added access control to rule in api and admin

2021-12-10 17:58:42 +08:00 · 2021-12-10 17:58:42 +08:00 · d3519bf39c
parent 806554923f
commit d3519bf39c
5 changed files with 101 additions and 26 deletions
--- a/admin/app/controllers/fdd/rule/rule.controller.js
+++ b/admin/app/controllers/fdd/rule/rule.controller.js
@ -1,6 +1,14 @@
 'use strict';

-app.controller('RuleController', function($scope, $uibModal, $translate, RuleService, toaster, SweetAlert) {
+app.controller('RuleController', function(
+    $scope,
+    $window,
+    $uibModal,
+    $translate,
+    RuleService,
+    toaster,
+    SweetAlert) {
+    $scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));

 	$scope.initExpression = [{
 		"sample_object_id": 1,
@ -13,7 +21,8 @@ app.controller('RuleController', function($scope, $uibModal, $translate, RuleSer
 	$scope.initMessageTemplate = 'This a sample template. Use %s for substitution. You can use multiple %s s in the template.';

 	$scope.getAllRules = function() {
-		RuleService.getAllRules(function (response) {
+        let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+		RuleService.getAllRules(headers, function (response) {
 			if (angular.isDefined(response.status) && response.status === 200) {
 				$scope.rules = response.data;
 			} else {
@ -40,7 +49,8 @@ app.controller('RuleController', function($scope, $uibModal, $translate, RuleSer
 			}
 		});
 		modalInstance.result.then(function(rule) {
-			RuleService.addRule(rule, function (response) {
+		    let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+			RuleService.addRule(rule, headers, function (response) {
 				if (angular.isDefined(response.status) && response.status === 201) {
 					toaster.pop({
 						type: "success",
@ -79,7 +89,8 @@ app.controller('RuleController', function($scope, $uibModal, $translate, RuleSer
 		});

