2020-07-12 17:34:25 +02:00
|
|
|
# ContentDB
|
2021-01-30 17:59:42 +01:00
|
|
|
# Copyright (C) 2018-21 rubenwardy
|
2019-11-22 15:33:22 +01:00
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
2021-01-30 17:59:42 +01:00
|
|
|
# it under the terms of the GNU Affero General Public License as published by
|
2019-11-22 15:33:22 +01:00
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2021-01-30 17:59:42 +01:00
|
|
|
# GNU Affero General Public License for more details.
|
2019-11-22 15:33:22 +01:00
|
|
|
#
|
2021-01-30 17:59:42 +01:00
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
2019-11-22 15:33:22 +01:00
|
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
2019-11-27 02:16:59 +01:00
|
|
|
from flask import render_template, redirect, request, session, url_for, abort
|
2022-01-07 22:55:33 +01:00
|
|
|
from flask_babel import lazy_gettext
|
2020-12-04 23:05:10 +01:00
|
|
|
from flask_login import login_required, current_user
|
2019-11-22 15:33:22 +01:00
|
|
|
from flask_wtf import FlaskForm
|
2023-06-19 20:32:36 +02:00
|
|
|
from wtforms import StringField, SubmitField
|
|
|
|
from wtforms.validators import InputRequired, Length
|
2023-06-18 23:21:37 +02:00
|
|
|
from wtforms_sqlalchemy.fields import QuerySelectField
|
2020-12-04 03:23:04 +01:00
|
|
|
|
2023-06-18 23:21:37 +02:00
|
|
|
from app.models import db, User, APIToken, Permission
|
2023-06-19 22:27:49 +02:00
|
|
|
from app.utils import random_string
|
2020-12-04 03:23:04 +01:00
|
|
|
from . import bp
|
2020-12-05 19:39:50 +01:00
|
|
|
from ..users.settings import get_setting_tabs
|
2020-12-04 03:23:04 +01:00
|
|
|
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
class CreateAPIToken(FlaskForm):
|
2022-01-07 22:55:33 +01:00
|
|
|
name = StringField(lazy_gettext("Name"), [InputRequired(), Length(1, 30)])
|
|
|
|
package = QuerySelectField(lazy_gettext("Limit to package"), allow_blank=True,
|
2020-01-24 20:26:00 +01:00
|
|
|
get_pk=lambda a: a.id, get_label=lambda a: a.title)
|
2022-01-07 22:55:33 +01:00
|
|
|
submit = SubmitField(lazy_gettext("Save"))
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
|
2020-06-03 17:40:52 +02:00
|
|
|
@bp.route("/user/tokens/")
|
|
|
|
@login_required
|
|
|
|
def list_tokens_redirect():
|
|
|
|
return redirect(url_for("api.list_tokens", username=current_user.username))
|
|
|
|
|
|
|
|
|
2019-11-22 15:33:22 +01:00
|
|
|
@bp.route("/users/<username>/tokens/")
|
|
|
|
@login_required
|
|
|
|
def list_tokens(username):
|
|
|
|
user = User.query.filter_by(username=username).first()
|
|
|
|
if user is None:
|
|
|
|
abort(404)
|
|
|
|
|
2023-06-18 22:56:19 +02:00
|
|
|
if not user.check_perm(current_user, Permission.CREATE_TOKEN):
|
2019-11-22 15:33:22 +01:00
|
|
|
abort(403)
|
|
|
|
|
2020-12-05 04:16:09 +01:00
|
|
|
return render_template("api/list_tokens.html", user=user, tabs=get_setting_tabs(user), current_tab="api_tokens")
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/users/<username>/tokens/new/", methods=["GET", "POST"])
|
|
|
|
@bp.route("/users/<username>/tokens/<int:id>/edit/", methods=["GET", "POST"])
|
|
|
|
@login_required
|
|
|
|
def create_edit_token(username, id=None):
|
|
|
|
user = User.query.filter_by(username=username).first()
|
|
|
|
if user is None:
|
|
|
|
abort(404)
|
|
|
|
|
2023-06-18 22:56:19 +02:00
|
|
|
