QRouland/M2OLA
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

TG-36 : LivretAPI -> création de livret + sécurisation

Browse Source
This commit is contained in:
Clément ARNAUDEAU 2017-03-31 12:35:29 +02:00
parent ab33fb2bbe
commit cf95abbf17
7 changed files with 104 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
backend/OLA.mysql
View File

@ -66,6 +66,7 @@ CREATE TABLE IF NOT EXISTS LIVRET
contract_type INT NOT NULL, contract_type INT NOT NULL,
contract_start DATE NOT NULL, contract_start DATE NOT NULL,
contract_end DATE NOT NULL, contract_end DATE NOT NULL,
description TEXT NOT NULL,
ressources_dir VARCHAR(512), ressources_dir VARCHAR(512),
opened TINYINT(1) NOT NULL, opened TINYINT(1) NOT NULL,
expire DATE NOT NULL, expire DATE NOT NULL,
@ -143,3 +144,5 @@ CREATE UNIQUE INDEX user_email
ON `USER` (`email`); ON `USER` (`email`);
CREATE UNIQUE INDEX user_hash CREATE UNIQUE INDEX user_hash
ON `USER` (`hash`); ON `USER` (`hash`);
CREATE UNIQUE INDEX tutorship_unique_bygroup
ON `TUTORSHIP` (`group_id`, `student_id`);

18
backend/app/OLA_DATA.mysql
View File

@ -1,18 +0,0 @@
USE OLA;
INSERT INTO SETTINGS VALUES ('URL_BASE_DIRECTORY', '/OLA_RESSOURCES/', 'Répertoire base pour le dépot des fichiers');
INSERT INTO SETTINGS VALUES ('OLA_URL', 'ola.univ-tlse2.fr/', 'URL de l application');
INSERT INTO `USER` VALUES (1, 'sec', '1', 'sec@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `USER` VALUES (2, 'etu1', '4', 'etu1@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `USER` VALUES (3, 'etu2', '4', 'etu2@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `USER` VALUES (4, 'etu3', '4', 'etu3@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `USER` VALUES (5, 'resp', '2-3', 'resp@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `USER` VALUES (6, 'tut', '3', 'tut@univ-tlse2.fr', '01.23.45.67.89');
INSERT INTO `GROUP` VALUES (1, 'M2_ICE_2016-2017_TEST', '2017', 'Master2 ICE', 'Master 2 Informatique Collaborative en Entreprise', 'Sciences du chômage proffessionnel', 5, 1, '/home/dan/PycharmProjects/OLA/backend/app/OLA_RESSOURCES/M2_ICE_2016-2017_TEST');
INSERT INTO `GROUP` VALUES (2, 'M1_ICE_2016-2017_TEST', '2017', 'Master1 ICE', 'Master 1 Informatique Collaborative en Entreprise', 'Sciences du chômage proffessionnel', 5, 1, '/home/dan/PycharmProjects/OLA/backend/app/OLA_RESSOURCES/M1_ICE_2016-2017_TEST');
INSERT INTO TUTORSHIP VALUES (DEFAULT, 1, 2, 5);
INSERT INTO TUTORSHIP VALUES (DEFAULT, 2, 4, 5);
INSERT INTO TUTORSHIP VALUES (DEFAULT, 1, 3, 6);

