Merge branch 'feature/dienstverwaltung' into develop

2020-01-19 21:33:58 +01:00 · 2020-01-19 21:33:58 +01:00 · f7d3b17680
parent d61a97387c 635051d615
commit f7d3b17680
14 changed files with 433 additions and 412 deletions
--- a/geruecht/init.py
+++ b/geruecht/init.py
@ -5,6 +5,8 @@
 """
 from .logger import getLogger
 from geruecht.controller import dbConfig
 from flask_mysqldb import MySQL
 LOGGER = getLogger(__name__)
 LOGGER.info("Initialize App")
@ -15,14 +17,22 @@ from flask_cors import CORS
 LOGGER.info("Build APP")
 app = Flask(__name__)
 CORS(app)
-# app.config['SECRET_KEY'] = '0a657b97ef546da90b2db91862ad4e29'
+app.config['SECRET_KEY'] = '0a657b97ef546da90b2db91862ad4e29'
 app.config['MYSQL_HOST'] = dbConfig['URL']
 app.config['MYSQL_USER'] = dbConfig['user']
 app.config['MYSQL_PASSWORD'] = dbConfig['passwd']
 app.config['MYSQL_DB'] = dbConfig['database']
 app.config['MYSQL_CURSORCLASS'] = 'DictCursor'
 db = MySQL(app)
 from geruecht import routes
 from geruecht.baruser.routes import baruser
 from geruecht.finanzer.routes import finanzer
 from geruecht.user.routes import user
 from geruecht.vorstand.routes import vorstand
 LOGGER.info("Registrate bluebrints")
 app.register_blueprint(baruser)
 app.register_blueprint(finanzer)
 app.register_blueprint(user)
 app.register_blueprint(vorstand)
--- a/geruecht/baruser/routes.py
+++ b/geruecht/baruser/routes.py
@ -1,12 +1,20 @@
 from flask import Blueprint, request, jsonify
-from geruecht.controller import ldapController as ldap, accesTokenController, userController
+import geruecht.controller as gc
 import geruecht.controller.ldapController as lc
 import geruecht.controller.userController as uc
 from datetime import datetime
 from geruecht.model import BAR, MONEY
 from geruecht.decorator import login_required
 baruser = Blueprint("baruser", __name__)
 ldap= lc.LDAPController(gc.ldapConfig['URL'], gc.ldapConfig['dn'])
 userController = uc.UserController()
@baruser.route("/bar")
-def _bar():
+@login_required(groups=[BAR])
 def _bar(**kwargs):
    """ Main function for Baruser
        Returns JSON-file with all Users, who hast amounts in this month.
@ -15,13 +23,7 @@ def _bar():
            JSON-File with Users, who has amounts in this month
            or ERROR 401 Permission Denied
    """
    print(request.headers)
    token = request.headers.get("Token")
    print(token)
    accToken = accesTokenController.validateAccessToken(token, BAR)
    dic = {}
    if accToken:
    users = userController.getAllUsersfromDB()
    for user in users:
        geruecht = None
@ -43,10 +45,11 @@ def _bar():
                                    "type": type
                                    }
    return jsonify(dic)
-    return jsonify({"error": "permission denied"}), 401
+
@baruser.route("/baradd", methods=['POST'])
-def _baradd():
+@login_required(groups=[BAR])
 def _baradd(**kwargs):
    """ Function for Baruser to add amount
        This function added to the user with the posted userID the posted amount.
@ -55,11 +58,6 @@ def _baradd():
            JSON-File with userID and the amount
            or ERROR 401 Permission Denied
    """
    token = request.headers.get("Token")
    print(token)
    accToken = accesTokenController.validateAccessToken(token, BAR)
    if accToken:
    data = request.get_json()
    userID = data['userId']
    amount = int(data['amount'])
@ -80,10 +78,11 @@ def _baradd():
    dic['type'] = type
    return jsonify(dic)
-    return jsonify({"error", "permission denied"}), 401
+
@baruser.route("/barGetUsers")
-def _getUsers():
+@login_required(groups=[BAR, MONEY])
 def _getUsers(**kwargs):
    """ Get Users without amount
        This Function returns all Users, who hasn't an amount in this month.
