From d2858c8c76e3cf121179036dfb389788b15ccd85 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Sat, 24 Oct 2020 20:10:43 +0200
Subject: [PATCH] [Plugin] Users now allows setting the role of an user
---
 flaschengeist/modules/users/__init__.py | 30 +++++++++++++++++--------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/flaschengeist/modules/users/__init__.py b/flaschengeist/modules/users/__init__.py
index bba35f3..f48cfe5 100644
--- a/flaschengeist/modules/users/__init__.py
+++ b/flaschengeist/modules/users/__init__.py
@@ -8,12 +8,13 @@ from flaschengeist.system.controller import userController
 users_bp = Blueprint("users", __name__)
 _permission_edit = "users_edit_other"
+_permission_set_roles = "users_set_roles"
 _permission_delete = "users_delete_other"
 class UsersPlugin(Plugin):
 def __init__(self, config):
- super().__init__(blueprint=users_bp, permissions=[_permission_edit, _permission_delete])
+ super().__init__(blueprint=users_bp, permissions=[_permission_edit, _permission_delete, _permission_set_roles])
 #################################################
 # Routes #
@@ -64,17 +65,28 @@ def __delete_user(uid, **kwargs):
 def __edit_user(uid, **kwargs):
 logger.debug("Modify information of user {{ {} }}".format(uid))
 user = userController.get_user(uid)
-
- if uid != kwargs["access_token"].user.userid and user.has_permission(_permission_edit):
- return Forbidden
-
 data = request.get_json()
- if "password" not in data:
- raise BadRequest("Password is missing")
+
+ password = None
+ new_password = data["new_password"] if "new_password" in data else None
+
+ if uid != kwargs["access_token"].user.userid:
+ if not user.has_permission(_permission_edit):
+ return Forbidden
+ else:
+ if "password" not in data:
+ raise BadRequest("Password is missing")
+ password = data["password"]
+
 for key in ["firstname", "lastname", "display_name", "mail"]:
 if key in data:
 setattr(user, key, data[key])
- new_password = data["new_password"] if "new_password" in data else None
- userController.modify_user(user, data["password"], new_password)
+
+ if "roles" in data:
+ if not user.has_permission(_permission_set_roles):
+ raise Forbidden
+ userController.set_roles(user, data["roles"])
+
+ userController.modify_user(user, password, new_password)
 userController.update_user(user)
 return jsonify({"ok": "ok"})
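Review bot: Both permission checks in `__edit_user` call `has_permission` on `user`, which is the account loaded by `userController.get_user(uid)` (the one being edited), not on the caller in `kwargs["access_token"].user`, so whether a role change or a foreign edit is allowed depends on the target's permissions rather than the requester's. Check the caller instead: `caller = kwargs["access_token"].user`, then `if not caller.has_permission(_permission_edit): raise Forbidden` and `if not caller.has_permission(_permission_set_roles): raise Forbidden`. The edit branch still has `return Forbidden`, which hands the exception class back as the view result instead of aborting with a 403 the way the roles branch does with `raise`. `userController.set_roles` also runs before `modify_user` receives the password; if `modify_user` is where the current password is verified (not visible here), the role change and the `setattr` updates should come after that verification. Indentation is lost on this page, so the nesting of `else:` under the `uid != ...` test is inferred.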