TG-126 Securiser les methodes de l'api
This commit is contained in:
parent
8c97b49a67
commit
aa6a2bc0bb
|
|
@ -3,15 +3,16 @@ import os
|
|||
from flask_restful import Resource, request
|
||||
|
||||
from app.api import mailsModels
|
||||
from app.model import *
|
||||
from app.utils import *
|
||||
from app.api.LoginAPI import login_required
|
||||
from app.model import Roles, getGroup, getParam, getUser, USER, GROUP, TUTORSHIP
|
||||
from app.utils import send_mail, checkParams
|
||||
|
||||
|
||||
class GroupAPI(Resource):
|
||||
"""
|
||||
Group Api Resource
|
||||
"""
|
||||
|
||||
@login_required(roles=[Roles.resp_formation])
|
||||
def post(self):
|
||||
args = request.get_json(cache=False, force=True)
|
||||
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):
|
||||
|
|
|
|||
|
|
@ -3,15 +3,15 @@ import os
|
|||
from flask_restful import Resource, request
|
||||
|
||||
from app.api import mailsModels
|
||||
from app.model import *
|
||||
from app.utils import *
|
||||
|
||||
from app.model import Roles, getParam, getGroup, getUser, USER, GROUP, TUTORSHIP
|
||||
from app.utils import send_mail, checkParams
|
||||
from app.api.LoginAPI import login_required
|
||||
|
||||
class LivretAPI(Resource):
|
||||
"""
|
||||
Livret Api Resource
|
||||
"""
|
||||
|
||||
@login_required(roles=[Roles.etudiant])
|
||||
def post(self):
|
||||
args = request.get_json(cache=False, force=True)
|
||||
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):
|
||||
|
|
|
|||
|
|
@ -49,3 +49,15 @@ class LoginAPI(Resource):
|
|||
session['user'] = None
|
||||
return {'AUTH_RESULT': 'OK'}, 200
|
||||
|
||||
|
||||
|
||||
def login_required(roles=[]):
|
||||
def my_login_required(func):
|
||||
def wrapper(*args):
|
||||
current_user = session.get('user', None)
|
||||
if current_user is None or (len(roles) != 0 and not sum([1 for x in current_user['role'].split("-") if int(x) in roles]) > 0):
|
||||
return {"msg": "UNAUTHORIZED"}, 401
|
||||
return func(*args)
|
||||
return wrapper
|
||||
return my_login_required
|
||||
|
||||
|
|
|
|||
|
|
@ -1,29 +1,29 @@
|
|||
import os
|
||||
|
||||
from flask import request
|
||||
from flask_restful import Resource
|
||||
from flask_restful.reqparse import RequestParser
|
||||
from app.tools.LibPdf import delete_file
|
||||
from model import getParam
|
||||
from werkzeug.utils import secure_filename
|
||||
|
||||
from app.model import getGroup
|
||||
from app.tools.LibPdf import delete_file, upload_file, allowed_file
|
||||
from app.tools.LibPdf import upload_file, allowed_file
|
||||
from app.api.LoginAPI import login_required
|
||||
|
||||
import os
|
||||
import request
|
||||
|
||||
class PdfAPI(Resource):
|
||||
"""
|
||||
Pdf Api Resource
|
||||
"""
|
||||
|
||||
@login_required()
|
||||
def delete(self):
|
||||
parser = RequestParser()
|
||||
parser.add_argument('templateName', required=True, help="Template name is required !")
|
||||
args = parser.parse_args()
|
||||
|
||||
if ".." in args:
|
||||
return {"msg": ".. not allowed in path"}, 400
|
||||
|
||||
delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), args['templateName']))
|
||||
delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), secure_filename(args['templateName'])))
|
||||
|
||||
@login_required()
|
||||
def post(self):
|
||||
"""
|
||||
Upload d'un template
|
||||
|
|
|
|||
|
|
@ -2,15 +2,15 @@ from hashlib import sha256
|
|||
|
||||
from flask_restful import Resource, request
|
||||
|
||||
from app.model import *
|
||||
from app.model import Roles, getUser, hashExists, USER
|
||||
from app.utils import checkParams, get_random_string
|
||||
|
||||
from app.api.LoginAPI import login_required
|
||||
|
||||
class UserAPI(Resource):
|
||||
"""
|
||||
User Api Resource
|
||||
"""
|
||||
|
||||
@login_required(roles=[Roles.resp_formation])
|
||||
def post(self):
|
||||
args = request.get_json(cache=False, force=True)
|
||||
if not checkParams(['role', 'email', 'name'], args):
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
from flask import session
|
||||
from flask_restful import Resource
|
||||
|
||||
from app.model import *
|
||||
from app.api.LoginAPI import login_required
|
||||
from app.model import LIVRET, TUTORSHIP, and_
|
||||
|
||||
|
||||
class UserInfoAPI(Resource):
|
||||
|
|
@ -9,6 +9,7 @@ class UserInfoAPI(Resource):
|
|||
UserInfo Api Resource
|
||||
"""
|
||||
|
||||
@login_required()
|
||||
def get(self):
|
||||
user = session.get("user", None)
|
||||
return {'USER': user}, 200
|
||||
|
|
@ -18,7 +19,7 @@ class UserGroupsAPI(Resource):
|
|||
"""
|
||||
UserGroups Api Resource
|
||||
"""
|
||||
|
||||
@login_required()
|
||||
def get(self):
|
||||
user = session.get("user", None)
|
||||
if user is not None:
|
||||
|
|
|
|||
|
|
@ -91,3 +91,11 @@ def hashExists(test):
|
|||
rows = query.execute()
|
||||
res = rows.first()
|
||||
return res is not None
|
||||
|
||||
|
||||
class Roles:
|
||||
secretaire = 1
|
||||
resp_formation = 2
|
||||
tuteur_univ = 3
|
||||
etudiant = 4
|
||||
tuteur_entreprise = 5
|
||||
|
|
|
|||
Reference in New Issue