@ -92,21 +91,14 @@ def _getUsers():
            JSON-File with Users
            or ERROR 401 Permission Denied
    """
    token = request.headers.get("Token")
    print(token)
    accToken = accesTokenController.validateAccessToken(token, BAR)
    retVal = {}
    if accToken:
    retVal = ldap.getAllUser()
    return jsonify(retVal)
-    return jsonify({"error": "permission denied"}), 401
+
@baruser.route("/barGetUser", methods=['POST'])
-def _getUser():
+@login_required(groups=[BAR])
-    token = request.headers.get("Token")
+def _getUser(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, BAR)
    if accToken:
    data = request.get_json()
    username = data['userId']
    user = userController.getUser(username)
@ -120,21 +112,12 @@ def _getUser():
    retVal['amount'] = amount
    retVal['type'] = type
    return jsonify(retVal)
-    return jsonify("error", "permission denied"), 401
+
@baruser.route("/search", methods=['POST'])
-def _search():
+@login_required(groups=[BAR, MONEY])
-    token = request.headers.get("Token")
+def _search(**kwargs):
    print(token)
    accToken = accesTokenController.validateAccessToken(token, BAR)
    accToken2 = accesTokenController.validateAccessToken(token, MONEY)
    if accToken or accToken2:
    data = request.get_json()
    searchString = data['searchString']
    retVal = ldap.searchUser(searchString)
    return jsonify(retVal)
    return jsonify({"error": "permission denied"}), 401
--- a/geruecht/configparser.py
+++ b/geruecht/configparser.py
@ -1,6 +1,7 @@
 import yaml
 import sys
-from . import LOGGER
+from .logger import getLogger
 LOGGER = getLogger(__name__)
 default = {
    'AccessTokenLifeTime': 1800,
@ -34,7 +35,7 @@ class ConifgParser():
        self.ldap = self.config['LDAP']
        LOGGER.info("Set LDAPconfig: {}".format(self.ldap))
        if 'AccessTokenLifeTime' in self.config:
-            self.accessTokenLifeTime = self.config['AccessTokenLifeTime']
+            self.accessTokenLifeTime = int(self.config['AccessTokenLifeTime'])
            LOGGER.info("Set AccessTokenLifeTime: {}".format(self.accessTokenLifeTime))
        else:
            self.accessTokenLifeTime = default['AccessTokenLifeTime']
--- a/geruecht/controller/init.py
+++ b/geruecht/controller/init.py
@ -15,29 +15,7 @@ class Singleton(type):
            cls._instances[cls] = super(Singleton, cls).__call__(*args, **kwargs)
        return cls._instances[cls]
 from .databaseController import DatabaseController
 def getDatabesController():
    if db is not None:
        return db
    else:
        return DatabaseController(dbConfig['URL'], dbConfig['user'], dbConfig['passwd'], dbConfig['database'])
 from .ldapController import LDAPController
 def getLDAPController():
    if ldapController is not None:
        return ldapController
    else:
        return LDAPController(ldapConfig['URL'], ldapConfig['dn'])
 from .accesTokenController import AccesTokenController
 dbConfig = config.getDatabase()
 ldapConfig = config.getLDAP()
 accConfig = config.getAccessToken()
 mailConfig = config.getMail()
 db = DatabaseController(dbConfig['URL'], dbConfig['user'], dbConfig['passwd'], dbConfig['database'])
 ldapController = LDAPController(ldapConfig['URL'], ldapConfig['dn'])
 accesTokenController = AccesTokenController(accConfig)
 from . emailController import EmailController
 emailController = EmailController(mailConfig['URL'], mailConfig['user'], mailConfig['passwd'], mailConfig['port'], mailConfig['email'])
 from . userController import UserController
 userController = UserController()
--- a/geruecht/controller/accesTokenController.py
+++ b/geruecht/controller/accesTokenController.py
@ -1,9 +1,14 @@
 from geruecht.model.accessToken import AccessToken
 import geruecht.controller as gc
 import geruecht.controller.userController as uc
 from geruecht.model import BAR
 from geruecht.controller import LOGGER
 from datetime import datetime, timedelta
 import hashlib
 from . import Singleton
 userController = uc.UserController()
 class AccesTokenController(metaclass=Singleton):
    """ Control all createt AccesToken
@ -22,10 +27,16 @@ class AccesTokenController(metaclass=Singleton):
            Initialize Thread and set tokenList empty.
