store user id in cookie

This commit is contained in:
Davide Alberani 2017-03-27 22:17:34 +02:00
parent d0776487a2
commit ed21f8e05a


@ -181,13 +181,13 @@ class BaseHandler(tornado.web.RequestHandler):
permissions = set([k for (k, v) in self.permissions.items() if v is True]) permissions = set([k for (k, v) in self.permissions.items() if v is True])
user_info = {'permissions': permissions} user_info = {'permissions': permissions}
if current_user: if current_user:
user_info['username'] = current_user user_info['_id'] = current_user
res = self.db.query('users', {'username': current_user}) user = self.db.getOne('users', {'_id': current_user})
if res: if user:
user = res[0]
user_info = user user_info = user
permissions.update(set(user.get('permissions') or [])) permissions.update(set(user.get('permissions') or []))
user_info['permissions'] = permissions user_info['permissions'] = permissions
user_info['isRegistered'] = True
self._users_cache[current_user] = user_info self._users_cache[current_user] = user_info
return user_info return user_info
@ -756,7 +756,7 @@ class EventsHandler(CollectionHandler):
ticket = self._get_ticket_data(ticket_id, doc.get('tickets') or []) ticket = self._get_ticket_data(ticket_id, doc.get('tickets') or [])
env = dict(ticket) env = dict(ticket)
env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_, env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_,
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user, 'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user_info.get('username', ''),
'WEB_REMOTE_IP': self.request.remote_ip}) 'WEB_REMOTE_IP': self.request.remote_ip})
stdin_data = {'new': ticket, stdin_data = {'new': ticket,
'event': doc, 'event': doc,
@ -798,7 +798,7 @@ class EventsHandler(CollectionHandler):
# always takes the ticket_id from the new ticket # always takes the ticket_id from the new ticket
ticket_id = str(new_ticket_data.get('_id')) ticket_id = str(new_ticket_data.get('_id'))
env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_, env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_,
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user, 'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user_info.get('username', ''),
'WEB_REMOTE_IP': self.request.remote_ip}) 'WEB_REMOTE_IP': self.request.remote_ip})
stdin_data = {'old': old_ticket_data, stdin_data = {'old': old_ticket_data,
'new': new_ticket_data, 'new': new_ticket_data,
@ -831,7 +831,7 @@ class EventsHandler(CollectionHandler):
self.send_ws_message('event/%s/tickets/updates' % id_, json.dumps(ret)) self.send_ws_message('event/%s/tickets/updates' % id_, json.dumps(ret))
env = dict(ticket) env = dict(ticket)
env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_, env.update({'PERSON_ID': ticket_id, 'TICKED_ID': ticket_id, 'EVENT_ID': id_,
'EVENT_TITLE': rdoc.get('title', ''), 'WEB_USER': self.current_user, 'EVENT_TITLE': rdoc.get('title', ''), 'WEB_USER': self.current_user_info.get('username', ''),
'WEB_REMOTE_IP': self.request.remote_ip}) 'WEB_REMOTE_IP': self.request.remote_ip})
stdin_data = {'old': ticket, stdin_data = {'old': ticket,
'event': rdoc, 'event': rdoc,
@ -876,7 +876,7 @@ class UsersHandler(CollectionHandler):
@authenticated @authenticated
def get(self, id_=None, resource=None, resource_id=None, acl=True, **kwargs): def get(self, id_=None, resource=None, resource_id=None, acl=True, **kwargs):
if id_ is not None: if id_ is not None:
if (self.has_permission('user|read') or str(self.current_user_info.get('_id')) == id_): if (self.has_permission('user|read') or self.current_user == id_):
acl = False acl = False
super(UsersHandler, self).get(id_, resource, resource_id, acl=acl, **kwargs) super(UsersHandler, self).get(id_, resource, resource_id, acl=acl, **kwargs)
@ -900,7 +900,8 @@ class UsersHandler(CollectionHandler):
if new_pwd is not None: if new_pwd is not None:
del data['new_password'] del data['new_password']
authorized, user = self.user_authorized(data['username'], old_pwd) authorized, user = self.user_authorized(data['username'], old_pwd)
if not (self.has_permission('user|update') or (authorized and self.current_user == data['username'])): if not (self.has_permission('user|update') or (authorized and
self.current_user_info.get('username') == data['username'])):
raise InputException('not authorized to change password') raise InputException('not authorized to change password')
data['password'] = utils.hash_password(new_pwd) data['password'] = utils.hash_password(new_pwd)
if '_id' in data: if '_id' in data:
@ -913,7 +914,7 @@ class UsersHandler(CollectionHandler):
def put(self, id_=None, resource=None, resource_id=None, **kwargs): def put(self, id_=None, resource=None, resource_id=None, **kwargs):
if id_ is None: if id_ is None:
return self.build_error(status=404, message='unable to access the resource') return self.build_error(status=404, message='unable to access the resource')
if not (self.has_permission('user|update') or str(self.current_user_info.get('_id')) == id_): if not (self.has_permission('user|update') or self.current_user == id_):
return self.build_error(status=401, message='insufficient permissions: user|update or current user') return self.build_error(status=401, message='insufficient permissions: user|update or current user')
super(UsersHandler, self).put(id_, resource, resource_id, **kwargs) super(UsersHandler, self).put(id_, resource, resource_id, **kwargs)
@ -1083,10 +1084,11 @@ class LoginHandler(RootHandler):
self.write({'error': True, 'message': 'missing username or password'}) self.write({'error': True, 'message': 'missing username or password'})
return return
authorized, user = self.user_authorized(username, password) authorized, user = self.user_authorized(username, password)
if authorized and user.get('username'): if authorized and 'username' in user and '_id' in user:
id_ = str(user['_id'])
username = user['username'] username = user['username']
logging.info('successful login for user %s' % username) logging.info('successful login for user %s (id: %s)' % (username, id_))
self.set_secure_cookie("user", username) self.set_secure_cookie("user", id_)
self.write({'error': False, 'message': 'successful login'}) self.write({'error': False, 'message': 'successful login'})
return return
logging.info('login failed for user %s' % username) logging.info('login failed for user %s' % username)
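Review bot: The lookup `user = self.db.getOne('users', {'_id': current_user})` in the BaseHandler hunk passes the cookie value straight through as the `_id` filter, yet the value written at login is `str(user['_id'])` and the pre-change code compared `str(self.current_user_info.get('_id'))`, which suggests the stored `_id` is not a plain string; if `getOne` does not coerce the key, the lookup misses for every logged-in user, `isRegistered` and the stored permissions are never applied, and that empty result is then cached under `self._users_cache[current_user]`. Confirm that the db layer converts the `_id` filter, or convert it here before the query, and consider not caching the not-found case so a later fix takes effect without a restart. Relatedly, `self.current_user == id_` in the UsersHandler `get` and `put` hunks only holds if `current_user` is already a decoded `str`; Tornado's `get_secure_cookie` returns `bytes` on Python 3, so verify the decode happens in `get_current_user` (not in this diff), otherwise self-access silently fails closed. A short comment on the `set_secure_cookie` line would help future readers, e.g. `# cookie carries str(user['_id']); BaseHandler resolves it back to the user document`. The method containing the first hunk starts outside the hunk.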