[API][Plugin] Bugfix and API change

* users: Fixed bug in edit_user when a user is modified by an admin
* API: Users return list of roles as string not Roles
Ferdinand Thiessen 2020-11-06 01:13:52 +01:00
parent 7aba295e45
commit 6f0e9854d6
4 changed files with 23 additions and 12 deletions


@ -28,12 +28,12 @@ def update_user(user):
def set_roles(user: User, roles: [str]): def set_roles(user: User, roles: [str]):
user.roles.clear() user.roles_.clear()
for role_name in roles: for role_name in roles:
role = Role.query.filter(Role.name == role_name).one_or_none() role = Role.query.filter(Role.name == role_name).one_or_none()
if not role: if not role:
raise BadRequest("Role not found >{}<".format(role_name)) raise BadRequest("Role not found >{}<".format(role_name))
user.roles.append(role) user.roles_.append(role)
def modify_user(user, password, new_password=None): def modify_user(user, password, new_password=None):
@ -56,7 +56,7 @@ def get_users():
def get_user_by_role(role: Role): def get_user_by_role(role: Role):
return User.query.join(User.roles).filter_by(role_id=role.id).all() return User.query.join(User.roles_).filter_by(role_id=role.id).all()
def get_user(uid): def get_user(uid):
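Review bot: In set_roles the collection is emptied on the first body line before any name has been resolved, so the BadRequest raised for an unknown role name leaves `user.roles_` already cleared and partially refilled by the time the caller sees the error; whether that state is flushed to the database depends on the caller's session handling, which is outside this hunk. Resolving every name first and replacing the collection only after all lookups succeeded keeps the failure atomic at the object level, and the renaming to `roles_` is unaffected. The per-name query loop could also be collapsed into one `Role.name.in_(roles)` lookup, but the ordering is the point worth fixing here.
```python
def set_roles(user: User, roles: [str]):
    resolved = []
    for role_name in roles:
        role = Role.query.filter(Role.name == role_name).one_or_none()
        if not role:
            raise BadRequest("Role not found >{}<".format(role_name))
        resolved.append(role)
    # Only touch the relationship once every name is known to exist.
    user.roles_.clear()
    user.roles_.extend(resolved)
```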


@ -53,14 +53,19 @@ class User(db.Model, ModelSerializeMixin):
firstname: str = db.Column(db.String(30)) firstname: str = db.Column(db.String(30))
lastname: str = db.Column(db.String(30)) lastname: str = db.Column(db.String(30))
mail: str = db.Column(db.String(30)) mail: str = db.Column(db.String(30))
roles: [Role] = db.relationship("Role", secondary=association_table) roles: [str] = []
roles_: [Role] = db.relationship("Role", secondary=association_table)
_id = db.Column("id", db.Integer, primary_key=True) _id = db.Column("id", db.Integer, primary_key=True)
_sessions = db.relationship("Session", back_populates="_user") _sessions = db.relationship("Session", back_populates="_user")
_attributes = db.relationship( _attributes = db.relationship(
"_UserAttribute", collection_class=attribute_mapped_collection("name"), cascade="all, delete" "_UserAttribute", collection_class=attribute_mapped_collection("name"), cascade="all, delete"
) )
@property
def roles(self):
return [role.name for role in self.roles_]
def set_attribute(self, name, value): def set_attribute(self, name, value):
if name in self._attributes: if name in self._attributes:
self._attributes[name].value = value self._attributes[name].value = value
@ -76,7 +81,7 @@ class User(db.Model, ModelSerializeMixin):
return default return default
def get_permissions(self): def get_permissions(self):
return ["user"] + [permission.name for role in self.roles for permission in role.permissions] return ["user"] + [permission.name for role in self.roles_ for permission in role.permissions]
def has_permission(self, permission): def has_permission(self, permission):
return permission in self.get_permissions() return permission in self.get_permissions()
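Review bot: The class attribute `roles: [str] = []` on the first changed line is shadowed by the `roles` property defined a few lines further down in the same class body, so the empty list is never what an instance reads; if the line exists only so ModelSerializeMixin picks up the annotation (the mixin is not visible here, so this is an assumption), `roles: [str]` without the value states that intent and avoids a mutable class-level list. The property defines no setter, so `user.roles = [...]`, which used to be a plain relationship assignment, now raises AttributeError; that change in contract deserves a docstring on the property, e.g. `"""Names of the user's roles (read-only; change them via userController.set_roles)."""`. The get_permissions hunk below correctly switches to `roles_`, so the two hunks are consistent with each other.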


@ -49,7 +49,7 @@ def login():
# Lets cleanup the DB # Lets cleanup the DB
sessionController.clear_expired() sessionController.clear_expired()
return {"session": session, "user": user}, CREATED return {"session": session, "user": user, "permissions": user.get_permissions()}, CREATED
@auth_bp.route("/auth", methods=["GET"]) @auth_bp.route("/auth", methods=["GET"])
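Review bot: The permissions added to the login response on the changed return line sit beside the user object, whereas the users endpoint in this same commit nests them inside the serialized user, so a client needs two code paths to read the same data. Serializing the user here the same way gives one shape: `serial = user.serialize()`, `serial["permissions"] = user.get_permissions()`, `return {"session": session, "user": serial}, CREATED` — assuming the response encoder produces the same dict as `serialize()`, which I cannot confirm from this hunk. login starts outside the hunk.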


@ -9,6 +9,7 @@ from flask import Blueprint, request, jsonify, make_response
from werkzeug.exceptions import BadRequest, Forbidden, MethodNotAllowed from werkzeug.exceptions import BadRequest, Forbidden, MethodNotAllowed
from flaschengeist import logger from flaschengeist import logger
from flaschengeist.models.user import User
from flaschengeist.plugins import Plugin from flaschengeist.plugins import Plugin
from flaschengeist.decorator import login_required, extract_session from flaschengeist.decorator import login_required, extract_session
from flaschengeist.controller import userController from flaschengeist.controller import userController
@ -81,11 +82,14 @@ def get_user(userid, current_session):
current_session: Session sent with Authorization Header current_session: Session sent with Authorization Header
Returns: Returns:
JSON encoded `flaschengeist.models.user.User` or HTTP error JSON encoded `flaschengeist.models.user.User` or if userid is current user also containing permissions or HTTP error
""" """
logger.debug("Get information of user {{ {} }}".format(userid)) logger.debug("Get information of user {{ {} }}".format(userid))
user = userController.get_user(userid) user: User = userController.get_user(userid)
return jsonify(user) serial = user.serialize()
if (userid == current_session._user.userid):
serial['permissions'] = user.get_permissions()
return jsonify(serial)
@users_bp.route("/users/<userid>", methods=["DELETE"]) @users_bp.route("/users/<userid>", methods=["DELETE"])
@ -132,9 +136,11 @@ def edit_user(userid, current_session):
password = None password = None
new_password = data["new_password"] if "new_password" in data else None new_password = data["new_password"] if "new_password" in data else None
author = user
if userid != current_session._user.userid: if userid != current_session._user.userid:
if not user.has_permission(_permission_edit): author = current_session._user
return Forbidden if not author.has_permission(_permission_edit):
raise Forbidden
else: else:
if "password" not in data: if "password" not in data:
raise BadRequest("Password is missing") raise BadRequest("Password is missing")
@ -145,7 +151,7 @@ def edit_user(userid, current_session):
setattr(user, key, data[key]) setattr(user, key, data[key])
if "roles" in data: if "roles" in data:
if not user.has_permission(_permission_set_roles): if not author.has_permission(_permission_set_roles):
raise Forbidden raise Forbidden
userController.set_roles(user, data["roles"]) userController.set_roles(user, data["roles"])