        """
        LOGGER.info("Initialize AccessTokenController")
-        self.lifetime = lifetime
+        self.lifetime = gc.accConfig
        self.tokenList = []
    def checkBar(self, user):
        if (userController.checkBarUser(user)):
            user.group.append(BAR)
        elif BAR in user.group:
            user.group.remove(BAR)
    def validateAccessToken(self, token, group):
        """ Verify Accestoken
@ -47,6 +58,7 @@ class AccesTokenController(metaclass=Singleton):
                now = datetime.now()
                LOGGER.debug("Check if AccessToken's Endtime {} is bigger then now {}".format(endTime, now))
                if now <= endTime:
                    self.checkBar(accToken.user)
                    LOGGER.debug("Check if AccesToken {} has same group {}".format(accToken, group))
                    if self.isSameGroup(accToken, group):
                        accToken.updateTimestamp()
@ -72,24 +84,27 @@ class AccesTokenController(metaclass=Singleton):
        LOGGER.info("Create AccessToken")
        now = datetime.ctime(datetime.now())
        token = hashlib.md5((now + user.dn).encode('utf-8')).hexdigest()
        self.checkBar(user)
        accToken = AccessToken(user, token, datetime.now())
        LOGGER.debug("Add AccessToken {} to current Tokens".format(accToken))
        self.tokenList.append(accToken)
        LOGGER.info("Finished create AccessToken {} with Token {}".format(accToken, token))
        return token
-    def isSameGroup(self, accToken, group):
+    def isSameGroup(self, accToken, groups):
        """ Verify group in AccessToken
            Verify if the User in the AccesToken has the right group.
            Args:
                accToken: AccessToken to verify.
-                group: Group to verify.
+                groups: Group to verify.
            Returns:
                A Bool. If the same then True else False
        """
-        print("controll if", accToken, "hase group", group)
+        print("controll if", accToken, "hase groups", groups)
-        LOGGER.debug("Check if AccessToken {} has group {}".format(accToken, group))
+        LOGGER.debug("Check if AccessToken {} has group {}".format(accToken, groups))
-        return True if group in accToken.user.group else False
+        for group in groups:
            if group in accToken.user.group: return True
        return False
--- a/geruecht/controller/databaseController.py
+++ b/geruecht/controller/databaseController.py
@ -1,8 +1,9 @@
 import pymysql
 from . import Singleton
 from geruecht import db
 from geruecht.model.user import User
 from geruecht.model.creditList import CreditList
-from datetime import datetime
+from datetime import datetime, timedelta
 class DatabaseController(metaclass=Singleton):
    '''
@ -11,29 +12,13 @@ class DatabaseController(metaclass=Singleton):
    Connect to the Database and execute sql-executions
    '''
-    def __init__(self, url='192.168.5.108', user='wu5', password='E1n$tein', database='geruecht'):
+    def __init__(self):
-        self.url = url
+        self.db = db
        self.user = user
        self.password = password
        self.database = database
        self.connect()
    def connect(self):
        try:
            self.db = pymysql.connect(self.url, self.user, self.password, self.database, cursorclass=pymysql.cursors.DictCursor)
        except Exception as err:
            raise err
    def getAllUser(self):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        try:
        cursor.execute("select * from user")
        data = cursor.fetchall()
            self.db.close()
        except Exception as err:
            raise err
        if data:
            retVal = []
@ -45,15 +30,10 @@ class DatabaseController(metaclass=Singleton):
            return retVal
    def getUser(self, username):
        self.connect()
        retVal = None
-        cursor = self.db.cursor()
+        cursor = self.db.connection.cursor()
        try:
        cursor.execute("select * from user where uid='{}'".format(username))
