From 9def4143397d60a72ceecbb862966b577a42ed29 Mon Sep 17 00:00:00 2001 From: Holger Frey Date: Thu, 19 Oct 2017 12:11:45 +0200 Subject: [PATCH] added resources for tokens --- ordr2/resources/account.py | 75 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 4 deletions(-) diff --git a/ordr2/resources/account.py b/ordr2/resources/account.py index 62a09b5..c6f96fc 100644 --- a/ordr2/resources/account.py +++ b/ordr2/resources/account.py @@ -1,22 +1,67 @@ ''' Resources for account registraion and settings ''' - +from datetime import datetime from pyramid.security import Allow, Authenticated, Everyone, Deny, DENY_ALL +from ordr2.models.account import Token, TokenSubject from ordr2.resources.base import BaseResource +class RegistrationToken(BaseResource): + ''' representing :class:`ordr2.models.account.Token` for registration ''' + + def __acl__(self): + ''' access controll list for the resource ''' + return [ + (Deny, Authenticated, 'register'), + (Allow, Everyone, 'register'), + DENY_ALL + ] + + +class EmailVerificationToken(BaseResource): + ''' representing :class:`ordr2.models.account.Token` for email change ''' + + def __acl__(self): + ''' access controll list for the resource + + a logged in user might only access his own tokens + ''' + # self.model is a :class:`ordr2.models.account.Token` instance + return [ + (Allow, self.model.user.principal, 'settings'), + DENY_ALL + ] + + +class ForgottenPasswordToken(BaseResource): + ''' representing :class:`ordr2.models.account.Token` for password reset ''' + + def __acl__(self): + ''' access controll list for the resource ''' + return [ + (Allow, Everyone, 'reset password'), + DENY_ALL + ] + + class AccountResource(BaseResource): ''' Resouce class for account registration and settings ''' #: name of the main navigation section for template highlighting nav_section = 'account' + #: mapping token subjects to token resouce classes + token_resources = { + TokenSubject.USER_REGISTRATION: RegistrationToken, + TokenSubject.CHANGE_EMAIL: EmailVerificationToken, + TokenSubject.RESET_PASSWORD: ForgottenPasswordToken + } + def __init__(self, name, parent, model=None): ''' Create a base resource ''' - super().__init__(name, parent) - # the current model depends is the current logged in user or None - self.model = self.request.user + # the current model is the current logged in user or None + super().__init__(name, parent, self.request.user) def __acl__(self): ''' access controll list for the resource @@ -31,6 +76,28 @@ class AccountResource(BaseResource): (Allow, Everyone, 'logout'), (Deny, Authenticated, 'register'), (Allow, Everyone, 'register'), + (Allow, Everyone, 'reset password'), (Allow, Authenticated, 'settings'), DENY_ALL ] + + def __getitem__(self, key): + ''' provides the dict like interface to access child resources + + :param str key: + token hash or path segment for a child resource + :rtype: + subclass of ordr2.resources.base.BaseResource + :raises: + KeyError if token hash or path segment is not found + ''' + token = self.request.dbsession.query(Token).filter_by(hash=key).first() + if token is None: + # no token found, search for child node + return super().__getitem__(key) + elif token.expires < datetime.utcnow(): + # token has expired, delete it + self.request.dbsession.delete(token) + raise KeyError(f'Token {key} has expired on {token.expires}') + resource_class = self.token_resources[token.subject] + return resource_class(key, self, model=token)