seg_yinzy
/
myems
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added access control to actions of user in api

pull/80/head
13621160019@163.com 2021-11-10 18:04:15 +08:00
parent 72484ea920
commit dd279ba548
40 changed files with 114 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
admin/app/controllers/users/user/user.controller.js
View File

@ -46,7 +46,8 @@ app.controller('UserController', function ($scope,
}
});
modalInstance.result.then(function (user) {
UserService.addUser(user, function (response) {
let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
UserService.addUser(user, headers, function (response) {
if (angular.isDefined(response.status) && response.status === 201) {
toaster.pop({
type: "success",
@ -85,7 +86,8 @@ app.controller('UserController', function ($scope,
});
modalInstance.result.then(function (modifiedUser) {
UserService.editUser(modifiedUser, function (response) {
let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
UserService.editUser(modifiedUser, headers, function (response) {
if (angular.isDefined(response.status) && response.status === 200) {
toaster.pop({
type: "success",
@ -123,12 +125,8 @@ app.controller('UserController', function ($scope,
});
modalInstance.result.then(function (modifiedUser) {
let data = {
name: modifiedUser.name,
password: modifiedUser.password };
let data = {name: modifiedUser.name, password: modifiedUser.password };
let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
UserService.resetPassword(data, headers, function (response) {
if (angular.isDefined(response.status) && response.status === 200) {
toaster.pop({
@ -166,7 +164,8 @@ app.controller('UserController', function ($scope,
},
function (isConfirm) {
if (isConfirm) {
UserService.deleteUser(user, function (response) {
let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
UserService.deleteUser(user, headers, function (response) {
if (angular.isDefined(response.status) && response.status === 204) {
toaster.pop({
type: "success",

16
admin/app/services/users/user/user.service.js
View File

@ -17,16 +17,16 @@ app.factory('UserService', function($http) {
callback(response);
});
},
addUser: function(user, callback) {
$http.post(getAPI()+'users',{data:user})
addUser: function(user, headers, callback) {
$http.post(getAPI()+'users', {data:user}, {headers})
.then(function (response) {
callback(response);
}, function (response) {
callback(response);
});
},
editUser: function(user, callback) {
$http.put(getAPI()+'users/'+user.id,{data:user})
editUser: function(user, headers, callback) {
$http.put(getAPI()+'users/'+user.id, {data:user}, {headers})
.then(function (response) {
callback(response);
}, function (response) {
@ -49,16 +49,16 @@ app.factory('UserService', function($http) {
callback(response);
});
},
deleteUser: function(user, callback) {
$http.delete(getAPI()+'users/'+user.id)
deleteUser: function(user, headers, callback) {
$http.delete(getAPI()+'users/'+user.id, {headers})
.then(function (response) {
callback(response);
}, function (response) {
callback(response);
});
},
getUser: function(id, callback) {
$http.get(getAPI()+'users/'+id)
getUser: function(id, headers, callback) {
$http.get(getAPI()+'users/'+id, {headers})
.then(function (response) {
callback(response);
}, function (response) {

2
myems-api/core/combinedequipment.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class CombinedEquipmentCollection:

2
myems-api/core/contact.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import uuid
import re
from core.userlogger import user_logger
from core.useractivity import user_logger
class ContactCollection:

2
myems-api/core/costcenter.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class CostCenterCollection:

2
myems-api/core/costfile.py
View File

@ -5,7 +5,7 @@ import config
import uuid
from datetime import datetime, timezone, timedelta
import os
from core.userlogger import user_logger
from core.useractivity import user_logger
class CostFileCollection:

2
myems-api/core/datasource.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import uuid
from datetime import datetime, timezone, timedelta
from core.userlogger import user_logger
from core.useractivity import user_logger
class DataSourceCollection:

2
myems-api/core/distributioncircuit.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class DistributionCircuitCollection:

2
myems-api/core/distributionsystem.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class DistributionSystemCollection:

2
myems-api/core/emailmessage.py
View File

@ -3,7 +3,7 @@ import json
import mysql.connector
import config
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class EmailMessageCollection:

2
myems-api/core/emailserver.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import base64
import re
from core.userlogger import user_logger
from core.useractivity import user_logger
class EmailServerCollection:

2
myems-api/core/energycategory.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class EnergyCategoryCollection:

2
myems-api/core/energyflowdiagram.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class EnergyFlowDiagramCollection:

2
myems-api/core/energyitem.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class EnergyItemCollection:

2
myems-api/core/equipment.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class EquipmentCollection:

2
myems-api/core/gateway.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import uuid
from datetime import datetime, timezone, timedelta
from core.userlogger import user_logger
from core.useractivity import user_logger
class GatewayCollection:

