mirror/peeringdb-peeringdb
1
0
Fork 0
mirror of https://github.com/peeringdb/peeringdb.git synced 2024-05-11 05:55:09 +00:00
Code Releases Activity
Files
b07baf3092df9fcd334ee4d9f586011911ecd458
peeringdb-peeringdb/peeringdb_server/org_admin_views.py
Matt Griswold b07baf3092 Support 202011 (#917) 
* install django-grainy

* nsp to grainy first iteration

* Fix validation error message overflow

* Add migration, update views.py and template to add help_text to UI

* nsp to grainy second iteration

* grainy and django-grainy pinned to latest releases

* deskpro ticket cc (#875)

* black formatting

* move ac link to bottom for ticket body

* Fix typo

* Update djangorestframework, peeringdb, django-ratelimit

* Rewrite login view ratelimit decorator

* Relock pipfile

* add list() to make copy of dictionaries before iterating

* respect ix-f url visibilty in ix-f conflict emails

* Add type coercion to settings taken from environment variables

* Add bool handling

* relock pipfile with python3.9
change docker to use python3.9

* Check bool via isinstance

* add ordering to admin search queryset for deskproticket and email

* update settings with envvar_type option

* Add tooltips to add ix and add exchange views (in org)

* Add tooltip to suggest fac view

* get phone information in view

* add missing migration

* add migration and make org a geo model

* Wire normalization to put/create requests for Facility

* Update admin with new address fields

* Refactor serializer using mixin

* Add floor and suite to address API

* Write command to geonormalize existing entries

* Remove unnecessary method from model

* Add floor and suite to views

* Add ignore geo status

* Force refresh for fac and org updates

* adjust frontend typo

* add checking if update needs geosync

* redo error handling for geosync

* remove save keyword from geonormalize command script

* change raw_id_fields

* alternate autocomplete lookup field depending on where inline is called

* remove unnecessary error handling

* Add  csv option

* Fix bug
 with None vs empty string

* add regex parsing for suite and floor conversion

* Add migration that removes geo error as a field

* add geostatus update to command

* Ignore suite floor and address2 changes for api normalization

* update geomodel by removing geo_error

* Black models.py

* Black serializers.py

* remove geocode error from admin

* Add function for reversing pretty speed

* add conversion to export method

* fix typo

* fix speed value feedback after submit

* remove conditional

* Add error handling to create endpoint

* Refine floor and suite parsing regex

* Add geocoding tests

* Add json for tests

* IX-F Importer: Bogus output of "Preview" tool #896

* remove cruft

* black formatting

* IX-F Importer: history of changes per ixlan & netixlan #893

* 6 add geocode to org view

* 4 update geocode without refresh

* Update error display

* Fix bug with formatting translated string

* Add DateTimeFields to model

* Add update signals

* add last updated fields to views and serializers

* Add last updated model migration

* Add the data migration for last updated fields

* add test that tests a normal org user with create org permissions

* grainy to 1.7
django grainy to 1.9.1

* Fix formatting issues

* Adjust var names

* Refactor signals

* Temporary: save override from network model

* Empty vlan lists no longer cause error

* typo in ixf.py

* typo in admin

* Typos in model verbose names

* Add serializer IXLAN validation for ixf_ixp_import_enabled

* Add model validation to IXLan

* relock pipfile

* relock pipfile

* begin signal test file

* Remove full clean from save in ixlan

* use post_reversion_commit signal instead

* remove redundant save override

* remove cruft / debug code

* Add signal tests

* exclude organizations with city missing from commandline geosync

* Skip geosync if the only address information we have is a country

* initial commit for vlan matcher in importer

* Add more tests and remove unused imports

* update tests

* Actually add vlan matching to importer

* Add type checking for speed list and state

* Change how we register connection.state

* add bootstrap options

* add rdap cache command

* remove outdated perm docs

* rdap from master and relock

* propagate rdap settings to peeringdb.settings

* add loaddata for initial fixtures

* user friendly error message on RdapNotFound errors (#497)

* update rdap errors

* django-peeringdb to 2.5.0 and relock

* rdap to 1.2.0 and relock

* fix migration hierarchy

* add ignore_recurse_errors option

* add missing fields to mock
remove cruft missed during merge

* rdap to 1.2.1

* dont geo validate during api tests

* fix tests

* Add test file

* fix merge

* RDAP_SELF_BOOTSTRAP to False while running tests

* black formatted

* run black

* add github actions

* add runs on

Co-authored-by: Stefan Pratter <stefan@20c.com>
Co-authored-by: Elliot Frank <elliot@20c.com>
2021-01-13 14:35:07 -06:00