        data = cursor.fetchone()
            self.db.close()
        except Exception as err:
            raise err
        if data:
            retVal = User(data)
            creditLists = self.getCreditListFromUser(retVal)
@ -61,6 +41,17 @@ class DatabaseController(metaclass=Singleton):
        return retVal
    def getUserById(self, id):
        retVal = None
        cursor = self.db.connection.cursor()
        cursor.execute("select * from user where id={}".format(id))
        data = cursor.fetchone()
        if data:
            retVal = User(data)
            creditLists = self.getCreditListFromUser(retVal)
            retVal.initGeruechte(creditLists)
        return retVal
    def _convertGroupToString(self, groups):
        retVal = ''
        for group in groups:
@ -69,75 +60,49 @@ class DatabaseController(metaclass=Singleton):
            retVal += group
        return retVal
    def insertUser(self, user):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        groups = self._convertGroupToString(user.group)
        try:
        cursor.execute("insert into user (uid, dn, firstname, lastname, gruppe, lockLimit, locked, autoLock, mail) VALUES ('{}','{}','{}','{}','{}',{},{},{},'{}')".format(
            user.uid, user.dn, user.firstname, user.lastname, groups, user.limit, user.locked, user.autoLock, user.mail))
-            self.db.commit()
+        self.db.connection.commit()
-        except Exception as err:
+
            self.db.rollback()
            self.db.close()
            raise err
        self.db.close()
    def updateUser(self, user):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        groups = self._convertGroupToString(user.group)
        try:
        sql = "update user set dn='{}', firstname='{}', lastname='{}', gruppe='{}', lockLimit={}, locked={}, autoLock={}, mail='{}' where uid='{}'".format(
            user.dn, user.firstname, user.lastname, groups, user.limit, user.locked, user.autoLock, user.mail, user.uid)
        print(sql)
        cursor.execute(sql)
-            self.db.commit()
+        self.db.connection.commit()
        except Exception as err:
            self.db.rollback()
            self.db.close()
            print(err.__traceback__)
            raise err
        self.db.close()
    def getCreditListFromUser(self, user, **kwargs):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        try:
        if 'year' in kwargs:
            sql = "select * from creditList where user_id={} and year_date={}".format(user.id, kwargs['year'])
        else:
            sql = "select * from creditList where user_id={}".format(user.id)
        cursor.execute(sql)
        data = cursor.fetchall()
            self.db.close()
        except Exception as err:
            self.db.close()
            raise err
        if len(data) == 1:
            return [CreditList(data[0])]
        else:
            return [CreditList(value) for value in data]
    def createCreditList(self, user_id, year=datetime.now().year):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        try:
        cursor.execute("insert into creditList (year_date, user_id) values ({},{})".format(year, user_id))
-            self.db.commit()
+        self.db.connection.commit()
-            self.db.close()
+
        except Exception as err:
            self.db.close()
            raise err
    def updateCreditList(self, creditlist):
-        self.connect()
+        cursor = self.db.connection.cursor()
        cursor = self.db.cursor()
        try:
        cursor.execute("select * from creditList where user_id={} and year_date={}".format(creditlist.user_id, creditlist.year))
        data = cursor.fetchall()
            self.db.close()
        if len(data) == 0:
            self.createCreditList(creditlist.user_id, creditlist.year)
