Select Git revision
manageuser.py
-
Herman Andersen Dyrkorn authoredHerman Andersen Dyrkorn authored
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
manageuser.py 3.52 KiB
from flask import request, jsonify
from flask_restful import Resource
from api.models.dbmodels import User
from api import db, limiter, bcrypt
from flask_jwt_extended import get_jwt_identity, jwt_required
from random import choice
from string import ascii_lowercase, digits
"""
Endpoint for administrators to manage users.
GET: Get all users in the system.
POST: Change a users access rights. The admin can update them to admin, remove admin or remove all access rights.
PUT: Is used if a user forgets their password. The admin can reset it, so that the user can login and change it at a
later point.
"""
class AdminManageUser(Resource):
decorators = [limiter.limit("60/minute")]
@staticmethod
@jwt_required
def get():
user_id = get_jwt_identity()
user = db.session.query(User).filter_by(id=user_id).first()
if user.admin:
user_list = []
users = db.session.query(User).filter_by(accepted=1).filter(User.id != user.id).all()
for pr_user in users:
ret = {"email": pr_user.email, "id": pr_user.id, "admin": pr_user.admin, "accepted": pr_user.accepted}
user_list.append(ret)
return jsonify({"users": user_list, "status": 200})
else:
return jsonify({"message": "no access", "status": 400})
@staticmethod
@jwt_required
def post():
data = request.form
user_id = get_jwt_identity()
user = db.session.query(User).filter_by(id=user_id).first()
if user.admin:
if "id" in data and "email" in data and user_id != data['id']:
update_user = db.session.query(User).filter_by(id=data['id']).first()
if "removeAdmin" in data and data['email'] == update_user.email:
update_user.admin = False
db.session.commit()
return jsonify({"message": "user is no longer admin", "status": 200})
if "makeAdmin" in data and data['email'] == update_user.email:
update_user.admin = True
db.session.commit()
return jsonify({"message": "user is now admin", "status": 200})
if "denyAccess" in data and data['email'] == update_user.email:
update_user.accepted = False
db.session.commit()
return jsonify({"message": "user is downgraded", "status": 200})
else:
return jsonify({"message": "wrong data", "status": 400})
else:
return jsonify({"message": "no access", "status": 400})
@staticmethod
@jwt_required
def put():
data = request.form
user_id = get_jwt_identity()
user = db.session.query(User).filter_by(id=user_id).first()
if user.admin:
if "id" in data and user_id != data['id']:
user = db.session.query(User).filter_by(id=data['id']).first()
new_password = get_random_string(5)
password_hash = bcrypt.generate_password_hash(new_password)
user.pwd = password_hash
db.session.commit()
return jsonify({"new_password": new_password, "status": 200})
else:
return jsonify({"message": "wrong data", "status": 400})
else:
return jsonify({"message": "no access", "status": 400})
def get_random_string(length):
# choose from all lowercase letter
letters = ascii_lowercase
return ''.join(choice(letters + digits) for i in range(length))