QRouland/M2OLA
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

TG-126 Securiser les methodes de l'api

Browse Source
This commit is contained in:
Quentin Rouland 2017-03-31 00:19:02 +02:00
parent 8c97b49a67
commit aa6a2bc0bb
7 changed files with 44 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
backend/app/api/GroupAPI.py
View File

@ -3,15 +3,16 @@ import os
from flask_restful import Resource, request from flask_restful import Resource, request
from app.api import mailsModels from app.api import mailsModels
from app.model import * from app.api.LoginAPI import login_required
from app.utils import * from app.model import Roles, getGroup, getParam, getUser, USER, GROUP, TUTORSHIP
from app.utils import send_mail, checkParams
class GroupAPI(Resource): class GroupAPI(Resource):
""" """
Group Api Resource Group Api Resource
""" """
@login_required(roles=[Roles.resp_formation])
def post(self): def post(self):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):

8
backend/app/api/LivretAPI.py
View File

@ -3,15 +3,15 @@ import os
from flask_restful import Resource, request from flask_restful import Resource, request
from app.api import mailsModels from app.api import mailsModels
from app.model import * from app.model import Roles, getParam, getGroup, getUser, USER, GROUP, TUTORSHIP
from app.utils import * from app.utils import send_mail, checkParams
from app.api.LoginAPI import login_required
class LivretAPI(Resource): class LivretAPI(Resource):
""" """
Livret Api Resource Livret Api Resource
""" """
@login_required(roles=[Roles.etudiant])
def post(self): def post(self):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):

12
backend/app/api/LoginAPI.py
View File

@ -49,3 +49,15 @@ class LoginAPI(Resource):
session['user'] = None session['user'] = None
return {'AUTH_RESULT': 'OK'}, 200 return {'AUTH_RESULT': 'OK'}, 200
def login_required(roles=[]):
def my_login_required(func):
def wrapper(*args):
current_user = session.get('user', None)
if current_user is None or (len(roles) != 0 and not sum([1 for x in current_user['role'].split("-") if int(x) in roles]) > 0):
return {"msg": "UNAUTHORIZED"}, 401
return func(*args)
return wrapper
return my_login_required

18
backend/app/api/PdfAPI.py
View File

@ -1,29 +1,29 @@
import os
from flask import request
from flask_restful import Resource from flask_restful import Resource
from flask_restful.reqparse import RequestParser from flask_restful.reqparse import RequestParser
from app.tools.LibPdf import delete_file
from model import getParam from model import getParam
from werkzeug.utils import secure_filename
from app.model import getGroup from app.model import getGroup
from app.tools.LibPdf import delete_file, upload_file, allowed_file from app.tools.LibPdf import upload_file, allowed_file
from app.api.LoginAPI import login_required
import os
import request
class PdfAPI(Resource): class PdfAPI(Resource):
""" """
Pdf Api Resource Pdf Api Resource
""" """
@login_required()
def delete(self): def delete(self):
parser = RequestParser() parser = RequestParser()
parser.add_argument('templateName', required=True, help="Template name is required !") parser.add_argument('templateName', required=True, help="Template name is required !")
args = parser.parse_args() args = parser.parse_args()
if ".." in args: delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), secure_filename(args['templateName'])))
return {"msg": ".. not allowed in path"}, 400
delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), args['templateName']))
@login_required()
def post(self): def post(self):
""" """
Upload d'un template Upload d'un template

6
backend/app/api/UserAPI.py
View File

@ -2,15 +2,15 @@ from hashlib import sha256
from flask_restful import Resource, request from flask_restful import Resource, request
from app.model import * from app.model import Roles, getUser, hashExists, USER
from app.utils import checkParams, get_random_string from app.utils import checkParams, get_random_string
from app.api.LoginAPI import login_required
class UserAPI(Resource): class UserAPI(Resource):
""" """
User Api Resource User Api Resource
""" """
@login_required(roles=[Roles.resp_formation])
def post(self): def post(self):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['role', 'email', 'name'], args): if not checkParams(['role', 'email', 'name'], args):

7
backend/app/api/UserInfoAPI.py
View File

@ -1,7 +1,7 @@
from flask import session from flask import session
from flask_restful import Resource from flask_restful import Resource
from app.api.LoginAPI import login_required
from app.model import * from app.model import LIVRET, TUTORSHIP, and_
class UserInfoAPI(Resource): class UserInfoAPI(Resource):
@ -9,6 +9,7 @@ class UserInfoAPI(Resource):
UserInfo Api Resource UserInfo Api Resource
""" """
@login_required()
def get(self): def get(self):
user = session.get("user", None) user = session.get("user", None)
return {'USER': user}, 200 return {'USER': user}, 200
@ -18,7 +19,7 @@ class UserGroupsAPI(Resource):
""" """
UserGroups Api Resource UserGroups Api Resource
""" """
@login_required()
def get(self): def get(self):
user = session.get("user", None) user = session.get("user", None)
if user is not None: if user is not None:

8
backend/app/model.py
View File

@ -91,3 +91,11 @@ def hashExists(test):
rows = query.execute() rows = query.execute()
res = rows.first() res = rows.first()
return res is not None return res is not None
class Roles:
secretaire = 1
resp_formation = 2
tuteur_univ = 3
etudiant = 4
tuteur_entreprise = 5