        sql = "update creditList set jan_guthaben={}, jan_schulden={},feb_guthaben={}, feb_schulden={}, maer_guthaben={}, maer_schulden={}, apr_guthaben={}, apr_schulden={}, mai_guthaben={}, mai_schulden={}, jun_guthaben={}, jun_schulden={}, jul_guthaben={}, jul_schulden={}, aug_guthaben={}, aug_schulden={},sep_guthaben={}, sep_schulden={},okt_guthaben={}, okt_schulden={}, nov_guthaben={}, nov_schulden={}, dez_guthaben={}, dez_schulden={}, last_schulden={} where year_date={} and user_id={}".format(creditlist.jan_guthaben, creditlist.jan_schulden,
@ -154,16 +119,34 @@ class DatabaseController(metaclass=Singleton):
                                                 creditlist.dez_guthaben, creditlist.dez_schulden,
                                                 creditlist.last_schulden, creditlist.year, creditlist.user_id)
        print(sql)
-            self.connect()
+        cursor = self.db.connection.cursor()
            cursor = self.db.cursor()
        cursor.execute(sql)
-            self.db.commit()
+        self.db.connection.commit()
            self.db.close()
        except Exception as err:
            self.db.rollback()
            self.db.close()
            raise err
    def getWorker(self, user, date):
        cursor = self.db.connection.cursor()
        cursor.execute("select * from bardienste where user_id={} and startdatetime='{}'".format(user.id, date))
        data = cursor.fetchone()
        return {"user": user.toJSON(), "startdatetime": data['startdatetime'], "enddatetime": data['enddatetime']} if data else None
    def getWorkers(self, date):
        cursor = self.db.connection.cursor()
        cursor.execute("select * from bardienste where startdatetime='{}'".format(date))
        data = cursor.fetchall()
        return [{"user": self.getUserById(work['user_id']).toJSON(), "startdatetime": work['startdatetime'], "enddatetime": work['enddatetime']} for work in data]
    def setWorker(self, user, date):
        cursor = self.db.connection.cursor()
        cursor.execute("insert into bardienste (user_id, startdatetime, enddatetime) values ({},'{}','{}')".format(user.id, date, date + timedelta(days=1)))
        self.db.connection.commit()
    def deleteWorker(self, user, date):
        cursor = self.db.connection.cursor()
        cursor.execute("delete from bardienste where user_id={} and startdatetime='{}'".format(user.id, date))
        self.db.connection.commit()
 if __name__ == '__main__':
    db = DatabaseController()
--- a/geruecht/controller/userController.py
+++ b/geruecht/controller/userController.py
@ -1,13 +1,36 @@
-from . import LOGGER, Singleton, db, ldapController as ldap, emailController
+from . import LOGGER, Singleton, ldapConfig, dbConfig, mailConfig
 import geruecht.controller.databaseController as dc
 import geruecht.controller.ldapController as lc
 import geruecht.controller.emailController as ec
 from geruecht.model.user import User
 from geruecht.exceptions import PermissionDenied
-from datetime import datetime
+from datetime import datetime, timedelta
 db = dc.DatabaseController()
 ldap = lc.LDAPController(ldapConfig['URL'], ldapConfig['dn'])
 emailController = ec.EmailController(mailConfig['URL'], mailConfig['user'], mailConfig['passwd'], mailConfig['port'], mailConfig['email'])
 class UserController(metaclass=Singleton):
    def __init__(self):
        pass
    def getWorker(self, date, username=None):
        if (username):
            user = self.getUser(username)
            return [db.getWorker(user, date)]
        return db.getWorkers(date)
    def addWorker(self, username, date):
        user = self.getUser(username)
        if (not db.getWorker(user, date)):
            db.setWorker(user, date)
        return self.getWorker(date, username=username)
    def deleteWorker(self, username, date):
        user = self.getUser(username)
        db.deleteWorker(user, date)
    def lockUser(self, username, locked):
        user = self.getUser(username)
        user.updateData({'locked': locked})
@ -54,6 +77,20 @@ class UserController(metaclass=Singleton):
            self.__updateGeruechte(user)
        return db.getAllUser()
    def checkBarUser(self, user):
