# -*- coding: utf-8 -*-
# rdiffweb, A web interface to rdiff-backup repositories
# Copyright (C) 2012-2021 rdiffweb contributors
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import logging
import cherrypy
import humanfriendly
from wtforms import validators, widgets
from wtforms.fields import Field, HiddenField, PasswordField, SelectField, StringField
from wtforms.fields.html5 import EmailField
from rdiffweb.controller import Controller, flash
from rdiffweb.controller.form import CherryForm
from rdiffweb.core.model import UserObject
from rdiffweb.tools.i18n import gettext_lazy as _
# Module-level logger for the admin user pages.
logger = logging.getLogger(__name__)

# Longest root directory path accepted by the user form (characters).
MAX_PATH: int = 260
class SizeField(Field):
    """
    Text input holding a byte count, shown and parsed in human-readable
    form (binary units such as GiB) through :mod:`humanfriendly`.
    """

    widget = widgets.TextInput()

    def __init__(self, label=None, validators=None, **kwargs):
        super().__init__(label, validators, **kwargs)

    def _value(self):
        # Re-display what was submitted; otherwise render the stored byte
        # count. A missing or zero value renders as an empty string.
        if self.raw_data:
            return ' '.join(self.raw_data)
        if not self.data:
            return ''
        return humanfriendly.format_size(self.data, binary=True)

    def process_formdata(self, valuelist):
        # Parse the submitted text into a byte count. Anything unparseable is
        # rejected here, so no unchecked text reaches the model.
        if not valuelist:
            return
        # parse_size is locale-agnostic: accept ',' as a decimal separator and
        # prefix a bare leading '.' with a zero so the text starts with a digit.
        text = ''.join(valuelist).replace(',', '.').strip()
        if text.startswith('.'):
            text = '0' + text
        try:
            self.data = humanfriendly.parse_size(text)
        except humanfriendly.InvalidSize:
            self.data = None
            # ValueError is how the form reports a field-level process error.
            raise ValueError(self.gettext('Not a valid file size value'))
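class UserForm(CherryForm):
    """
    Form backing the "add user" and "edit user" admin actions.

    :meth:`populate_obj` replaces the wtforms default and copies the fields
    onto a ``UserObject`` explicitly; it never writes the username. Errors
    that should abort the update are raised as ``ValueError`` (the caller
    flashes them); problems that only need reporting are flashed here.
    """

    userid = HiddenField(_('UserID'))
    username = StringField(
        _('Username'),
        validators=[
            validators.data_required(),
            validators.length(max=256, message=_('Username too long.')),
        ],
    )
    fullname = StringField(
        _('Fullname'),
        validators=[
            validators.optional(),
            validators.length(max=256, message=_('Fullname too long.')),
        ],
    )
    email = EmailField(
        _('Email'),
        validators=[
            validators.optional(),
            validators.length(max=256, message=_('Email too long.')),
        ],
    )
    password = PasswordField(
        _('Password'),
        validators=[validators.optional()],
        description=_('To create an LDAP user, you must leave the password empty.'),
    )
    mfa = SelectField(
        _('Two-Factor Authentication (2FA)'),
        coerce=int,
        choices=[
            (UserObject.DISABLED_MFA, _("Disabled")),
            (UserObject.ENABLED_MFA, _("Enabled")),
        ],
        default=UserObject.DISABLED_MFA,
        description=_(
            "When Two-Factor Authentication (2FA) is enabled for a user, a verification code get sent by email when user login from a new location."
        ),
        render_kw={'data-beta': 1},
    )
    user_root = StringField(
        _('Root directory'),
        description=_("Absolute path defining the location of the repositories for this user."),
        validators=[
            validators.length(max=MAX_PATH, message=_('Root directory too long.')),
        ],
    )
    role = SelectField(
        _('User Role'),
        coerce=int,
        choices=[
            (UserObject.ADMIN_ROLE, _("Admin")),
            (UserObject.MAINTAINER_ROLE, _("Maintainer")),
            (UserObject.USER_ROLE, _("User")),
        ],
        default=UserObject.USER_ROLE,
        description=_(
            "Admin: may browse and delete everything. Maintainer: may browse and delete their own repo. User: may only browser their own repo."
        ),
    )
    disk_quota = SizeField(
        _('Disk space'),
        validators=[validators.optional()],
        description=_("Users disk spaces (in bytes). Set to 0 to remove quota (unlimited)."),
    )
    disk_usage = SizeField(
        _('Quota Used'),
        validators=[validators.optional()],
        description=_("Disk spaces (in bytes) used by this user."),
        widget=widgets.HiddenInput(),
    )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Password length limits come from the application config, so they
        # can only be attached once the app is running.
        cfg = cherrypy.tree.apps[''].cfg
        # Rebind instead of `+=`: the list given as ``validators=`` in the
        # field declaration above may be reused by wtforms for every bound
        # instance, and extending it in place would add one more length
        # validator each time a form is created.
        self.password.validators = [
            *self.password.validators,
            validators.length(
                min=cfg.password_min_length,
                max=cfg.password_max_length,
                message=_('Password must have between %(min)d and %(max)d characters.'),
            ),
        ]

    def _is_self_edit(self):
        """True when the submitted username is the logged-in user's own."""
        return self.username.data == cherrypy.request.currentuser.username

    def validate_role(self, field):
        # An admin must not change their own role (e.g. demote themselves).
        if self._is_self_edit() and self.role.data != cherrypy.request.currentuser.role:
            raise ValueError(_('Cannot edit your own role.'))

    def validate_mfa(self, field):
        # An admin must not toggle their own 2FA setting through this form.
        if self._is_self_edit() and self.mfa.data != cherrypy.request.currentuser.mfa:
            raise ValueError(_('Cannot change your own two-factor authentication settings.'))

    def populate_obj(self, userobj):
        """
        Copy the validated field values onto ``userobj``.

        Raises ``ValueError`` if the target is the logged-in user and the
        submitted role or 2FA state differs from theirs. Non-fatal problems
        (missing email for 2FA, inaccessible root, unsupported quota) are
        flashed and the remaining fields are still applied.
        """
        currentuser = cherrypy.request.currentuser
        # Defense in depth: validate_role/validate_mfa compare against the
        # submitted username field, which EditUserForm only marks read-only
        # in the browser. Re-check against the object actually being updated.
        if userobj.username == currentuser.username:
            if self.role.data != currentuser.role:
                raise ValueError(_('Cannot edit your own role.'))
            if self.mfa.data != currentuser.mfa:
                raise ValueError(_('Cannot change your own two-factor authentication settings.'))
        # An empty password leaves the stored credential untouched (LDAP users
        # have none). old_password=None: an admin resets without the old one.
        if self.password.data:
            userobj.set_password(self.password.data, old_password=None)
        userobj.role = self.role.data
        userobj.fullname = self.fullname.data or ''
        userobj.email = self.email.data or ''
        userobj.user_root = self.user_root.data
        # 2FA codes are delivered by email, so enabling it needs an address.
        if self.mfa.data and not userobj.email:
            flash(_("User email is required to enabled Two-Factor Authentication"), level='error')
        else:
            userobj.mfa = self.mfa.data
        if userobj.valid_user_root():
            userobj.refresh_repos(delete=True)
        else:
            flash(_("User's root directory %s is not accessible!") % userobj.user_root, level='error')
            logger.warning("user's root directory %s is not accessible", userobj.user_root)
        # Compare the new quota with the stored one round-tripped through the
        # same human-readable rendering, so a merely re-displayed value is not
        # mistaken for a change.
        new_quota = self.disk_quota.data or 0
        old_quota = humanfriendly.parse_size(humanfriendly.format_size(self.disk_quota.object_data or 0, binary=True))
        if old_quota != new_quota:
            userobj.disk_quota = new_quota
            # Setting the quota can fail silently; read it back to find out.
            if userobj.disk_quota != new_quota:
                flash(_("Setting user's quota is not supported"), level='warning')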
class EditUserForm(UserForm):
    """
    :class:`UserForm` variant for the edit page.

    The username is displayed but not editable. ``readonly`` is only a
    browser-side hint, so the field's own ``populate_obj`` is also disabled
    to make sure the username can never be written back to the user object.
    """

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.username.render_kw = {'readonly': True}
        self.username.populate_obj = lambda *args, **kwargs: None
class DeleteUserForm(CherryForm):
    """Form for the delete action; only the target username is posted."""

    username = StringField(
        _('Username'),
        validators=[validators.data_required()],
    )
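@cherrypy.tools.is_admin()
class AdminUsersPage(Controller):
    """
    Administration pages used to manage the user database.

    Authorization is enforced by the ``is_admin`` tool on the class; the
    handlers themselves assume the caller is an administrator. Each
    privileged mutation (add, edit, delete) is logged with the acting
    admin's username so there is an audit trail.
    """

    def _delete_user(self, action, form):
        """
        Delete the account named in ``form`` and report the outcome via flash.

        Refuses to delete the logged-in admin's own account. The form is
        re-validated here so the method is safe to call on its own.
        """
        if action != 'delete' or not form:
            raise ValueError("_delete_user called with action %r" % (action,))
        if not form.validate():
            flash(form.error_message, level='error')
            return
        target = form.username.data
        admin = self.app.currentuser.username
        if target == admin:
            flash(_("You cannot remove your own account!"), level='error')
            return
        try:
            user = UserObject.get_user(target)
            if not user:
                flash(_("User doesn't exists!"), level='warning')
                return
            user.delete()
        except ValueError as e:
            flash(str(e), level='error')
            return
        logger.info("user account %s deleted by %s", target, admin)
        flash(_("User account removed."))

    def _add_user(self, username):
        """Create ``username`` from the posted UserForm; report via flash."""
        form = UserForm()
        if not form.validate_on_submit():
            flash(form.error_message, level='error')
            return
        try:
            # The account is created from the request's ``username`` argument
            # (presumably the same value the form validated as its username
            # field); the remaining fields are then applied to it.
            user = UserObject.add_user(username)
            form.populate_obj(user)
        except Exception as e:
            # Admin-only page: surfacing the exception text is acceptable here.
            flash(str(e), level='error')
            return
        logger.info("user account %s added by %s", username, self.app.currentuser.username)
        flash(_("User added successfully."))

    def _edit_user(self, username):
        """Apply the posted EditUserForm to ``username``; report via flash."""
        user = UserObject.get_user(username)
        if not user:
            flash(_("Cannot edit user `%s`: user doesn't exists") % username, level='error')
            return
        form = EditUserForm(obj=user)
        if not form.validate_on_submit():
            flash(form.error_message, level='error')
            return
        try:
            form.populate_obj(user)
        except Exception as e:
            # Admin-only page: surfacing the exception text is acceptable here.
            flash(str(e), level='error')
            return
        logger.info("user account %s modified by %s", username, self.app.currentuser.username)
        flash(_("User information modified successfully."))

    @cherrypy.expose
    def default(self, username=None, action=u"", **kwargs):
        """
        Apply ``action`` (if any) and render the user management page.

        ``action`` is one of ``add``, ``edit`` or ``delete``; any other value,
        including the empty default, only renders the page. ``username`` is
        the target for ``add``/``edit``; ``delete`` reads it from the posted
        form. ``kwargs`` absorbs the other posted fields CherryPy passes as
        keyword arguments; the forms appear to read them from the request
        themselves, so they are not used here.
        """
        if action == "add":
            self._add_user(username)
        elif action == "edit":
            self._edit_user(username)
        elif action == 'delete':
            form = DeleteUserForm()
            if form.validate_on_submit():
                self._delete_user(action, form)
            else:
                # Consistent with add/edit: an invalid submission is reported.
                flash(form.error_message, level='error')
        # Fresh, unbound forms for the page; formdata=None keeps the current
        # request's POST body from being re-applied to them.
        return self._compile_template(
            "admin_users.html",
            add_form=UserForm(formdata=None),
            edit_form=EditUserForm(formdata=None),
            users=UserObject.query.all(),
        )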