if not user.check_perm(current_user, Permission.CREATE_TOKEN):
|
2019-11-22 15:33:22 +01:00
|
|
|
abort(403)
|
|
|
|
|
|
|
|
is_new = id is None
|
|
|
|
|
|
|
|
token = None
|
|
|
|
access_token = None
|
|
|
|
if not is_new:
|
|
|
|
token = APIToken.query.get(id)
|
2023-10-31 21:11:55 +01:00
|
|
|
if token is None or token.owner != user:
|
2019-11-22 15:33:22 +01:00
|
|
|
abort(404)
|
|
|
|
|
2020-04-11 18:45:25 +02:00
|
|
|
access_token = session.pop("token_" + str(token.id), None)
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
form = CreateAPIToken(formdata=request.form, obj=token)
|
2021-02-02 18:09:21 +01:00
|
|
|
form.package.query_factory = lambda: user.maintained_packages.all()
|
2020-01-24 20:26:00 +01:00
|
|
|
|
2020-12-05 00:07:19 +01:00
|
|
|
if form.validate_on_submit():
|
2019-11-22 15:33:22 +01:00
|
|
|
if is_new:
|
|
|
|
token = APIToken()
|
2023-04-23 22:49:53 +02:00
|
|
|
db.session.add(token)
|
2019-11-22 15:33:22 +01:00
|
|
|
token.owner = user
|
2023-06-19 22:27:49 +02:00
|
|
|
token.access_token = random_string(32)
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
form.populate_obj(token)
|
2023-04-23 22:49:53 +02:00
|
|
|
db.session.commit()
|
2019-11-22 15:33:22 +01:00
|
|
|
|
2020-04-11 18:45:25 +02:00
|
|
|
if is_new:
|
|
|
|
# Store token so it can be shown in the edit page
|
|
|
|
session["token_" + str(token.id)] = token.access_token
|
|
|
|
|
2019-11-22 15:33:22 +01:00
|
|
|
return redirect(url_for("api.create_edit_token", username=username, id=token.id))
|
|
|
|
|
|
|
|
return render_template("api/create_edit_token.html", user=user, form=form, token=token, access_token=access_token)
|
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/users/<username>/tokens/<int:id>/reset/", methods=["POST"])
|
|
|
|
@login_required
|
|
|
|
def reset_token(username, id):
|
|
|
|
user = User.query.filter_by(username=username).first()
|
|
|
|
if user is None:
|
|
|
|
abort(404)
|
|
|
|
|
2023-06-18 22:56:19 +02:00
|
|
|
if not user.check_perm(current_user, Permission.CREATE_TOKEN):
|
2019-11-22 15:33:22 +01:00
|
|
|
abort(403)
|
|
|
|
|
|
|
|
token = APIToken.query.get(id)
|
|
|
|
if token is None:
|
|
|
|
abort(404)
|
|
|
|
elif token.owner != user:
|
|
|
|
abort(403)
|
|
|
|
|
2023-06-19 22:27:49 +02:00
|
|
|
token.access_token = random_string(32)
|
2019-11-22 15:33:22 +01:00
|
|
|
|
|
|
|
db.session.commit() # save
|
|
|
|
|
|
|
|
# Store token so it can be shown in the edit page
|
|
|
|
session["token_" + str(token.id)] = token.access_token
|
|
|
|
|
|
|
|
return redirect(url_for("api.create_edit_token", username=username, id=token.id))
|
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/users/<username>/tokens/<int:id>/delete/", methods=["POST"])
|
|
|
|
@login_required
|
|
|
|
def delete_token(username, id):
|
|
|
|
user = User.query.filter_by(username=username).first()
|
|
|
|
if user is None:
|
|
|
|
abort(404)
|
|
|
|
|
2023-06-18 22:56:19 +02:00
|
|
|
if not user.check_perm(current_user, Permission.CREATE_TOKEN):
|
2019-11-22 15:33:22 +01:00
|
|
|
abort(403)
|
|
|
|
|
|
|
|
token = APIToken.query.get(id)
|
|
|
|
if token is None:
|
|
|
|
abort(404)
|
|
|
|
elif token.owner != user:
|
|
|
|
abort(403)
|
|
|
|
|
|
|
|
db.session.delete(token)
|
|
|
|
db.session.commit()
|
|
|
|
|
|
|
|
return redirect(url_for("api.list_tokens", username=username))
|