26
backend/app/api/GroupAPI.py
View File

@ -12,6 +12,7 @@ class GroupAPI(Resource):
""" """
Group Api Resource Group Api Resource
""" """
@login_required(roles=[Roles.resp_formation]) @login_required(roles=[Roles.resp_formation])
def post(self): def post(self):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
@ -48,8 +49,8 @@ class GroupAPI(Resource):
"URL": getParam('OLA_URL')}) "URL": getParam('OLA_URL')})
mails.append((user["email"], mail)) mails.append((user["email"], mail))
if "2" not in user['role'].split('-'): if str(Roles.resp_formation) not in user['role'].split('-'):
role = user['role'] + "-2" role = user['role'] + "-" + str(Roles.resp_formation)
query = USER.update().values(role=role).where(USER.c.id == resp_id) query = USER.update().values(role=role).where(USER.c.id == resp_id)
query.execute() query.execute()
@ -69,8 +70,8 @@ class GroupAPI(Resource):
"URL": getParam('OLA_URL')}) "URL": getParam('OLA_URL')})
mails.append((user["email"], mail)) mails.append((user["email"], mail))
if "1" not in user['role'].split('-'): if str(Roles.secretaire) not in user['role'].split('-'):
role = user['role'] + "-1" role = user['role'] + "-" + str(Roles.secretaire)
query = USER.update().values(role=role).where(USER.c.id == sec_id) query = USER.update().values(role=role).where(USER.c.id == sec_id)
query.execute() query.execute()
@ -86,6 +87,7 @@ class GroupAPI(Resource):
return {"GID": res.lastrowid}, 201 return {"GID": res.lastrowid}, 201
@login_required(roles=Roles.resp_formation)
def put(self, gid): def put(self, gid):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):
@ -125,8 +127,8 @@ class GroupAPI(Resource):
"URL": getParam('OLA_URL')}) "URL": getParam('OLA_URL')})
mails.append((user["email"], mail)) mails.append((user["email"], mail))
if "2" not in user['role'].split('-'): if str(Roles.resp_formation) not in user['role'].split('-'):
role = user['role'] + "-2" role = user['role'] + "-" + str(Roles.resp_formation)
query = USER.update().values(role=role).where(USER.c.id == resp_id) query = USER.update().values(role=role).where(USER.c.id == resp_id)
query.execute() query.execute()
@ -146,8 +148,8 @@ class GroupAPI(Resource):
"URL": getParam('OLA_URL')}) "URL": getParam('OLA_URL')})
mails.append((user["email"], mail)) mails.append((user["email"], mail))
if "1" not in user['role'].split('-'): if str(Roles.secretaire) not in user['role'].split('-'):
role = user['role'] + "-1" role = user['role'] + "-" + str(Roles.secretaire)
query = USER.update().values(role=role).where(USER.c.id == sec_id) query = USER.update().values(role=role).where(USER.c.id == sec_id)
query.execute() query.execute()
@ -166,12 +168,14 @@ class GroupAPI(Resource):
return {"GID": gid}, 200 return {"GID": gid}, 200
@login_required()
def get(self, gid=0, name=""): def get(self, gid=0, name=""):
if gid > 0: if gid > 0:
return {'GROUP': getGroup(gid=gid)}, 200 return {'GROUP': getGroup(gid=gid)}, 200
elif name != "": elif name != "":
return {'GROUP': getGroup(name=name)}, 200 return {'GROUP': getGroup(name=name)}, 200
@login_required(roles=Roles.resp_formation)
def options(self, gid): def options(self, gid):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['pairs'], args): if not checkParams(['pairs'], args):
@ -188,16 +192,16 @@ class GroupAPI(Resource):
stud = getUser(uid=p[0]) stud = getUser(uid=p[0])
if stud is None: if stud is None:
return {"ERROR": "The user with id " + str(p[0]) + " does not exists !"}, 400 return {"ERROR": "The user with id " + str(p[0]) + " does not exists !"}, 400
elif stud['role'] != "4": elif stud['role'] != str(Roles.etudiant):
return {"ERROR": "A student must have the 'student' role !"}, 400 return {"ERROR": "A student must have the 'student' role !"}, 400
tutor = getUser(uid=p[1]) tutor = getUser(uid=p[1])
if tutor is None: if tutor is None:
return {"ERROR": "The user with id " + str(p[1]) + " does not exists !"}, 400 return {"ERROR": "The user with id " + str(p[1]) + " does not exists !"}, 400
elif tutor['role'] == "4": elif tutor['role'] == str(Roles.etudiant):
return {"ERROR": "A student can't be a tutor !"}, 400 return {"ERROR": "A student can't be a tutor !"}, 400
elif "3" not in tutor['role'].split('-'): elif "3" not in tutor['role'].split('-'):
role = tutor['role'] + "-3" role = tutor['role'] + "-" + str(Roles.tuteur_univ)
query = USER.update().values(role=role).where(USER.c.id == p[1]) query = USER.update().values(role=role).where(USER.c.id == p[1])
query.execute() query.execute()
except IndexError: except IndexError:

