added access control to GET all users in API

admin/app/controllers/users/user/user.controller.js

@@ -11,7 +11,8 @@ app.controller('UserController', function ($scope,
 
 	$scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));
 	$scope.getAllUsers = function () {
-		UserService.getAllUsers(function (response) {
+		let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+		UserService.getAllUsers(headers, function (response) {
 			if (angular.isDefined(response.status) && response.status === 200) {
 				$scope.users = response.data;
 			} else {

admin/app/services/users/user/user.service.js

@@ -1,8 +1,8 @@
 'use strict';
 app.factory('UserService', function($http) {  
     return {  
-        getAllUsers:function(callback){
-            $http.get(getAPI()+'users')  
+        getAllUsers:function(headers, callback){
+            $http.get(getAPI()+'users', {headers})  
             .then(function (response) {
                 callback(response);
             }, function (response) {

myems-api/MyEMS.postman_collection.json

@@ -6487,7 +6487,18 @@
 									"type": "noauth"
 								},
 								"method": "GET",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "50bc979c9181699bc33927aa04a453fd83e2b8e8280544bfc3807fdedf2645201676fe474787e0ea3024502659a2ab4b1905c6ca4f444ffdba764a603c4eb691",
+										"type": "text"
+									}
+								],
 								"url": {
 									"raw": "{{base_url}}/users",
 									"host": [

myems-api/core/user.py

@@ -22,9 +22,51 @@ class UserCollection:
 
     @staticmethod
     def on_get(req, resp):
-        # todo: add access control
+        if 'USER-UUID' not in req.headers or \
+                not isinstance(req.headers['USER-UUID'], str) or \
+                len(str.strip(req.headers['USER-UUID'])) == 0:
+            raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+                                   description='API.INVALID_USER_UUID')
+        admin_user_uuid = str.strip(req.headers['USER-UUID'])
+
+        if 'TOKEN' not in req.headers or \
+                not isinstance(req.headers['TOKEN'], str) or \
+                len(str.strip(req.headers['TOKEN'])) == 0:
+            raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+                                   description='API.INVALID_TOKEN')
+        admin_token = str.strip(req.headers['TOKEN'])
+
+        # Check administrator privilege
         cnx = mysql.connector.connect(**config.myems_user_db)
         cursor = cnx.cursor()
+        query = (" SELECT utc_expires "
+                 " FROM tbl_sessions "
+                 " WHERE user_uuid = %s AND token = %s")
+        cursor.execute(query, (admin_user_uuid, admin_token,))
+        row = cursor.fetchone()
+
+        if row is None:
+            cursor.close()
+            cnx.disconnect()
+            raise falcon.HTTPError(falcon.HTTP_404, title='API.NOT_FOUND',
+                                   description='API.ADMINISTRATOR_SESSION_NOT_FOUND')
+        else:
+            utc_expires = row[0]
+            if datetime.utcnow() > utc_expires:
+                cursor.close()
+                cnx.disconnect()
+                raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+                                       description='API.ADMINISTRATOR_SESSION_TIMEOUT')
+
+        query = (" SELECT name "
+                 " FROM tbl_users "
+                 " WHERE uuid = %s AND is_admin = true ")
+        cursor.execute(query, (admin_user_uuid,))
+        row = cursor.fetchone()
+        if row is None:
+            cursor.close()
+            cnx.disconnect()
+            raise falcon.HTTPError(falcon.HTTP_400, 'API.BAD_REQUEST', 'API.INVALID_PRIVILEGE')
 
         query = (" SELECT u.id, u.name, u.display_name, u.uuid, "
                  "        u.email, u.is_admin, p.id, p.name, "