82 lines
2.7 KiB
Python
82 lines
2.7 KiB
Python
|
##############################################################################
|
||
|
# ScoDoc
|
||
|
# Copyright (c) 1999 - 2022 Emmanuel Viennet. All rights reserved.
|
||
|
# See LICENSE
|
||
|
##############################################################################
|
||
|
|
||
|
"""
|
||
|
ScoDoc 9 API : accès aux utilisateurs
|
||
|
"""
|
||
|
|
||
|
|
||
|
from flask import g, jsonify, request
|
||
|
from flask_login import current_user, login_required
|
||
|
|
||
|
import app
|
||
|
from app import db, log
|
||
|
from app.api import api_bp as bp, api_web_bp
|
||
|
from app.api.errors import error_response
|
||
|
from app.auth.models import User, Role, UserRole
|
||
|
from app.decorators import scodoc, permission_required
|
||
|
from app.models import Departement
|
||
|
from app.scodoc.sco_exceptions import ScoValueError
|
||
|
from app.scodoc.sco_permissions import Permission
|
||
|
|
||
|
|
||
|
@bp.route("/user/<int:uid>")
|
||
|
@api_web_bp.route("/user/<int:uid>")
|
||
|
@login_required
|
||
|
@scodoc
|
||
|
@permission_required(Permission.ScoUsersView)
|
||
|
def user_info(uid: int):
|
||
|
"""
|
||
|
Info sur un compte utilisateur scodoc
|
||
|
"""
|
||
|
user: User = User.query.get(uid)
|
||
|
if user is None:
|
||
|
return error_response(404, "user not found")
|
||
|
if g.scodoc_dept:
|
||
|
allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersView)
|
||
|
if user.dept not in allowed_depts:
|
||
|
return error_response(404, "user not found")
|
||
|
|
||
|
return jsonify(user.to_dict())
|
||
|
|
||
|
|
||
|
@bp.route("/users/query")
|
||
|
@api_web_bp.route("/users/query")
|
||
|
@login_required
|
||
|
@scodoc
|
||
|
@permission_required(Permission.ScoView)
|
||
|
def users_info_query():
|
||
|
"""Utilisateurs, filtrés par dept, active ou début nom
|
||
|
/users/query?departement=dept_acronym&active=1&starts_with=<str:nom>
|
||
|
|
||
|
Si accès via API web, seuls les utilisateurs "accessibles" (selon les
|
||
|
permissions) sont retournés: le département de l'URL est ignoré, seules
|
||
|
les permissions de l'utilisateur sont prises en compte.
|
||
|
"""
|
||
|
query = User.query
|
||
|
active = request.args.get("active")
|
||
|
if active is not None:
|
||
|
active = bool(str(active))
|
||
|
query = query.filter_by(active=active)
|
||
|
departement = request.args.get("departement")
|
||
|
if departement is not None:
|
||
|
query = query.filter_by(dept=departement or None)
|
||
|
starts_with = request.args.get("starts_with")
|
||
|
if starts_with is not None:
|
||
|
# remove % and _ for security
|
||
|
starts_with = starts_with.translate({ord(c): None for c in "%_"})
|
||
|
query = query.filter(User.nom.ilike(starts_with + "%"))
|
||
|
# Filtre selon permissions:
|
||
|
query = (
|
||
|
query.join(UserRole, (UserRole.dept == User.dept) | (UserRole.dept == None))
|
||
|
.filter(UserRole.user == current_user)
|
||
|
.join(Role, UserRole.role_id == Role.id)
|
||
|
.filter(Role.permissions.op("&")(Permission.ScoUsersView) != 0)
|
||
|
)
|
||
|
|
||
|
query = query.order_by(User.user_name)
|
||
|
return jsonify([u.to_dict() for u in query])
|