538 lines
15 KiB
Python
Raw Blame History

"""
Views for organization administrative actions
"""
from django.contrib.auth.decorators import login_required
from django.views.decorators.csrf import csrf_protect
from django.http import JsonResponse
from django.template import loader
from django.conf import settings
from .forms import OrgAdminUserPermissionForm
from grainy.const import *
from django_grainy.models import UserPermission
from django_namespace_perms.constants import *
from django_handleref.models import HandleRefModel
from django.utils.translation import ugettext_lazy as _
from django.utils.translation import override
from peeringdb_server.util import check_permissions
from peeringdb_server.models import (
User,
Organization,
Network,
NetworkContact,
InternetExchange,
Facility,
UserOrgAffiliationRequest,
)
def save_user_permissions(org, user, perms):
"""
Save user permissions for the specified org and user
perms should be a dict of permissioning ids and permission levels
"""
# wipe all the user's perms for the targeted org
user.grainy_permissions.filter(namespace__startswith=org.grainy_namespace).delete()
# collect permissioning namespaces from the provided permissioning ids
grainy_perms = {}
for id, permissions in list(perms.items()):
if not permissions & PERM_READ:
permissions = permissions | PERM_READ
if id == "org.%d" % org.id:
grainy_perms[org.grainy_namespace] = permissions
grainy_perms[
f"{org.grainy_namespace}.network.*.poc_set.private"
] = permissions
elif id == "net":
grainy_perms[f"{org.grainy_namespace}.network"] = permissions
grainy_perms[
f"{org.grainy_namespace}.network.*.poc_set.private"
] = permissions
elif id == "ix":
grainy_perms[f"{org.grainy_namespace}.internetexchange"] = permissions
elif id == "fac":
grainy_perms[f"{org.grainy_namespace}.facility"] = permissions
elif id.find(".") > -1:
id = id.split(".")
if id[0] == "net":
grainy_perms[f"{org.grainy_namespace}.network.{id[1]}"] = permissions
grainy_perms[
f"{org.grainy_namespace}.network.{id[1]}.poc_set.private"
] = permissions
elif id[0] == "ix":
grainy_perms[
f"{org.grainy_namespace}.internetexchange.{id[1]}"
] = permissions
elif id[0] == "fac":
grainy_perms[f"{org.grainy_namespace}.facility.{id[1]}"] = permissions
# save
for ns, p in list(grainy_perms.items()):
UserPermission.objects.create(namespace=ns, permission=p, user=user)
return grainy_perms
def load_all_user_permissions(org):
"""
Returns dict of all users with all their permissions for
the given org
"""
rv = {}
for user in org.usergroup.user_set.all():
uperms, perms = load_user_permissions(org, user)
rv[user.id] = {
"id": user.id,
"perms": perms,
"name": f"{user.full_name} <{user.email}> {user.username}",
}
return rv
def load_user_permissions(org, user):
"""
Returns user's permissions for the specified org
"""
# load all of the user's permissions related to this org
uperms = {
p.namespace: p.permission
for p in user.grainy_permissions.filter(
namespace__startswith=org.grainy_namespace
)
}
perms = {}
extract_permission_id(uperms, perms, org, org)
# extract user's permissioning ids from grainy_namespaces targeting
# organization's entities
for model in [Network, InternetExchange, Facility]:
extract_permission_id(uperms, perms, model, org)
# extract user's permissioning ids from grainy_namespaces targeting
# organization's entities by their id (eg user has perms only
# to THAT specific network)
for net in org.net_set_active:
extract_permission_id(uperms, perms, net, org)
for net in org.ix_set_active:
extract_permission_id(uperms, perms, net, org)
for net in org.fac_set_active:
extract_permission_id(uperms, perms, net, org)
return uperms, perms
def permission_ids(org):
"""
returns a dict of a valid permissioning ids for
the specified organization
"""
perms = {
"org.%d" % org.id: _("Organization and all Entities it owns"),
"net": _("Any Network"),
"fac": _("Any Facility"),
"ix": _("Any Exchange"),
}
perms.update(
{
"net.%d" % net.id: _("Network - %(net_name)s") % {"net_name": net.name}
for net in org.net_set_active
}
)
perms.update(
{
"ix.%d" % ix.id: _("Exchange - %(ix_name)s") % {"ix_name": ix.name}
for ix in org.ix_set_active
}
)
perms.update(
{
"fac.%d" % fac.id: _("Facility - %(fac_name)s") % {"fac_name": fac.name}
for fac in org.fac_set_active
}
)
return perms
def extract_permission_id(source, dest, entity, org):
"""
extract a user's permissioning id for the specified
entity from source <dict> and store it in dest <dict>
source should be a dict containing django-namespace-perms
(namespace, level) items
dest should be a dict where permission ids are to be
exracted to
entity can either be a HandleRef instance or clas
org needs to be an Organization instance that owns the
entity
"""
if isinstance(entity, HandleRefModel):
# instance
k = entity.grainy_namespace
j = "%s.%d" % (entity.ref_tag, entity.id)
else:
# class
j = entity.handleref.tag
namespace = entity.Grainy.namespace()
k = f"{org.grainy_namespace}.{namespace}"
if k in source:
dest[j] = source[k]
def org_admin_required(fnc):
"""
Decorator function that ensures that the requesting user
has administrative rights to the targeted organization
Also sets "org" in kwargs
"""
def callback(request, **kwargs):
org_id = request.POST.get("org_id", request.GET.get("org_id"))
if not org_id:
return JsonResponse({}, status=400)
try:
org = Organization.objects.get(id=org_id)
if not check_permissions(request.user, org.grainy_namespace_manage, "u"):
return JsonResponse({}, status=403)
kwargs["org"] = org
return fnc(request, **kwargs)
except Organization.DoesNotExist:
return JsonResponse(
{"non_field_errors": [_("Invalid organization specified")]}, status=400
)
return callback
def target_user_validate(fnc):
"""
Decorator function that ensures that the targeted user
is a member of the targeted organization
Should be below org_admin_required
Also sets "user" in kwargs
"""
def callback(request, **kwargs):
user_id = request.POST.get("user_id", request.GET.get("user_id"))
org = kwargs.get("org")
if not user_id:
return JsonResponse({}, status=400)
try:
user = User.objects.get(id=user_id)
except User.DoesNotExist:
return JsonResponse({}, status=400)
if not user.is_org_member(org) and not user.is_org_admin(org):
return JsonResponse({}, status=403)
kwargs["user"] = user
return fnc(request, **kwargs)
return callback
@login_required
@org_admin_required
def users(request, **kwargs):
"""
Returns JsonResponse with a list of all users in the specified org
"""
org = kwargs.get("org")
rv = {
"users": [
{
"id": user.id,
"name": f"{user.full_name} <{user.email}, {user.username}>",
}
for user in org.usergroup.user_set.all()
]
}
rv.update({"status": "ok"})
return JsonResponse(rv)
@login_required
@org_admin_required
@target_user_validate
def manage_user_delete(request, **kwargs):
"""
remove user from org
"""
org = kwargs.get("org")
user = kwargs.get("user")
save_user_permissions(org, user, {})
org.usergroup.user_set.remove(user)
org.admin_usergroup.user_set.remove(user)
return JsonResponse({"status": "ok"})
@login_required
@org_admin_required
@target_user_validate
def manage_user_update(request, **kwargs):
"""
udpate a user in the org
right now this only allows for moving the user either
to admin or member group
"""
org = kwargs.get("org")
user = kwargs.get("user")
group = request.POST.get("group")
if group not in ["member", "admin"]:
return JsonResponse({"group": _("Needs to be member or admin")}, status=400)
if group == "admin":
org.usergroup.user_set.remove(user)
org.admin_usergroup.user_set.add(user)
elif group == "member":
org.usergroup.user_set.add(user)
org.admin_usergroup.user_set.remove(user)
return JsonResponse({"status": "ok"})
@login_required
@org_admin_required
def user_permissions(request, **kwargs):
"""
Returns JsonRespone with list of user's permissions for the targeted
org an entities under it
Permisions are returned as a dict of permissioning ids and permission
levels.
Permissioning ids serve as a wrapper for actual permissioning namespaces
so we can expose them to the organization admins for changes without allowing
them to set permissioning namespaces directly.
"""
org = kwargs.get("org")
