permissions 1.1 and hash_password issue solve
This commit is contained in:
@@ -5,7 +5,7 @@ from fastapi.security import OAuth2PasswordRequestForm
|
||||
|
||||
from pydantic import EmailStr
|
||||
|
||||
from . import pydentic, JWT, password
|
||||
from . import pydentic, JWT, password, permissions
|
||||
from server.database import db
|
||||
|
||||
from datetime import datetime, timedelta
|
||||
@@ -32,13 +32,13 @@ async def protected(current_user: str = Depends(JWT.current_user)):
|
||||
return {"msg": f"Hello, {current_user}"}
|
||||
|
||||
@api.get("/", response_model=list[pydentic.UserOut]) #список!
|
||||
async def get_all_rows(current_user: str = Depends(JWT.current_user)):
|
||||
async def get_all_rows(current_user: str = Depends(JWT.current_user), user=Depends(permissions.check_permission("is_admin"))):
|
||||
users = await db.get_all_rows()
|
||||
if not users:
|
||||
raise HTTPException(status_code=401, detail="The user isn't found")
|
||||
return users
|
||||
@api.get("/get_user_by_email/{email}", response_model=pydentic.UserOut)
|
||||
async def get_user_by_email(email:str, current_user: str = Depends(JWT.current_user)):
|
||||
async def get_user_by_email(email:str, current_user: str = Depends(JWT.current_user), user=Depends(permissions.check_permission("can_view"))):
|
||||
user = await db.get_user_by_email(email)
|
||||
if user:
|
||||
return user
|
||||
@@ -54,41 +54,45 @@ async def create_user(row:pydentic.CreateUser):
|
||||
user = await db.get_user_by_email(row.email)
|
||||
return user
|
||||
@api.delete("/user_delete/{email}", response_model=pydentic.UserOut)
|
||||
async def delete_user(email:str,current_user: str = Depends(JWT.current_user)):
|
||||
async def delete_user(email:str,current_user: str = Depends(JWT.current_user), user = Depends(permissions.check_permission("can_delete"))):
|
||||
user = await db.get_user_by_email(email)
|
||||
if not user:
|
||||
raise HTTPException(status_code=401, detail="The user isn't found")
|
||||
await db.delete_user(email)
|
||||
return user
|
||||
@api.put("/user_update/{email}", response_model=pydentic.UserOut)
|
||||
async def update_user(email:str, updated_row: pydentic.UserUpdate, current_user: str = Depends(JWT.current_user)):
|
||||
user = await db.get_user_by_email(email)
|
||||
perm = user.permissions[0]
|
||||
async def update_user(email:str, updated_row: pydentic.UserUpdate, current_user: str = Depends(JWT.current_user), user = Depends(permissions.check_permission("can_edit"))):
|
||||
user = await db.get_user_by_email(email) #user из бд, которого запросили
|
||||
perm = user.permissions[0] #права по запрошенному user
|
||||
current = await db.get_user_by_email(current_user) #user из бд по jwt
|
||||
current_perms = current.permissions[0] #Права по jwt
|
||||
|
||||
|
||||
if not user:
|
||||
raise HTTPException(status_code=401, detail="The user isn't found")
|
||||
changed = False
|
||||
if updated_row.email is not None and updated_row.email != user.email:
|
||||
user.email = updated_row.email
|
||||
changed = True
|
||||
if updated_row.description is not None and updated_row.description != user.description:
|
||||
user.description = updated_row.description
|
||||
changed = True
|
||||
if updated_row.activated is not None and updated_row.activated != user.activated:
|
||||
user.activated = updated_row.activated
|
||||
changed = True
|
||||
if updated_row.password is not None and updated_row.password != user.password:
|
||||
user.password = updated_row.password
|
||||
changed = True
|
||||
if updated_row.can_edit is not None and updated_row.can_edit != perm.can_edit:
|
||||
perm.can_edit = updated_row.can_edit
|
||||
changed = True
|
||||
if updated_row.can_delete is not None and updated_row.can_delete != perm.can_delete:
|
||||
perm.can_delete = updated_row.can_delete
|
||||
changed = True
|
||||
#изменение только определенных колонок
|
||||
updatable_fields = ["email", "description", "activated"]
|
||||
for field in updatable_fields:
|
||||
new_value = getattr(updated_row, field)
|
||||
if new_value is not None and new_value != getattr(user, field):
|
||||
setattr(user, field, new_value)
|
||||
changed = True
|
||||
# пароль
|
||||
if updated_row.password:
|
||||
if not verify_password(updated_row.password, user.password):
|
||||
user.password = updated_row.password
|
||||
changed = True
|
||||
# права (только для админа)
|
||||
if current_perms.is_admin:
|
||||
perm_fields = ["can_edit", "can_delete", "can_view", "is_admin"]
|
||||
for field in perm_fields:
|
||||
new_value = getattr(updated_row, field)
|
||||
if new_value is not None and new_value != getattr(perm, field):
|
||||
setattr(perm, field, new_value)
|
||||
changed = True
|
||||
if changed:
|
||||
user = await db.update_user(user_info=user, perm_info=perm)
|
||||
else:
|
||||
pass
|
||||
return user
|
||||
@api.post("/login")
|
||||
async def login_user(form_data: OAuth2PasswordRequestForm = Depends()):
|
||||
@@ -114,4 +118,9 @@ async def reset_user(row:pydentic.UserReset):
|
||||
password.send_password(new_row)
|
||||
user = await db.reset_user(new_row)
|
||||
return user
|
||||
|
||||
@api.get("/admin/{email}")
|
||||
async def admin_stuff(
|
||||
email: str,
|
||||
user = Depends(permissions.check_permission("can_delete"))
|
||||
):
|
||||
return {"msg": f"Добро пожаловать, {user.email}"}
|
||||
30
server/backend/permissions.py
Normal file
30
server/backend/permissions.py
Normal file
@@ -0,0 +1,30 @@
|
||||
from fastapi import Depends, HTTPException, status, Path, Request
|
||||
from . import JWT
|
||||
from server.database import db
|
||||
|
||||
def check_permission(required: str):
|
||||
async def wrapper(
|
||||
request: Request,
|
||||
current_user = Depends(JWT.current_user),
|
||||
):
|
||||
requested_email = request.path_params.get("email")
|
||||
user = await db.get_user_by_email(current_user)
|
||||
perms = user.permissions[0]
|
||||
# если админ → разрешено всегда
|
||||
if perms.is_admin:
|
||||
return user
|
||||
# проверяем, что у пользователя есть нужное право
|
||||
if not getattr(perms, required, False):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail=f"You don't have a permission"
|
||||
)
|
||||
# проверяем, что работает только со своим email
|
||||
if current_user.lower() != requested_email.lower():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail=f"You can only do this with your own account"
|
||||
)
|
||||
|
||||
return user
|
||||
return wrapper
|
||||
@@ -34,6 +34,7 @@ class UserUpdate(BaseModel):
|
||||
password:Optional[constr(min_length=8)] = Field(None, description="Password with min 8 chars, letters and digits")
|
||||
can_edit:Optional[bool] = Field(None, description="The user can edit something")
|
||||
can_delete:Optional[bool] = Field(None, description="The user can delete something")
|
||||
can_view:Optional[bool]=Field(None, descriptiopn="The user can view something")
|
||||
@validator('password')
|
||||
def password_validator(cls, password):
|
||||
return check_password_complexity(cls, password)
|
||||
|
||||
Reference in New Issue
Block a user