2
myems-api/core/knowledgefile.py
View File

@ -7,7 +7,7 @@ from datetime import datetime, timezone, timedelta
import os
import base64
import sys
from core.userlogger import user_logger
from core.useractivity import user_logger
class KnowledgeFileCollection:

2
myems-api/core/menu.py
View File

@ -2,7 +2,7 @@ import falcon
import simplejson as json
import mysql.connector
import config
from core.userlogger import user_logger
from core.useractivity import user_logger
class MenuCollection:

2
myems-api/core/meter.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class MeterCollection:

2
myems-api/core/notification.py
View File

@ -3,7 +3,7 @@ import json
import mysql.connector
import config
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class NotificationCollection:

2
myems-api/core/offlinemeter.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class OfflineMeterCollection:

2
myems-api/core/offlinemeterfile.py
View File

@ -5,7 +5,7 @@ import config
import uuid
from datetime import datetime, timezone, timedelta
import os
from core.userlogger import user_logger
from core.useractivity import user_logger
class OfflineMeterFileCollection:

2
myems-api/core/point.py
View File

@ -2,7 +2,7 @@ import falcon
import simplejson as json
import mysql.connector
import config
from core.userlogger import user_logger
from core.useractivity import user_logger
class PointCollection:

2
myems-api/core/privilege.py
View File

@ -2,7 +2,7 @@ import falcon
import simplejson as json
import mysql.connector
import config
from core.userlogger import user_logger
from core.useractivity import user_logger
class PrivilegeCollection:

2
myems-api/core/rule.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import uuid
from datetime import datetime, timezone, timedelta
import config
from core.userlogger import user_logger
from core.useractivity import user_logger
class RuleCollection:

2
myems-api/core/sensor.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class SensorCollection:

2
myems-api/core/shopfloor.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class ShopfloorCollection:

2
myems-api/core/space.py
View File

@ -6,7 +6,7 @@ import uuid
from datetime import datetime
from anytree import AnyNode
from anytree.exporter import JsonExporter
from core.userlogger import user_logger
from core.useractivity import user_logger
class SpaceCollection:

2
myems-api/core/store.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class StoreCollection:

2
myems-api/core/storetype.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class StoreTypeCollection:

2
myems-api/core/tariff.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import uuid
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class TariffCollection:

2
myems-api/core/tenant.py
View File

@ -4,7 +4,7 @@ import mysql.connector
import config
import uuid
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class TenantCollection:

2
myems-api/core/tenanttype.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class TenantTypeCollection:

2
myems-api/core/textmessage.py
View File

@ -3,7 +3,7 @@ import json
import mysql.connector
import config
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class TextMessageCollection:

2
myems-api/core/timezone.py
View File

@ -2,7 +2,7 @@ import falcon
import simplejson as json
import mysql.connector
import config
from core.userlogger import user_logger
from core.useractivity import user_logger
class TimezoneCollection:

53
myems-api/core/user.py
View File

@ -7,7 +7,7 @@ import hashlib
import re
import os
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger, write_log
from core.useractivity import user_logger, write_log, access_control
class UserCollection:
@ -22,52 +22,9 @@ class UserCollection:
@staticmethod
def on_get(req, resp):
if 'USER-UUID' not in req.headers or \
not isinstance(req.headers['USER-UUID'], str) or \
len(str.strip(req.headers['USER-UUID'])) == 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_USER_UUID')
admin_user_uuid = str.strip(req.headers['USER-UUID'])
if 'TOKEN' not in req.headers or \
not isinstance(req.headers['TOKEN'], str) or \
len(str.strip(req.headers['TOKEN'])) == 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_TOKEN')
admin_token = str.strip(req.headers['TOKEN'])
# Check administrator privilege
access_control(req)
cnx = mysql.connector.connect(**config.myems_user_db)
cursor = cnx.cursor()
query = (" SELECT utc_expires "
" FROM tbl_sessions "
" WHERE user_uuid = %s AND token = %s")
cursor.execute(query, (admin_user_uuid, admin_token,))
row = cursor.fetchone()
if row is None:
cursor.close()
cnx.disconnect()
raise falcon.HTTPError(falcon.HTTP_404, title='API.NOT_FOUND',
description='API.ADMINISTRATOR_SESSION_NOT_FOUND')
else:
utc_expires = row[0]
if datetime.utcnow() > utc_expires:
cursor.close()
cnx.disconnect()
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.ADMINISTRATOR_SESSION_TIMEOUT')
query = (" SELECT name "
" FROM tbl_users "
" WHERE uuid = %s AND is_admin = true ")
cursor.execute(query, (admin_user_uuid,))
row = cursor.fetchone()
if row is None:
cursor.close()
cnx.disconnect()
raise falcon.HTTPError(falcon.HTTP_400, 'API.BAD_REQUEST', 'API.INVALID_PRIVILEGE')
query = (" SELECT u.id, u.name, u.display_name, u.uuid, "
" u.email, u.is_admin, p.id, p.name, "
" u.account_expiration_datetime_utc, u.password_expiration_datetime_utc "
@ -110,7 +67,7 @@ class UserCollection:
@staticmethod
def on_post(req, resp):
"""Handles POST requests"""
# todo: add access control
access_control(req)
# todo: add user log
try:
raw_json = req.stream.read().decode('utf-8')
@ -246,7 +203,7 @@ class UserItem:
@staticmethod
def on_get(req, resp, id_):
# todo: add access control
access_control(req)
if not id_.isdigit() or int(id_) <= 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_USER_ID')
@ -291,6 +248,7 @@ class UserItem:
@staticmethod
@user_logger
def on_delete(req, resp, id_):
access_control(req)
if not id_.isdigit() or int(id_) <= 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_USER_ID')
@ -320,6 +278,7 @@ class UserItem:
@user_logger
def on_put(req, resp, id_):
"""Handles PUT requests"""
access_control(req)
try:
raw_json = req.stream.read().decode('utf-8')
except Exception as ex:

57
myems-api/core/userlogger.py → myems-api/core/useractivity.py
View File

@ -9,6 +9,58 @@ import simplejson as json
import falcon
def access_control(req):
"""
Check administrator privilege in request headers to protect resources from invalid access
:param req: HTTP request
:return: HTTPError if invalid else None
"""
if 'USER-UUID' not in req.headers or \
not isinstance(req.headers['USER-UUID'], str) or \
len(str.strip(req.headers['USER-UUID'])) == 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_USER_UUID')
admin_user_uuid = str.strip(req.headers['USER-UUID'])
if 'TOKEN' not in req.headers or \
not isinstance(req.headers['TOKEN'], str) or \
len(str.strip(req.headers['TOKEN'])) == 0:
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.INVALID_TOKEN')
admin_token = str.strip(req.headers['TOKEN'])
# Check administrator privilege
cnx = mysql.connector.connect(**config.myems_user_db)
cursor = cnx.cursor()
query = (" SELECT utc_expires "
" FROM tbl_sessions "
" WHERE user_uuid = %s AND token = %s")
cursor.execute(query, (admin_user_uuid, admin_token,))
row = cursor.fetchone()
if row is None:
cursor.close()
cnx.disconnect()
raise falcon.HTTPError(falcon.HTTP_404, title='API.NOT_FOUND',
description='API.ADMINISTRATOR_SESSION_NOT_FOUND')
else:
utc_expires = row[0]
if datetime.utcnow() > utc_expires:
cursor.close()
cnx.disconnect()
raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST',
description='API.ADMINISTRATOR_SESSION_TIMEOUT')
query = (" SELECT name "
" FROM tbl_users "
" WHERE uuid = %s AND is_admin = true ")
cursor.execute(query, (admin_user_uuid,))
row = cursor.fetchone()
cursor.close()
cnx.disconnect()
if row is None:
raise falcon.HTTPError(falcon.HTTP_400, 'API.BAD_REQUEST', 'API.INVALID_PRIVILEGE')
def write_log(user_uuid, request_method, resource_type, resource_id, request_body):
"""
:param user_uuid: user_uuid
@ -43,6 +95,11 @@ def write_log(user_uuid, request_method, resource_type, resource_id, request_bod
def user_logger(func):
"""
Decorator for logging user activities
:param func: the decorated function
:return: the decorator
"""
@wraps(func)
def logger(*args, **kwargs):
qualified_name = func.__qualname__

2
myems-api/core/virtualmeter.py
View File

@ -3,7 +3,7 @@ import simplejson as json
import mysql.connector
import config
import uuid
from core.userlogger import user_logger
from core.useractivity import user_logger
class VirtualMeterCollection:

2
myems-api/core/webmessage.py
View File

@ -3,7 +3,7 @@ import json
import mysql.connector
import config
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class WebMessageCollection:

2
myems-api/core/wechatmessage.py
View File

@ -3,7 +3,7 @@ import json
import mysql.connector
import config
from datetime import datetime, timedelta, timezone
from core.userlogger import user_logger
from core.useractivity import user_logger
class WechatMessageCollection(object):