perms_rv = {}
for user in org.usergroup.user_set.all():
uperms, perms = load_user_permissions(org, user)
perms_rv[user.id] = perms
return JsonResponse({"status": "ok", "user_permissions": perms_rv})
@login_required
@csrf_protect
@org_admin_required
@target_user_validate
def user_permission_update(request, **kwargs):
"""
Update/Add a user's permission
perms = permission level
entity = permission id
"""
org = kwargs.get("org")
user = kwargs.get("user")
uperms, perms = load_user_permissions(org, user)
form = OrgAdminUserPermissionForm(request.POST)
if not form.is_valid():
return JsonResponse(form.errors, status=400)
level = form.cleaned_data.get("perms")
entity = form.cleaned_data.get("entity")
perms[entity] = level
save_user_permissions(org, user, perms)
return JsonResponse({"status": "ok"})
@login_required
@csrf_protect
@org_admin_required
@target_user_validate
def user_permission_remove(request, **kwargs):
"""
Remove a user's permission
entity = permission id
"""
org = kwargs.get("org")
user = kwargs.get("user")
entity = request.POST.get("entity")
uperms, perms = load_user_permissions(org, user)
if entity in perms:
del perms[entity]
save_user_permissions(org, user, perms)
return JsonResponse({"status": "ok"})
@login_required
@org_admin_required
def permissions(request, **kwargs):
"""
Returns list of permissioning ids with labels that
are valid to be permissioned out to regular org users
Permissioning ids serve as a wrapper for actual permissioning namespaces
so we can expose them to the organization admins for changes without allowing
them to set permissioning namespaces directly.
"""
org = kwargs.get("org")
perms = [{"id": id, "name": name} for id, name in list(permission_ids(org).items())]
perms = sorted(perms, key=lambda x: x.get("name"))
return JsonResponse({"status": "ok", "permissions": perms})
@login_required
@csrf_protect
@org_admin_required
def uoar_approve(request, **kwargs):
"""
Approve a user request to affiliate with the organization
"""
org = kwargs.get("org")
try:
uoar = UserOrgAffiliationRequest.objects.get(id=request.POST.get("id"))
if uoar.org != org:
return JsonResponse({}, status=403)
try:
user = uoar.user
except User.DoesNotExist:
uoar.delete()
return JsonResponse({"status": "ok"})
uoar.approve()
# notify rest of org admins that the affiliation request has been
# approved
for admin_user in org.admin_usergroup.user_set.all():
if admin_user != request.user:
with override(admin_user.locale):
admin_user.email_user(
_("%(user_name)s's affiliation request has been approved")
% {"user_name": uoar.user.full_name},
loader.get_template(
"email/notify-org-admin-user-affil-approved.txt"
).render(
{
"user": request.user,
"uoar": uoar,
"org_management_url": "%s/org/%d#users"
% (settings.BASE_URL, org.id),
}
),
)
return JsonResponse(
{
"status": "ok",
"full_name": user.full_name,
"id": user.id,
"email": user.email,
}
)
except UserOrgAffiliationRequest.DoesNotExist:
return JsonResponse({"status": "ok"})
return JsonResponse({"status": "ok"})
@login_required
@csrf_protect
@org_admin_required
def uoar_deny(request, **kwargs):
"""
Approve a user request to affiliate with the organization
"""
org = kwargs.get("org")
try:
uoar = UserOrgAffiliationRequest.objects.get(id=request.POST.get("id"))
if uoar.org != org:
return JsonResponse({}, status=403)
try:
user = uoar.user
uoar.deny()
except User.DoesNotExist:
uoar.delete()
return JsonResponse({"status": "ok"})
# notify rest of org admins that the affiliation request has been
# approved
for user in org.admin_usergroup.user_set.all():
if user != request.user:
with override(user.locale):
user.email_user(
_("%(user_name)s's affiliation request has been denied")
% {"user_name": uoar.user.full_name},
loader.get_template(
"email/notify-org-admin-user-affil-denied.txt"
).render(
{
"user": request.user,
"uoar": uoar,
"org_management_url": "%s/org/%d#users"
% (settings.BASE_URL, org.id),
}
),
)
except UserOrgAffiliationRequest.DoesNotExist:
return JsonResponse({"status": "ok"})
return JsonResponse({"status": "ok"})
View Git Blame Copy Permalink