        date = datetime.now()
        zero = date.replace(hour=0, minute=0, second=0, microsecond=0)
        end = zero + timedelta(hours=11)
        startdatetime = date.replace(hour=11, minute=0, second=0, microsecond=0)
        if date > zero and end > date:
             startdatetime = startdatetime - timedelta(days=1)
        enddatetime = startdatetime + timedelta(days=1)
        result = False
        if date >= startdatetime and date < enddatetime:
            result = db.getWorker(user, startdatetime)
        return True if result else False
    def getUser(self, username):
        user = db.getUser(username)
        groups = ldap.getGroup(username)
--- a/geruecht/decorator.py
+++ b/geruecht/decorator.py
@ -0,0 +1,21 @@
 from functools import wraps
 def login_required(**kwargs):
    import geruecht.controller.accesTokenController as ac
    from geruecht.model import BAR, USER, MONEY, GASTRO
    from flask import request, jsonify
    accessController = ac.AccesTokenController()
    groups = [USER, BAR, GASTRO, MONEY]
    if "groups" in kwargs:
        groups = kwargs["groups"]
    def real_decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            token = request.headers.get('Token')
            accToken = accessController.validateAccessToken(token, groups)
            kwargs['accToken'] = accToken
            if accToken:
                return func(*args, **kwargs)
            else:
                return jsonify({"error": "error", "message": "permission denied"}), 401
        return wrapper
    return real_decorator
--- a/geruecht/finanzer/routes.py
+++ b/geruecht/finanzer/routes.py
@ -1,14 +1,18 @@
 from flask import Blueprint, request, jsonify
 from geruecht.finanzer import LOGGER
 from datetime import datetime
-from geruecht.controller import accesTokenController, userController
+import geruecht.controller.userController as uc
 from geruecht.model import MONEY
 from geruecht.decorator import login_required
 finanzer = Blueprint("finanzer", __name__)
 userController = uc.UserController()
@finanzer.route("/getFinanzerMain")
-def _getFinanzer():
+@login_required(groups=[MONEY])
 def _getFinanzer(**kwargs):
    """ Function for /getFinanzerMain
        Retrieves all User for the groupe 'moneymaster'
@ -17,11 +21,6 @@ def _getFinanzer():
            A JSON-File with Users
            or ERROR 401 Permission Denied.
    """
    LOGGER.info("Get main for Finanzer")
    token = request.headers.get("Token")
    LOGGER.debug("Verify AccessToken with Token {}".format(token))
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    LOGGER.debug("Get all Useres")
    users = userController.getAllUsersfromDB()
    dic = {}
@ -32,11 +31,10 @@ def _getFinanzer():
        LOGGER.debug("ReturnValue is {}".format(dic))
    LOGGER.info("Send main for Finanzer")
    return jsonify(dic)
    LOGGER.info("Permission Denied")
    return jsonify({"error": "permission denied"}), 401
@finanzer.route("/finanzerAddAmount", methods=['POST'])
-def _addAmount():
+@login_required(groups=[MONEY])
 def _addAmount(**kwargs):
    """ Add Amount to User
        This Function add an amount to the user with posted userID.
@ -47,12 +45,6 @@ def _addAmount():
            JSON-File with geruecht of year
            or ERROR 401 Permission Denied
    """
    LOGGER.info("Add Amount")
    token = request.headers.get("Token")
    LOGGER.debug("Verify AccessToken with Token {}".format(token))
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    LOGGER.debug("Get data {}".format(data))
    userID = data['userId']
@ -75,11 +67,10 @@ def _addAmount():
    retVal['locked'] = user.locked
    LOGGER.info("Send updated Geruecht")
    return jsonify(retVal)
    LOGGER.info("Permission Denied")
    return jsonify({"error": "permission denied"}), 401
@finanzer.route("/finanzerAddCredit", methods=['POST'])
-def _addCredit():
+@login_required(groups=[MONEY])
 def _addCredit(**kwargs):
    """ Add Credit to User
        This Function add an credit to the user with posted userID.