 		modalInstance.result.then(function(modifiedRule) {
-			RuleService.editRule(modifiedRule, function (response) {
+		    let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+			RuleService.editRule(modifiedRule, headers, function (response) {
 				if (angular.isDefined(response.status) && response.status === 200) {
 					toaster.pop({
 						type: "success",
@ -117,7 +128,8 @@ app.controller('RuleController', function($scope, $uibModal, $translate, RuleSer
 			},
 			function(isConfirm) {
                if (isConfirm) {
-                    RuleService.deleteRule(rule, function (response) {
+                    let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+                    RuleService.deleteRule(rule, headers, function (response) {
                        if (angular.isDefined(response.status) && response.status === 204) {
                            toaster.pop({
                                type: "success",
--- a/admin/app/services/fdd/rule.service.js
+++ b/admin/app/services/fdd/rule.service.js
@ -1,48 +1,48 @@
 'use strict';
 app.factory('RuleService', function($http) {  
    return {  
-        getAllRules:function(callback){
-            $http.get(getAPI()+'rules') 
+        getAllRules:function(headers, callback){
+            $http.get(getAPI()+'rules', {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
                callback(response);
            });
        },
-        searchRules: function(query, callback) {  
-            $http.get(getAPI()+'rules', { params: { q: query } }) 
+        searchRules: function(query, headers, callback) {
+            $http.get(getAPI()+'rules', { params: { q: query } }, {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
                callback(response);
            });
        },
-        addRule: function(rule, callback) {  
-            $http.post(getAPI()+'rules',{data:rule}) 
+        addRule: function(rule, headers, callback) {
+            $http.post(getAPI()+'rules', {data:rule}, {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
                callback(response);
            });
        },
-        editRule: function(rule, callback) {  
-            $http.put(getAPI()+'rules/'+rule.id,{data:rule}) 
+        editRule: function(rule, headers, callback) {
+            $http.put(getAPI()+'rules/'+rule.id,{data:rule}, {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
                callback(response);
            });
        },
-        deleteRule: function(rule, callback) {  
-            $http.delete(getAPI()+'rules/'+rule.id)  
+        deleteRule: function(rule, headers, callback) {
+            $http.delete(getAPI()+'rules/'+rule.id, {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
                callback(response);
            });
        },
-        getRule: function(id, callback) {  
-            $http.get(getAPI()+'rules/'+id)
+        getRule: function(id, headers, callback) {
+            $http.get(getAPI()+'rules/'+id, {headers})
            .then(function (response) {
                callback(response);
            }, function (response) {
--- a/myems-api/MyEMS.postman_collection.json
+++ b/myems-api/MyEMS.postman_collection.json
@ -5100,7 +5100,18 @@
 							"name": "GET All Rules",
 							"request": {
 								"method": "GET",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "2ac29271a9c58218ba88928dd13bccb3662f2b320152cc5ef52f76f2c2450f48c12bad4fbd4c7b03bd35686c70909894e5e3637b67198108f3e403d4a6ca8f55",
+										"type": "text"
+									}
+								],
 								"url": {
 									"raw": "{{base_url}}/rules",
 									"host": [
@ -5117,7 +5128,18 @@
 							"name": "GET a Rule by ID ",
 							"request": {
 								"method": "GET",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "2ac29271a9c58218ba88928dd13bccb3662f2b320152cc5ef52f76f2c2450f48c12bad4fbd4c7b03bd35686c70909894e5e3637b67198108f3e403d4a6ca8f55",
+										"type": "text"
+									}
+								],
 								"url": {
 									"raw": "{{base_url}}/rules/1",
 									"host": [
@ -5135,7 +5157,18 @@
 							"name": "POST Create New Rule",
 							"request": {
 								"method": "POST",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "2ac29271a9c58218ba88928dd13bccb3662f2b320152cc5ef52f76f2c2450f48c12bad4fbd4c7b03bd35686c70909894e5e3637b67198108f3e403d4a6ca8f55",
+										"type": "text"
+									}
+								],
 								"body": {
 									"mode": "raw",
 									"raw": "{\"data\":{\"name\":\"Space Energy Consumption Over Limit\", \"fdd_code\":\"SPACE01\", \"category\":\"SPACE\", \"priority\":\"HIGH\", \"channel\":\"WEB\", \"expression\":\"{\\\"space_id\\\":1, \\\"high_limit\\\":1000.000}\", \"message_template\":\"%s截止到目前电耗%s，超标%s。\", \"is_enabled\":true}}"
@ -5156,19 +5189,30 @@
 							"name": "PUT Update a Rule",
 							"request": {
 								"method": "PUT",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "2ac29271a9c58218ba88928dd13bccb3662f2b320152cc5ef52f76f2c2450f48c12bad4fbd4c7b03bd35686c70909894e5e3637b67198108f3e403d4a6ca8f55",
+										"type": "text"
+									}
+								],
 								"body": {
 									"mode": "raw",
 									"raw": "{\"data\":{\"name\":\"Space Energy Consumption Over Limit\", \"fdd_code\":\"SPACE01\", \"category\":\"SPACE\", \"priority\":\"HIGH\", \"channel\":\"WEB\", \"expression\":\"{\\\"space_id\\\":1, \\\"high_limit\\\":1000.000}\", \"message_template\":\"%s截止到目前电耗%s，超标%s。\", \"is_enabled\":true}}"
 								},
 								"url": {
-									"raw": "{{base_url}}/rules/1",
+									"raw": "{{base_url}}/rules/2",
 									"host": [
 										"{{base_url}}"
 									],
 									"path": [
 										"rules",
-										"1"
+										"2"
 									]
 								}
 							},
@ -5178,7 +5222,18 @@
 							"name": "DELETE a Rule by ID",
 							"request": {
 								"method": "DELETE",
-								"header": [],
+								"header": [
+									{
+										"key": "User-UUID",
+										"value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4",
+										"type": "text"
+									},
+									{
+										"key": "Token",
+										"value": "2ac29271a9c58218ba88928dd13bccb3662f2b320152cc5ef52f76f2c2450f48c12bad4fbd4c7b03bd35686c70909894e5e3637b67198108f3e403d4a6ca8f55",
+										"type": "text"
+									}
+								],
 								"url": {
 									"raw": "{{base_url}}/rules/2",
 									"host": [
--- a/myems-api/README.md
+++ b/myems-api/README.md
@ -1283,11 +1283,11 @@ Result in JSON
 | next_run_datetime | float | null, or the next run datetime string in local timezone |

 ```bash
-curl -i -X GET {{base_url}}/rules/{id}
+curl -i -H "User-UUID: 793f1bb4-6e25-4242-8cdc-2f662b25484f" -H "Token: GET-TOKEN-AFTER-LOGIN" -X GET {{base_url}}/rules/{id}
 ```
 *   GET All Rules
 ```bash
-curl -i -X GET {{base_url}}/rules
+curl -i -H "User-UUID: 793f1bb4-6e25-4242-8cdc-2f662b25484f" -H "Token: GET-TOKEN-AFTER-LOGIN" -X GET {{base_url}}/rules
 ```
 *   DELETE a Rule by ID
 ```bash
--- a/myems-api/core/rule.py
+++ b/myems-api/core/rule.py
@ -19,6 +19,8 @@ class RuleCollection:

    @staticmethod
    def on_get(req, resp):
+        """Handles GET requests"""
+        access_control(req)
        cnx = mysql.connector.connect(**config.myems_fdd_db)
        cursor = cnx.cursor(dictionary=True)

@ -70,6 +72,7 @@ class RuleCollection:
    @user_logger
    def on_post(req, resp):
        """Handles POST requests"""
+        access_control(req)
        try:
            raw_json = req.stream.read().decode('utf-8')
        except Exception as ex:
@ -194,6 +197,8 @@ class RuleItem:

    @staticmethod
    def on_get(req, resp, id_):
+        """Handles GET requests"""
+        access_control(req)
        if not id_.isdigit() or int(id_) <= 0:
            raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
                                   description='API.INVALID_RULE_ID')
@ -245,6 +250,8 @@ class RuleItem:
    @staticmethod
    @user_logger
    def on_delete(req, resp, id_):
+        """Handles DELETE requests"""
+        access_control(req)
        if not id_.isdigit() or int(id_) <= 0:
            raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
                                   description='API.INVALID_RULE_ID')
@ -274,6 +281,7 @@ class RuleItem:
    @user_logger
    def on_put(req, resp, id_):
        """Handles PUT requests"""
+        access_control(req)
        try:
            raw_json = req.stream.read().decode('utf-8')
        except Exception as ex: