diff --git a/admin/app/controllers/users/user/user.controller.js b/admin/app/controllers/users/user/user.controller.js
index abbea5d3..52793684 100644
--- a/admin/app/controllers/users/user/user.controller.js
+++ b/admin/app/controllers/users/user/user.controller.js
@@ -11,7 +11,8 @@ app.controller('UserController', function ($scope,
 $scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));
 $scope.getAllUsers = function () {
- UserService.getAllUsers(function (response) {
+ let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+ UserService.getAllUsers(headers, function (response) {
 if (angular.isDefined(response.status) && response.status === 200) {
 $scope.users = response.data;
 } else {
diff --git a/admin/app/services/users/user/user.service.js b/admin/app/services/users/user/user.service.js
index d9a38a74..b8ad7d67 100644
--- a/admin/app/services/users/user/user.service.js
+++ b/admin/app/services/users/user/user.service.js
@@ -1,8 +1,8 @@
 'use strict';
 app.factory('UserService', function($http) {
 return {
- getAllUsers:function(callback){
- $http.get(getAPI()+'users')
+ getAllUsers:function(headers, callback){
+ $http.get(getAPI()+'users', {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
diff --git a/myems-api/MyEMS.postman_collection.json b/myems-api/MyEMS.postman_collection.json
index 66e63491..7f12cf99 100644
--- a/myems-api/MyEMS.postman_collection.json
+++ b/myems-api/MyEMS.postman_collection.json
@@ -6487,7 +6487,18 @@
 "type": "noauth"
 },
 "method": "GET",
- "header": [],
+ "header": [
+ {
+ "key": "User-UUID",
+ "value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+ "type": "text"
+ },
+ {
+ "key": "Token",
+ "value": "50bc979c9181699bc33927aa04a453fd83e2b8e8280544bfc3807fdedf2645201676fe474787e0ea3024502659a2ab4b1905c6ca4f444ffdba764a603c4eb691",
+ "type": "text"
+ }
+ ],
 "url": {
 "raw": "{{base_url}}/users",
 "host": [
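Review bot: The new `let headers = { "User-UUID": $scope.cur_user.uuid, ... }` line dereferences `$scope.cur_user` unconditionally, but that value comes from `JSON.parse($window.localStorage.getItem(...))`, which yields `null` when the key is absent, so an admin page opened without a stored session now throws a TypeError inside getAllUsers instead of reaching the server's own header validation. Guard it before building the headers, e.g. `if (!$scope.cur_user) { return; }` ahead of the `let headers` line, so the UI degrades to an empty list rather than an uncaught exception. `const` rather than `let` also fits here, since `headers` is never reassigned. The enclosing controller function starts before this hunk and the getAllUsers callback continues past its end.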
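Review bot: Prepending `headers` to `getAllUsers:function(headers, callback)` silently breaks any caller still using the one-argument form `getAllUsers(callback)`: the callback would be bound to `headers` and passed to `$http.get` as the headers object, while `callback` is undefined and the `.then` handler then fails with a TypeError. This chunk shows only user.controller.js being updated; either confirm every other caller in the admin app is migrated in the same commit, or accept both shapes with a short shim at the top of the function, `if (typeof headers === 'function') { callback = headers; headers = undefined; }`. As a point of style, the `{headers}` shorthand is ES2015 while the rest of the factory is written ES5-style; if the admin bundle is not transpiled, `{headers: headers}` keeps the file consistent and avoids a parse error in older browsers.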
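Review bot: The two added header entries put a literal `User-UUID` and a literal `Token` value into the committed collection; the token is a server-side session credential, so it should not be checked into the repository at all, and once published it should be treated as exposed and its session row invalidated. The request already uses a Postman variable on the `"raw": "{{base_url}}/users"` line, so the same mechanism fits here: replace the two `"value"` entries with variables that each user sets locally, for example `"value": "{{user_uuid}}"` and `"value": "{{token}}"` (variable names are a suggestion, not existing collection variables). That keeps the collection usable as documentation of the required headers without embedding anyone's credential material.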
diff --git a/myems-api/core/user.py b/myems-api/core/user.py
index a51b7e70..35b014fa 100644
--- a/myems-api/core/user.py
+++ b/myems-api/core/user.py
@@ -22,9 +22,51 @@ class UserCollection:
 @staticmethod
 def on_get(req, resp):
- # todo: add access control
+ if 'USER-UUID' not in req.headers or \
+ not isinstance(req.headers['USER-UUID'], str) or \
+ len(str.strip(req.headers['USER-UUID'])) == 0:
+ raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+ description='API.INVALID_USER_UUID')
+ admin_user_uuid = str.strip(req.headers['USER-UUID'])
+
+ if 'TOKEN' not in req.headers or \
+ not isinstance(req.headers['TOKEN'], str) or \
+ len(str.strip(req.headers['TOKEN'])) == 0:
+ raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+ description='API.INVALID_TOKEN')
+ admin_token = str.strip(req.headers['TOKEN'])
+
+ # Check administrator privilege
 cnx = mysql.connector.connect(**config.myems_user_db)
 cursor = cnx.cursor()
+ query = (" SELECT utc_expires "
+ " FROM tbl_sessions "
+ " WHERE user_uuid = %s AND token = %s")
+ cursor.execute(query, (admin_user_uuid, admin_token,))
+ row = cursor.fetchone()
+
+ if row is None:
+ cursor.close()
+ cnx.disconnect()
+ raise falcon.HTTPError(falcon.HTTP_404, title='API.NOT_FOUND',
+ description='API.ADMINISTRATOR_SESSION_NOT_FOUND')
+ else:
+ utc_expires = row[0]
+ if datetime.utcnow() > utc_expires:
+ cursor.close()
+ cnx.disconnect()
+ raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
+ description='API.ADMINISTRATOR_SESSION_TIMEOUT')
+
+ query = (" SELECT name "
+ " FROM tbl_users "
+ " WHERE uuid = %s AND is_admin = true ")
+ cursor.execute(query, (admin_user_uuid,))
+ row = cursor.fetchone()
+ if row is None:
+ cursor.close()
+ cnx.disconnect()
+ raise falcon.HTTPError(falcon.HTTP_400, 'API.BAD_REQUEST', 'API.INVALID_PRIVILEGE')
 query = (" SELECT u.id, u.name, u.display_name, u.uuid, "
 " u.email, u.is_admin, p.id, p.name, "