44
44
# password, nick, email, studentid
46
# userservice/get_user
48
# Required cap: None to see yourself.
49
# CAP_GETUSER to see another user.
50
# Gets the login details of a user. Returns as a JSON object.
51
# login = Optional login name of user to get. If omitted, get yourself.
53
# userservice/update_user
54
# Required cap: None to update yourself.
55
# CAP_UPDATEUSER to update another user (and also more fields).
56
# (This is all-powerful so should be only for admins)
57
# login = Optional login name of user to update. If omitted, update yourself.
58
# Other fields are optional, and will set the given field of the user.
59
# Without CAP_UPDATEUSER, you may change the following fields of yourself:
60
# password, nick, email
61
# With CAP_UPDATEUSER, you may also change the following fields of any user:
62
# password, nick, email, login, rolenm, unixid, fullname, studentid
63
# (You can't change "state", but see userservice/[en|dis]able_user).
66
47
# userservice/enable_user
67
48
# Required cap: CAP_UPDATEUSER
158
139
USER_DECLARATION = "I accept the IVLE Terms of Service"
160
# List of fields returned as part of the user JSON dictionary
161
# (as returned by the get_user action)
163
"login", "state", "unixid", "email", "nick", "fullname",
164
"admin", "studentid", "acct_exp", "pass_exp", "last_login",
168
141
class UserServiceView(BaseView):
169
142
subpath_allowed = True
329
302
req.content_type = "text/plain"
330
303
req.write(str(user.unixid))
332
update_user_fields_anyone = [
333
'password', 'nick', 'email'
335
update_user_fields_admin = [
336
'password', 'nick', 'email', 'admin', 'unixid', 'fullname',
340
@require_method('POST')
341
def handle_update_user(req, fields):
342
"""Update a user's account details.
343
This can be done in a limited form by any user, on their own account,
344
or with full powers by an admin user on any account.
346
# Only give full powers if this user is an admin.
347
fullpowers = req.user.admin
348
# List of fields that may be changed
349
fieldlist = (update_user_fields_admin if fullpowers
350
else update_user_fields_anyone)
353
login = fields.getfirst('login')
355
raise AttributeError()
356
if not fullpowers and login != req.user.login:
357
# Not allowed to edit other users
359
except AttributeError:
360
# If login not specified, update yourself
361
login = req.user.login
363
user = ivle.database.User.get_by_login(req.store, login)
365
oldpassword = fields.getfirst('oldpass')
366
if oldpassword is not None: # It was specified.
367
oldpassword = oldpassword.value
369
# If the user is trying to set a new password, check that they have
370
# entered old password and it authenticates.
371
if fields.getfirst('password') is not None:
373
authenticate.authenticate(req.config, req.store, login,
377
req.headers_out['X-IVLE-Action-Error'] = \
378
urllib.quote("Old password incorrect.")
379
raise BadRequest("Old password incorrect.")
381
# Make a dict of fields to update
383
val = fields.getfirst(f)
385
# Note: May be rolled back if auth check below fails
386
setattr(user, f, val.value.decode('utf-8'))
390
req.content_type = "text/plain"
393
def handle_get_user(req, fields):
395
Retrieve a user's account details. This returns all details which the db
396
module is willing to give up, EXCEPT the following fields:
399
# Only give full powers if this user is an admin
400
fullpowers = req.user.admin
403
login = fields.getfirst('login')
405
raise AttributeError()
406
if not fullpowers and login != req.user.login:
408
except AttributeError:
409
# If login not specified, update yourself
410
login = req.user.login
412
# Just talk direct to the DB
413
userobj = ivle.database.User.get_by_login(req.store, login)
414
user = ivle.util.object_to_dict(user_fields_list, userobj)
415
# Convert time stamps to nice strings
416
for k in 'pass_exp', 'acct_exp', 'last_login':
417
if user[k] is not None:
418
user[k] = unicode(user[k])
420
user['local_password'] = userobj.passhash is not None
422
response = cjson.encode(user)
423
req.content_type = "text/plain"
426
305
def handle_get_enrolments(req, fields):
428
307
Retrieve a user's enrolment details. Each enrolment includes any group
721
600
"activate_me": handle_activate_me,
722
601
"create_user": handle_create_user,
723
"update_user": handle_update_user,
724
"get_user": handle_get_user,
725
602
"get_enrolments": handle_get_enrolments,
726
603
"get_active_offerings": handle_get_active_offerings,
727
604
"get_project_groups": handle_get_project_groups,