From 6f0e9854d6e600a32f625a13f435b4ead960449d Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Fri, 6 Nov 2020 01:13:52 +0100 Subject: [PATCH] [API][Plugin] Bugfix and API change * users: Fixed bug in edit_user where if modify by admin * API: Users return list of roles as string not Roles --- flaschengeist/controller/userController.py | 6 +++--- flaschengeist/models/user.py | 9 +++++++-- flaschengeist/plugins/auth/__init__.py | 2 +- flaschengeist/plugins/users/__init__.py | 18 ++++++++++++------ 4 files changed, 23 insertions(+), 12 deletions(-) diff --git a/flaschengeist/controller/userController.py b/flaschengeist/controller/userController.py index 9106032..dc9aa43 100644 --- a/flaschengeist/controller/userController.py +++ b/flaschengeist/controller/userController.py @@ -28,12 +28,12 @@ def update_user(user): def set_roles(user: User, roles: [str]): - user.roles.clear() + user.roles_.clear() for role_name in roles: role = Role.query.filter(Role.name == role_name).one_or_none() if not role: raise BadRequest("Role not found >{}<".format(role_name)) - user.roles.append(role) + user.roles_.append(role) def modify_user(user, password, new_password=None): @@ -56,7 +56,7 @@ def get_users(): def get_user_by_role(role: Role): - return User.query.join(User.roles).filter_by(role_id=role.id).all() + return User.query.join(User.roles_).filter_by(role_id=role.id).all() def get_user(uid): diff --git a/flaschengeist/models/user.py b/flaschengeist/models/user.py index 4166cc7..fe55ee8 100644 --- a/flaschengeist/models/user.py +++ b/flaschengeist/models/user.py @@ -53,14 +53,19 @@ class User(db.Model, ModelSerializeMixin): firstname: str = db.Column(db.String(30)) lastname: str = db.Column(db.String(30)) mail: str = db.Column(db.String(30)) - roles: [Role] = db.relationship("Role", secondary=association_table) + roles: [str] = [] + roles_: [Role] = db.relationship("Role", secondary=association_table) _id = db.Column("id", db.Integer, primary_key=True) _sessions = db.relationship("Session", back_populates="_user") _attributes = db.relationship( "_UserAttribute", collection_class=attribute_mapped_collection("name"), cascade="all, delete" ) + @property + def roles(self): + return [role.name for role in self.roles_] + def set_attribute(self, name, value): if name in self._attributes: self._attributes[name].value = value @@ -76,7 +81,7 @@ class User(db.Model, ModelSerializeMixin): return default def get_permissions(self): - return ["user"] + [permission.name for role in self.roles for permission in role.permissions] + return ["user"] + [permission.name for role in self.roles_ for permission in role.permissions] def has_permission(self, permission): return permission in self.get_permissions() diff --git a/flaschengeist/plugins/auth/__init__.py b/flaschengeist/plugins/auth/__init__.py index 9889e04..8bd867f 100644 --- a/flaschengeist/plugins/auth/__init__.py +++ b/flaschengeist/plugins/auth/__init__.py @@ -49,7 +49,7 @@ def login(): # Lets cleanup the DB sessionController.clear_expired() - return {"session": session, "user": user}, CREATED + return {"session": session, "user": user, "permissions": user.get_permissions()}, CREATED @auth_bp.route("/auth", methods=["GET"]) diff --git a/flaschengeist/plugins/users/__init__.py b/flaschengeist/plugins/users/__init__.py index 87875cf..ef7a7d7 100644 --- a/flaschengeist/plugins/users/__init__.py +++ b/flaschengeist/plugins/users/__init__.py @@ -9,6 +9,7 @@ from flask import Blueprint, request, jsonify, make_response from werkzeug.exceptions import BadRequest, Forbidden, MethodNotAllowed from flaschengeist import logger +from flaschengeist.models.user import User from flaschengeist.plugins import Plugin from flaschengeist.decorator import login_required, extract_session from flaschengeist.controller import userController @@ -81,11 +82,14 @@ def get_user(userid, current_session): current_session: Session sent with Authorization Header Returns: - JSON encoded `flaschengeist.models.user.User` or HTTP error + JSON encoded `flaschengeist.models.user.User` or if userid is current user also containing permissions or HTTP error """ logger.debug("Get information of user {{ {} }}".format(userid)) - user = userController.get_user(userid) - return jsonify(user) + user: User = userController.get_user(userid) + serial = user.serialize() + if (userid == current_session._user.userid): + serial['permissions'] = user.get_permissions() + return jsonify(serial) @users_bp.route("/users/", methods=["DELETE"]) @@ -132,9 +136,11 @@ def edit_user(userid, current_session): password = None new_password = data["new_password"] if "new_password" in data else None + author = user if userid != current_session._user.userid: - if not user.has_permission(_permission_edit): - return Forbidden + author = current_session._user + if not author.has_permission(_permission_edit): + raise Forbidden else: if "password" not in data: raise BadRequest("Password is missing") @@ -145,7 +151,7 @@ def edit_user(userid, current_session): setattr(user, key, data[key]) if "roles" in data: - if not user.has_permission(_permission_set_roles): + if not author.has_permission(_permission_set_roles): raise Forbidden userController.set_roles(user, data["roles"])