98
backend/app/api/LivretAPI.py
View File

@ -1,80 +1,83 @@
import os import os
from datetime import datetime
from dateutil.relativedelta import relativedelta
from flask import session
from flask_restful import Resource, request from flask_restful import Resource, request
from sqlalchemy import and_
from app.api import mailsModels from app.api import mailsModels
from app.model import Roles, getParam, getGroup, getUser, USER, GROUP, TUTORSHIP
from app.utils import send_mail, checkParams
from app.api.LoginAPI import login_required from app.api.LoginAPI import login_required
from app.model import Roles, getParam, getGroup, getUser, USER, GROUP, TUTORSHIP, LIVRET
from app.utils import send_mail, checkParams
class LivretAPI(Resource): class LivretAPI(Resource):
""" """
Livret Api Resource Livret Api Resource
""" """
@login_required(roles=[Roles.etudiant]) @login_required(roles=[Roles.etudiant])
def post(self): def post(self):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): if not checkParams(['student_id', 'group_id', 'etutor_id', 'company_name', 'company_address', 'contract_type',
'contract_start', 'contract_end', 'description'], args):
return {"ERROR": "One or more parameters are missing !"}, 400 return {"ERROR": "One or more parameters are missing !"}, 400
name = args['name'] user = session.get("user")
year = args['year'] group_id = args['group_id']
class_short = args['class_short'] etutor_id = args['etutor_id']
class_long = args['class_long'] company_name = args['company_name']
department = args['department'] company_address = args['company_address']
resp_id = args['resp_id'] contract_type = int(args['contract_type'])
sec_id = args['sec_id'] contract_start = datetime.strptime(args['contract_start'], "%d-%m-%Y")
res_dir = getParam('BASE_DIRECTORY') + name + "/" contract_end = datetime.strptime(args['contract_end'], "%d-%m-%Y")
description = args['description']
mails = [] mails = []
group = getGroup(name=name) group = getGroup(gid=group_id)
if group is not None: if group is None:
return {"GID": group["id"]}, 200 return {"ERROR": "This group does not exists !"}, 405
user = getUser(uid=resp_id) query = TUTORSHIP.select(and_(TUTORSHIP.c.group_id == group_id, TUTORSHIP.c.student_id == user["id"]))
res = query.execute()
tutorship = res.first()
if tutorship is None:
return {"ERROR": "This student is not in this group !"}, 405
tutorship_id = tutorship.id
user = getUser(uid=etutor_id)
if user is None: if user is None:
return {"ERROR": "The user with id " + str(resp_id) + " does not exists !"}, 400 return {"ERROR": "The user with id " + str(etutor_id) + " does not exists !"}, 400
else: else:
query = USER.select(USER.c.id == user["id"]) query = USER.select(USER.c.id == user["id"])
rows = query.execute() rows = query.execute()
res = rows.first() res = rows.first()
if res.hash is not None and len(res.hash) > 0: if res.hash is not None and len(res.hash) > 0:
mail = mailsModels.getMailContent("NEW_RESP_OF_GROUP", {"GROUP": name, mail = mailsModels.getMailContent("NEW_ETUTOR_ADDED", {"GROUP": group["name"],
"URL": getParam('OLA_URL') + "registration/"
+ res.hash})
else:
mail = mailsModels.getMailContent("RESP_OF_GROUP", {"GROUP": name,
"URL": getParam('OLA_URL')})
mails.append((user["email"], mail))
if "2" not in user['role'].split('-'):
role = user['role'] + "-2"
query = USER.update().values(role=role).where(USER.c.id == resp_id)
query.execute()
user = getUser(uid=sec_id)
if user is None:
return {"ERROR": "The user with id " + str(sec_id) + " does not exists !"}, 400
else:
query = USER.select(USER.c.id == user["id"])
rows = query.execute()
res = rows.first()
if res.hash is not None and len(res.hash) > 0:
mail = mailsModels.getMailContent("NEW_SEC_OF_GROUP", {"GROUP": name,
"URL": getParam('OLA_URL') + "registration/" "URL": getParam('OLA_URL') + "registration/"
+ res.hash}) + res.hash})
else: else:
mail = mailsModels.getMailContent("SEC_OF_GROUP", {"GROUP": name, mail = mailsModels.getMailContent("ETUTOR_ADDED", {"GROUP": group["name"],
"URL": getParam('OLA_URL')}) "URL": getParam('OLA_URL')})
mails.append((user["email"], mail)) mails.append((user["email"], mail))
if "1" not in user['role'].split('-'): if str(Roles.tuteur_entreprise) not in user['role'].split('-'):
role = user['role'] + "-1" return {"ERROR": "The user with id " + str(etutor_id) +
query = USER.update().values(role=role).where(USER.c.id == sec_id) " doesn't have the 'etutor' role (" + str(Roles.tuteur_entreprise) + ") !"}, 400
query.execute()
query = GROUP.insert().values(name=name, year=year, class_short=class_short, class_long=class_long, if contract_start > contract_end:
department=department, resp_id=resp_id, sec_id=sec_id, ressources_dir=res_dir) return {"ERROR": "The contract start can't be after its end !"}, 400
res_dir = group["ressources_dir"] + user['id'] + "/"
expire = datetime.now() + relativedelta(year=1)
query = LIVRET.insert().values(tutorship_id=tutorship_id, etutor_id=etutor_id, company_name=company_name,
company_address=company_address, contract_type=contract_type,
contract_start=contract_start, contract_end=contract_end,
description=description, ressources_dir=res_dir, opened='1', expire=expire)
res = query.execute() res = query.execute()
os.mkdir(res_dir) os.mkdir(res_dir)
@ -83,8 +86,9 @@ class LivretAPI(Resource):
mail = m[1] mail = m[1]
send_mail(mail[0], addr, mail[1]) send_mail(mail[0], addr, mail[1])
return {"GID": res.lastrowid}, 201 return {"LID": res.lastrowid}, 201
@login_required(roles=[Roles.etudiant])
def put(self, gid): def put(self, gid):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args):
@ -165,12 +169,14 @@ class LivretAPI(Resource):
return {"GID": gid}, 200 return {"GID": gid}, 200
@login_required()
def get(self, gid=0, name=""): def get(self, gid=0, name=""):
if gid > 0: if gid > 0:
return {'GROUP': getGroup(gid=gid)}, 200 return {'GROUP': getGroup(gid=gid)}, 200
elif name != "": elif name != "":
return {'GROUP': getGroup(name=name)}, 200 return {'GROUP': getGroup(name=name)}, 200
@login_required(roles=Roles.etudiant)
def options(self, gid): def options(self, gid):
args = request.get_json(cache=False, force=True) args = request.get_json(cache=False, force=True)
if not checkParams(['pairs'], args): if not checkParams(['pairs'], args):