@ -90,13 +81,6 @@ def _addCredit():
            JSON-File with geruecht of year
            or ERROR 401 Permission Denied
    """
    LOGGER.info("Add Amount")
    token = request.headers.get("Token")
    LOGGER.debug("Verify AccessToken with Token {}".format(token))
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    print(data)
    LOGGER.debug("Get data {}".format(data))
@ -122,42 +106,31 @@ def _addCredit():
    retVal['locked'] = user.locked
    LOGGER.info("Send updated Geruecht")
    return jsonify(retVal)
-    LOGGER.info("Permission Denied")
+
    return jsonify({"error": "permission denied"}), 401
@finanzer.route("/finanzerLock", methods=['POST'])
-def _finanzerLock():
+@login_required(groups=[MONEY])
-    token = request.headers.get("Token")
+def _finanzerLock(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    username = data['userId']
    locked = bool(data['locked'])
    retVal = userController.lockUser(username, locked).toJSON()
    return jsonify(retVal)
-    return jsonify({"error": "permission denied"}), 401
+
@finanzer.route("/finanzerSetConfig", methods=['POST'])
-def _finanzerSetConfig():
+@login_required(groups=[MONEY])
-    token = request.headers.get("Token")
+def _finanzerSetConfig(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    username = data['userId']
    autoLock = bool(data['autoLock'])
    limit = int(data['limit'])
    retVal = userController.updateConfig(username, {'lockLimit': limit, 'autoLock': autoLock}).toJSON()
    return jsonify(retVal)
    return jsonify({"error": "permission denied"}), 401
@finanzer.route("/finanzerAddUser", methods=['POST'])
-def _finanzerAddUser():
+@login_required(groups=[MONEY])
-    token = request.headers.get("Token")
+def _finanzerAddUser(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    username = data['userId']
    userController.getUser(username)
@ -170,26 +143,17 @@ def _finanzerAddUser():
        dic[user.uid]['creditList'] = {credit.year: credit.toJSON() for credit in user.geruechte}
        LOGGER.debug("ReturnValue is {}".format(dic))
    return jsonify(dic), 200
    return jsonify({"error": "permission denied"}), 401
@finanzer.route("/finanzerSendOneMail", methods=['POST'])
-def _finanzerSendOneMail():
+@login_required(groups=[MONEY])
-    token = request.headers.get("Token")
+def _finanzerSendOneMail(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    data = request.get_json()
    username = data['userId']
    retVal = userController.sendMail(username)
    return jsonify(retVal)
    return jsonify({"error:", "permission denied"}), 401
@finanzer.route("/finanzerSendAllMail", methods=['GET'])
-def _finanzerSendAllMail():
+@login_required(groups=[MONEY])
-    token = request.headers.get("Token")
+def _finanzerSendAllMail(**kwargs):
    accToken = accesTokenController.validateAccessToken(token, MONEY)
    if accToken:
    retVal = userController.sendAllMail()
    return jsonify(retVal)
    return jsonify({"error": "permission denied"}), 401
--- a/geruecht/model/priceList.py
+++ b/geruecht/model/priceList.py
@ -1,17 +0,0 @@
 from geruecht.controller import db
 class PriceList(db.Model):
    """ Database Model for PriceList
        PriceList has lots of Drinks and safe all Prices (normal, for club, for other clubs, which catagory, etc)
    """
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String, nullable=False, unique=True)
    price = db.Column(db.Integer, nullable=False)
    price_club = db.Column(db.Integer, nullable=False)
    price_ext_club = db.Column(db.Integer, nullable=False)
    category = db.Column(db.Integer, nullable=False)
    upPrice = db.Column(db.Integer)
    upPrice_club = db.Column(db.Integer)
    upPrice_ext_club = db.Column(db.Integer)
--- a/geruecht/routes.py
+++ b/geruecht/routes.py
@ -1,9 +1,12 @@
 from geruecht import app, LOGGER
 from geruecht.exceptions import PermissionDenied
-from geruecht.controller import accesTokenController, userController
+import geruecht.controller.accesTokenController as ac
 import geruecht.controller.userController as uc
 from geruecht.model import MONEY, BAR, USER, GASTRO
 from flask import request, jsonify
 accesTokenController = ac.AccesTokenController()
 userController = uc.UserController()
 def login(user, password):
    return user.login(password)
@ -12,16 +15,16 @@ def login(user, password):
@app.route("/valid")
 def _valid():
    token = request.headers.get("Token")
-    accToken = accesTokenController.validateAccessToken(token, MONEY)
