Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

User allow/prevent calendar modification by non admin user #375

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

User allow/prevent calendar modification by non admin user #375

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5de179b
first commit
Bbillyben Apr 25, 2022
bdd154b
Update __init__.py
Bbillyben Apr 25, 2022
393d855
Update config.yaml
Bbillyben Apr 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions configs/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,9 @@ slack_instance: foobar
# APIs without authentication
require_auth: False

# Setting to determine whether the autheticated user can modify calendar entries.
auth_user_cal_mod: False

###########################
### Oncall bonus management
###########################
Expand Down
11 changes: 9 additions & 2 deletions src/oncall/api/v0/event.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@
from ujson import dumps as json_dumps
from falcon import HTTPNotFound, HTTPBadRequest, HTTPUnauthorized

from ...auth import login_required, check_calendar_auth, check_team_auth
from ...auth import login_required, check_calendar_auth, check_team_auth, check_user_auth_event
from ... import db, constants
from ...utils import (
load_json_body, user_in_team_by_name, create_notification, create_audit
)
from ...constants import EVENT_DELETED, EVENT_EDITED
from ...constants import EVENT_DELETED, EVENT_EDITED, AUTH_USER_CAL_MOD

from .events import columns, all_columns

Expand Down Expand Up @@ -99,6 +99,8 @@ def on_put(req, resp, event_id):

"""
data = load_json_body(req)
if not AUTH_USER_CAL_MOD:
check_user_auth_event(event_id, req)

if 'end' in data and 'start' in data and data['start'] >= data['end']:
raise HTTPBadRequest('Invalid event update', 'Event must start before it ends')
Expand Down Expand Up @@ -190,6 +192,11 @@ def on_delete(req, resp, event_id):
:statuscode 403: Delete not allowed; logged in user is not a team member
:statuscode 404: Event not found
"""

if not AUTH_USER_CAL_MOD:
check_user_auth_event(event_id, req)


connection = db.connect()
cursor = connection.cursor(db.DictCursor)

Expand Down
9 changes: 5 additions & 4 deletions src/oncall/api/v0/events.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@
import time
from falcon import HTTP_201, HTTPError, HTTPBadRequest
from ujson import dumps as json_dumps
from ...auth import login_required, check_calendar_auth
from ...auth import login_required, check_calendar_auth, check_team_auth
from ... import db, constants
from ...utils import (
load_json_body, user_in_team_by_name, create_notification, create_audit
)
from ...constants import EVENT_CREATED
from ...constants import EVENT_CREATED, AUTH_USER_CAL_MOD

columns = {
'id': '`event`.`id` as `id`',
Expand Down Expand Up @@ -204,7 +204,6 @@ def on_get(req, resp):
connection.close()
resp.body = json_dumps(data)


@login_required
def on_post(req, resp):
"""
Expand Down Expand Up @@ -255,7 +254,9 @@ def on_post(req, resp):
if data['start'] >= data['end']:
raise HTTPBadRequest('Invalid event', 'Event must start before it ends')
check_calendar_auth(data['team'], req)

global AUTH_USER_CAL_MOD
if not AUTH_USER_CAL_MOD:
check_team_auth(data['team'], req)
columns = ['`start`', '`end`', '`user_id`', '`team_id`', '`role_id`']
values = ['%(start)s', '%(end)s',
'(SELECT `id` FROM `user` WHERE `name`=%(user)s)',
Expand Down
21 changes: 21 additions & 0 deletions src/oncall/auth/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,27 @@ def is_god(challenger):
def check_ical_key_admin(challenger):
return is_god(challenger)

def check_user_auth_event(eventId, req):
"""
Check if the event Id is on a team where user is admin
"""
if 'app' in req.context:
return
challenger = req.context['user']
connection = db.connect()
cursor = connection.cursor()
get_allowed_query = '''SELECT DISTINCT(event.id )
from event JOIN team on team.id = event.team_id
JOIN team_admin on team.id = team_admin.team_id
JOIN user on team_admin.user_id = user.id
WHERE event.id = %s and user.name = %s'''
cursor.execute(get_allowed_query, (eventId, challenger))
user_in_query = cursor.rowcount
cursor.close()
connection.close()
if user_in_query != 0 or is_god(challenger):
return
raise HTTPForbidden('Unauthorized', 'Action not allowed for "%s"' % challenger)

def check_user_auth(user, req):
"""
Expand Down
3 changes: 3 additions & 0 deletions src/oncall/constants.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,18 @@

SUPPORTED_TIMEZONES = None

AUTH_USER_CAL_MOD = None

def init(config):
global DEFAULT_ROLES
global DEFAULT_MODES
global DEFAULT_TIMES
global SUPPORTED_TIMEZONES
global GRACE_PERIOD
global AUTH_USER_CAL_MOD
DEFAULT_ROLES = config['notifications']['default_roles']
DEFAULT_MODES = config['notifications']['default_modes']
DEFAULT_TIMES = config['notifications']['default_times']
SUPPORTED_TIMEZONES = config['supported_timezones']
GRACE_PERIOD = config.get('grace_period', 86400)
AUTH_USER_CAL_MOD = config.get('auth_user_cal_mod')