24
backend/app/api/UserAPI.py
View File

@ -1,10 +1,11 @@
from hashlib import sha256 from hashlib import sha256
from flask import session
from flask_restful import Resource, request from flask_restful import Resource, request
from app.api.LoginAPI import login_required
from app.model import Roles, getUser, hashExists, USER from app.model import Roles, getUser, hashExists, USER
from app.utils import checkParams, get_random_string from app.utils import checkParams, get_random_string
from app.api.LoginAPI import login_required
class UserAPI(Resource): class UserAPI(Resource):
""" """
@ -52,9 +53,14 @@ class UserAPI(Resource):
password = sha256(psw.encode('utf-8')).hexdigest() password = sha256(psw.encode('utf-8')).hexdigest()
if getUser(uid=uid) is None: user = getUser(uid=uid)
if user is None:
return {"ERROR": "This user doesn't exists !"}, 405 return {"ERROR": "This user doesn't exists !"}, 405
# On n'autorise pas de modifcation anonyme d'un profil s'il est déjà activé (si il a un mdp)
if user["password"] is not None and user["password"] != "" and session.get("user", None) is None:
return {"msg": "UNAUTHORIZED"}, 401
if getUser(email=email) is not None: if getUser(email=email) is not None:
return {"ERROR": "A user with this email already exists !"}, 405 return {"ERROR": "A user with this email already exists !"}, 405
@ -64,9 +70,11 @@ class UserAPI(Resource):
return {"UID": uid}, 200 return {"UID": uid}, 200
def get(self, uid=0, email="", hashcode=""): def get(self, uid=0, email="", hashcode=""):
if uid > 0: if session.get('user', None) is not None:
return {'USER': getUser(uid=uid)}, 200 if uid > 0:
elif email != "": return {'USER': getUser(uid=uid)}, 200
return {'USER': getUser(email=email)}, 200 elif email != "":
elif hashcode != "": return {'USER': getUser(email=email)}, 200
return {'USER': getUser(hashcode=hashcode)}, 200
if hashcode != "":
return {'USER': getUser(hashcode=hashcode)}, 200

4
backend/app/api/UserInfoAPI.py
View File

@ -1,6 +1,6 @@
from flask import session from flask import session
from flask_restful import Resource from flask_restful import Resource
from app.api.LoginAPI import login_required
from app.model import LIVRET, TUTORSHIP, and_ from app.model import LIVRET, TUTORSHIP, and_
@ -9,7 +9,6 @@ class UserInfoAPI(Resource):
UserInfo Api Resource UserInfo Api Resource
""" """
@login_required()
def get(self): def get(self):
user = session.get("user", None) user = session.get("user", None)
return {'USER': user}, 200 return {'USER': user}, 200
@ -19,7 +18,6 @@ class UserGroupsAPI(Resource):
""" """
UserGroups Api Resource UserGroups Api Resource
""" """
@login_required()
def get(self): def get(self):
user = session.get("user", None) user = session.get("user", None)
if user is not None: if user is not None:

19
backend/app/api/mailsModels.py
View File

@ -11,7 +11,7 @@ _STUD_OF_GROUP = (
_NEW_RESP_OF_GROUP = ("Votre compte OLA a été créé !", "Bonjour,<br/><p>Votre compte vient d'être créé dans l'Outil du " _NEW_RESP_OF_GROUP = ("Votre compte OLA a été créé !", "Bonjour,<br/><p>Votre compte vient d'être créé dans l'Outil du "
"Livret de l'Alternant en tant que responsable du groupe <b>#GROUPE</b>. Vous pouvez dès " "Livret de l'Alternant en tant que responsable du groupe <b>#GROUPE</b>. Vous pouvez dès "
"maintenant l'activer, en vous rendant à l'adresse : <br/>" "maintenant l'activer en vous rendant à l'adresse : <br/>"
"<a href='#URL'>#URL</a></p><p>Bonne journée !</p>") "<a href='#URL'>#URL</a></p><p>Bonne journée !</p>")
_RESP_OF_GROUP = ( _RESP_OF_GROUP = (
@ -22,7 +22,7 @@ _RESP_OF_GROUP = (
_NEW_SEC_OF_GROUP = ("Votre compte OLA a été créé !", "Bonjour,<br/><p>Votre compte vient d'être créé dans l'Outil du " _NEW_SEC_OF_GROUP = ("Votre compte OLA a été créé !", "Bonjour,<br/><p>Votre compte vient d'être créé dans l'Outil du "
"Livret de l'Alternant en tant que secrétaire du groupe <b>#GROUPE</b>. Vous pouvez dès " "Livret de l'Alternant en tant que secrétaire du groupe <b>#GROUPE</b>. Vous pouvez dès "
"maintenant l'activer, en vous rendant à l'adresse : <br/>" "maintenant l'activer en vous rendant à l'adresse : <br/>"
"<a href='#URL'>#URL</a></p><p>Bonne journée !</p>") "<a href='#URL'>#URL</a></p><p>Bonne journée !</p>")
_SEC_OF_GROUP = ( _SEC_OF_GROUP = (
@ -31,6 +31,17 @@ _SEC_OF_GROUP = (
"maintenant y accéder en vous rendant à l'adresse : <br/>" "maintenant y accéder en vous rendant à l'adresse : <br/>"
"<a href='#URL'>#URL</a></p><p>Bonne journée !</p>") "<a href='#URL'>#URL</a></p><p>Bonne journée !</p>")
_NEW_ETUTOR_ADDED = ("Votre compte OLA a été créé !", "Bonjour,<br/><p>Votre compte vient d'être créé dans l'Outil du "
"Livret de l'Alternant de l'Université Toulouse Jean-Jaurès en tant que tuteur dans le groupe <b>#GROUPE</b>. Vous pouvez dès "
"maintenant l'activer en vous rendant à l'adresse : <br/>"
"<a href='#URL'>#URL</a></p><p>Bonne journée !</p>")
_ETUTOR_ADDED = (
"Vous avez été déclaré comme tuteur dans OLA !", "Bonjour,<br/><p>Votre compte vient d'être ajouté dans l'Outil du "
"Livret de l'Alternant de l'Université Toulouse Jean-Jaurès en tant que tuteur dans le groupe <b>#GROUPE</b>. Vous pouvez dès "
"maintenant accéder à votre compte en vous rendant à l'adresse : <br/>"
"<a href='#URL'>#URL</a></p><p>Bonne journée !</p>")
def getMailContent(mail_type, args): def getMailContent(mail_type, args):
if mail_type == "NEW_STUD_OF_GROUP": if mail_type == "NEW_STUD_OF_GROUP":
@ -45,6 +56,10 @@ def getMailContent(mail_type, args):
mail = _NEW_SEC_OF_GROUP mail = _NEW_SEC_OF_GROUP
elif mail_type == "SEC_OF_GROUP": elif mail_type == "SEC_OF_GROUP":
mail = _SEC_OF_GROUP mail = _SEC_OF_GROUP
elif mail_type == "NEW_ETUTOR_ADDED":
mail = _NEW_ETUTOR_ADDED
elif mail_type == "ETUTOR_ADDED":
mail = _ETUTOR_ADDED
else: else:
raise Exception("Unknown mail type !") raise Exception("Unknown mail type !")