+    accToken = accesTokenController.validateAccessToken(token, [MONEY])
    if accToken:
        return jsonify(accToken.user.toJSON())
-    accToken = accesTokenController.validateAccessToken(token, BAR)
+    accToken = accesTokenController.validateAccessToken(token, [BAR])
    if accToken:
        return jsonify(accToken.user.toJSON())
-    accToken = accesTokenController.validateAccessToken(token, GASTRO)
+    accToken = accesTokenController.validateAccessToken(token, [GASTRO])
    if accToken:
        return jsonify(accToken.user.toJSON())
-    accToken = accesTokenController.validateAccessToken(token, USER)
+    accToken = accesTokenController.validateAccessToken(token, [USER])
    if accToken:
        return jsonify(accToken.user.toJSON())
    return jsonify({"error": "permission denied"}), 401
@ -48,7 +51,7 @@ def _login():
        user = userController.loginUser(username, password)
        user.password = password
        token = accesTokenController.createAccesToken(user)
-        dic = user.toJSON()
+        dic = accesTokenController.validateAccessToken(token, [USER]).user.toJSON()
        dic["token"] = token
        dic["accessToken"] = token
        LOGGER.info("User {} success login.".format(username))
--- a/geruecht/user/routes.py
+++ b/geruecht/user/routes.py
@ -1,28 +1,30 @@
 from flask import Blueprint, request, jsonify
-from geruecht.controller import userController, accesTokenController
+from geruecht.decorator import login_required
 import geruecht.controller.userController as uc
 from geruecht.model import USER
 from datetime import datetime
 user = Blueprint("user", __name__)
-@user.route("/user/main")
+userController = uc.UserController()
 def _main():
-    token = request.headers.get("Token")
+
-    accToken = accesTokenController.validateAccessToken(token, USER)
+@user.route("/user/main")
-    if accToken:
+@login_required(groups=[USER])
 def _main(**kwargs):
    if 'accToken' in kwargs:
        accToken = kwargs['accToken']
        accToken.user = userController.getUser(accToken.user.uid)
        retVal = accToken.user.toJSON()
        retVal['creditList'] = {credit.year: credit.toJSON() for credit in accToken.user.geruechte}
        return jsonify(retVal)
-    return jsonify({"error": "permission denied"}), 401
+    return jsonify("error", "something went wrong"), 500
@user.route("/user/addAmount", methods=['POST'])
-def _addAmount():
+@login_required(groups=[USER])
-
+def _addAmount(**kwargs):
-    token = request.headers.get("Token")
+    if 'accToken' in kwargs:
-    accToken = accesTokenController.validateAccessToken(token, USER)
+        accToken = kwargs['accToken']
    if accToken:
        data = request.get_json()
        amount = int(data['amount'])
        date = datetime.now()
@ -31,4 +33,4 @@ def _addAmount():
        retVal = accToken.user.toJSON()
        retVal['creditList'] = {credit.year: credit.toJSON() for credit in accToken.user.geruechte}
        return jsonify(retVal)
-    return jsonify({"error": "permission denied"}), 401
+    return jsonify({"error": "something went wrong"}), 500
--- a/geruecht/vorstand/init.py
+++ b/geruecht/vorstand/init.py
--- a/geruecht/vorstand/routes.py
+++ b/geruecht/vorstand/routes.py
@ -0,0 +1,41 @@
 from flask import Blueprint, request, jsonify
 from datetime import datetime
 import geruecht.controller.userController as uc
 from geruecht.decorator import login_required
 from geruecht.model import MONEY, GASTRO
 vorstand = Blueprint("vorstand", __name__)
 userController = uc.UserController()
@vorstand.route("/sm/addUser", methods=['POST', 'GET'])
@login_required(groups=[MONEY, GASTRO])
 def _addUser(**kwargs):
    if request.method == 'GET':
        return "<h1>HEllo World</h1>"
    data = request.get_json()
    user = data['user']
    date = datetime.utcfromtimestamp(int(data['date']))
    retVal = userController.addWorker(user['username'], date)
    print(retVal)
    return jsonify(retVal)
@vorstand.route("/sm/getUser", methods=['POST'])
@login_required(groups=[MONEY, GASTRO])
 def _getUser(**kwargs):
    data = request.get_json()
    date = datetime.utcfromtimestamp(int(data['date']))
    retVal = userController.getWorker(date)
    print(retVal)
    return  jsonify(retVal)
@vorstand.route("/sm/deleteUser", methods=['POST'])
@login_required(groups=[MONEY, GASTRO])
 def _deletUser(**kwargs):
    data = request.get_json()
    user = data['user']
    date = datetime.utcfromtimestamp(int(data['date']))
    userController.deleteWorker(user['username'], date)
    return jsonify({"ok": "ok"})