added access control to GET all users in API
parent
5c900e9a82
commit
72484ea920
|
@ -11,7 +11,8 @@ app.controller('UserController', function ($scope,
|
|||
|
||||
$scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));
|
||||
$scope.getAllUsers = function () {
|
||||
UserService.getAllUsers(function (response) {
|
||||
let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
|
||||
UserService.getAllUsers(headers, function (response) {
|
||||
if (angular.isDefined(response.status) && response.status === 200) {
|
||||
$scope.users = response.data;
|
||||
} else {
|
||||
|
|
|
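Review bot: The new `headers` line dereferences `$scope.cur_user.uuid` without checking that `cur_user` is non-null; `JSON.parse(null)` returns `null` when the `myems_admin_ui_current_user` key is absent from localStorage (a cleared or never-established session), so `getAllUsers` would throw a TypeError before the request is made instead of reaching the `else` branch, whose body continues outside the hunk. A one-line guard before building the headers, `if (!$scope.cur_user) { return; }` (or whatever redirect-to-login the controller already uses), keeps that failure explicit. `let headers` is never reassigned and can be `const headers`. If the same header object is rebuilt in every controller action, a small helper on the scope or service would avoid repeating the null check at each call site.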
@ -1,8 +1,8 @@
|
|||
'use strict';
|
||||
app.factory('UserService', function($http) {
|
||||
return {
|
||||
getAllUsers:function(callback){
|
||||
$http.get(getAPI()+'users')
|
||||
getAllUsers:function(headers, callback){
|
||||
$http.get(getAPI()+'users', {headers})
|
||||
.then(function (response) {
|
||||
callback(response);
|
||||
}, function (response) {
|
||||
|
|
|
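Review bot: `getAllUsers` now takes `headers` as its first positional argument, which is not backward compatible: any caller still invoking it with a single callback will have that callback bound to `headers` and `callback` left `undefined`, so the `.then` handler on the following lines throws when the response arrives rather than surfacing an error. I can only see `UserController` being updated here; if other consumers of `UserService` exist they need the same change in this commit. A JSDoc block on the method describing `headers` as the `User-UUID`/`Token` pair the API expects and `callback` as receiving the `$http` response would document the new contract for them. The rejection handler `function (response) {` opens at the end of the hunk and its body lies outside it.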
@ -6487,7 +6487,18 @@
|
|||
"type": "noauth"
|
||||
},
|
||||
"method": "GET",
|
||||
"header": [],
|
||||
"header": [
|
||||
{
|
||||
"key": "User-UUID",
|
||||
"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
"key": "Token",
|
||||
"value": "50bc979c9181699bc33927aa04a453fd83e2b8e8280544bfc3807fdedf2645201676fe474787e0ea3024502659a2ab4b1905c6ca4f444ffdba764a603c4eb691",
|
||||
"type": "text"
|
||||
}
|
||||
],
|
||||
"url": {
|
||||
"raw": "{{base_url}}/users",
|
||||
"host": [
|
||||
|
|
|
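Review bot: The added `Token` header carries a literal 128-hex-character value and `User-UUID` a literal UUID inside a committed Postman collection; if these were ever issued by a real deployment, the token is now in repository history and should be treated as exposed and invalidated server-side. The collection already uses `{{base_url}}`, so the same mechanism fits here: `"value": "{{user_uuid}}"` and `"value": "{{token}}"`, with the real values kept in a local, un-committed Postman environment. That also avoids editing every request in the collection whenever the admin session expires.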
@ -22,9 +22,51 @@ class UserCollection:
|
|||
|
||||
@staticmethod
|
||||
def on_get(req, resp):
|
||||
# todo: add access control
|
||||
if 'USER-UUID' not in req.headers or \
|
||||
not isinstance(req.headers['USER-UUID'], str) or \
|
||||
len(str.strip(req.headers['USER-UUID'])) == 0:
|
||||
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
|
||||
description='API.INVALID_USER_UUID')
|
||||
admin_user_uuid = str.strip(req.headers['USER-UUID'])
|
||||
|
||||
if 'TOKEN' not in req.headers or \
|
||||
not isinstance(req.headers['TOKEN'], str) or \
|
||||
len(str.strip(req.headers['TOKEN'])) == 0:
|
||||
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
|
||||
description='API.INVALID_TOKEN')
|
||||
admin_token = str.strip(req.headers['TOKEN'])
|
||||
|
||||
# Check administrator privilege
|
||||
cnx = mysql.connector.connect(**config.myems_user_db)
|
||||
cursor = cnx.cursor()
|
||||
query = (" SELECT utc_expires "
|
||||
" FROM tbl_sessions "
|
||||
" WHERE user_uuid = %s AND token = %s")
|
||||
cursor.execute(query, (admin_user_uuid, admin_token,))
|
||||
row = cursor.fetchone()
|
||||
|
||||
if row is None:
|
||||
cursor.close()
|
||||
cnx.disconnect()
|
||||
raise falcon.HTTPError(falcon.HTTP_404, title='API.NOT_FOUND',
|
||||
description='API.ADMINISTRATOR_SESSION_NOT_FOUND')
|
||||
else:
|
||||
utc_expires = row[0]
|
||||
if datetime.utcnow() > utc_expires:
|
||||
cursor.close()
|
||||
cnx.disconnect()
|
||||
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
|
||||
description='API.ADMINISTRATOR_SESSION_TIMEOUT')
|
||||
|
||||
query = (" SELECT name "
|
||||
" FROM tbl_users "
|
||||
" WHERE uuid = %s AND is_admin = true ")
|
||||
cursor.execute(query, (admin_user_uuid,))
|
||||
row = cursor.fetchone()
|
||||
if row is None:
|
||||
cursor.close()
|
||||
cnx.disconnect()
|
||||
raise falcon.HTTPError(falcon.HTTP_400, 'API.BAD_REQUEST', 'API.INVALID_PRIVILEGE')
|
||||
|
||||
query = (" SELECT u.id, u.name, u.display_name, u.uuid, "
|
||||
" u.email, u.is_admin, p.id, p.name, "
|
||||
|
|