From 47123aeb1e5b042747876af8ee45863cceecfa28 Mon Sep 17 00:00:00 2001 From: leonard_montalbano Date: Fri, 4 Mar 2022 17:16:08 +0100 Subject: [PATCH] permissions non fonctionnel --- app/api/absences.py | 8 ++++++++ app/api/departements.py | 11 +++++++++-- app/api/etudiants.py | 20 +++++++++++--------- app/api/evaluations.py | 5 +++++ app/api/formations.py | 11 +++++++++-- app/api/formsemestres.py | 6 ++++++ app/api/logos.py | 5 +++++ app/api/partitions.py | 5 +++++ app/api/test_api.py | 26 ++++++++++++++++++++------ app/scodoc/sco_permissions.py | 8 ++++---- 10 files changed, 82 insertions(+), 23 deletions(-) diff --git a/app/api/absences.py b/app/api/absences.py index 4f53c064..38ec33fb 100644 --- a/app/api/absences.py +++ b/app/api/absences.py @@ -7,13 +7,16 @@ from app import models from app.api import bp from app.api.auth import token_auth from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_abs import add_absence, add_justif, annule_absence, annule_justif, list_abs_date from app.scodoc.sco_groups import get_group_members +from app.scodoc.sco_permissions import Permission @bp.route("/absences/etudid/", methods=["GET"]) @bp.route("/absences/nip/", methods=["GET"]) @bp.route("/absences/ine/", methods=["GET"]) +@permission_required(Permission.APIView) def absences(etudid: int = None, nip: int = None, ine: int = None): """ Retourne la liste des absences d'un étudiant donné @@ -50,6 +53,7 @@ def absences(etudid: int = None, nip: int = None, ine: int = None): @bp.route("/absences/etudid//abs_just_only", methods=["GET"]) @bp.route("/absences/nip//abs_just_only", methods=["GET"]) @bp.route("/absences/ine//abs_just_only", methods=["GET"]) +@permission_required(Permission.APIView) def absences_justify(etudid: int = None, nip: int = None, ine: int = None): """ Retourne la liste des absences justifiées d'un étudiant donné 
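Review bot: `absences()` gets `@permission_required(Permission.APIView)` with no `@token_auth.login_required` above it, so no bearer token is ever verified on this route before the permission is evaluated; the same gap applies to `absences_justify` and `abs_groupe_etat` later in this file and to every GET route decorated in departements.py, etudiants.py, evaluations.py, formations.py, formsemestres.py and partitions.py. The POST routes in this file show the intended shape, `@token_auth.login_required` directly above `@permission_required(...)`, so authentication runs first and the permission check sees the token's user. If `app.decorators.permission_required` resolves the user through Flask-Login's `current_user` rather than the `g.current_user` that `token_auth` populates (which `api_get_glob_logos` in logos.py relies on), the check cannot see an API client even when a token is presented, which would explain the commit subject. Adding `@token_auth.login_required` above each new `@permission_required(Permission.APIView)` closes the unauthenticated path either way.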
@@ -92,6 +96,7 @@ def absences_justify(etudid: int = None, nip: int = None, ine: int = None): @bp.route("/absences/abs_signale?ine=&date=&matin=&justif=" "&description=&moduleimpl_id=", methods=["POST"]) @token_auth.login_required +@permission_required(Permission.APIAbsChange) def abs_signale(date: datetime, matin: bool, justif: bool, etudid: int = None, nip: int = None, ine: int = None, description: str = None, moduleimpl_id: int = None): """ @@ -214,6 +219,7 @@ def abs_signale(date: datetime, matin: bool, justif: bool, etudid: int = None, n @bp.route("/absences/abs_annule?nip=&jour=&matin=", methods=["POST"]) @bp.route("/absences/abs_annule?ine=&jour=&matin=", methods=["POST"]) @token_auth.login_required +@permission_required(Permission.APIAbsChange) def abs_annule(jour: datetime, matin: str, etudid: int = None, nip: int = None, ine: int = None): """ Retourne un html @@ -251,6 +257,7 @@ def abs_annule(jour: datetime, matin: str, etudid: int = None, nip: int = None, @bp.route("/absences/abs_annule_justif?nip=&jour=&matin=", methods=["POST"]) @bp.route("/absences/abs_annule_justif?ine=&jour=&matin=", methods=["POST"]) @token_auth.login_required +@permission_required(Permission.APIAbsChange) def abs_annule_justif(jour: datetime, matin: str, etudid: int = None, nip: int = None, ine: int = None): """ Retourne un html @@ -285,6 +292,7 @@ def abs_annule_justif(jour: datetime, matin: str, etudid: int = None, nip: int = @bp.route("/absences/abs_group_etat/?group_id=&date_debut=date_debut&date_fin=date_fin", methods=["GET"]) +@permission_required(Permission.APIView) def abs_groupe_etat(group_id: int, date_debut, date_fin, with_boursier=True, format="html"): """ Retoune la liste des absences d'un ou plusieurs groupes entre deux dates diff --git a/app/api/departements.py b/app/api/departements.py index 6e4d2e5d..063b0b7e 100644 --- a/app/api/departements.py +++ b/app/api/departements.py 
@@ -5,7 +5,9 @@ from app import models from app.api import bp from app.api.auth import token_auth from app.api.errors import error_response +from app.decorators import permission_required from app.models import ApcReferentielCompetences +from app.scodoc.sco_permissions import Permission from app.scodoc.sco_prepajury import feuille_preparation_jury from app.scodoc.sco_pvjury import formsemestre_pvjury from app.scodoc.sco_recapcomplet import formsemestre_recapcomplet @@ -14,7 +16,8 @@ from app.scodoc.sco_saisie_notes import notes_add @bp.route("/departements", methods=["GET"]) -#@token_auth.login_required # Commenté le temps des tests +@token_auth.login_required # Commenté le temps des tests +@permission_required(Permission.APIView) def departements(): """ Retourne la liste des ids de départements visibles @@ -33,7 +36,8 @@ def departements(): @bp.route("/departements//etudiants/liste", methods=["GET"]) @bp.route("/departements//etudiants/liste/", methods=["GET"]) # @token_auth.login_required -def liste_etudiants(dept: str, formsemestre_id=None): # XXX TODO A REVOIR +@permission_required(Permission.APIView) +def liste_etudiants(dept: str, formsemestre_id=None): """ Retourne la liste des étudiants d'un département @@ -137,6 +141,7 @@ def liste_etudiants(dept: str, formsemestre_id=None): # XXX TODO A REVOIR @bp.route("/departements//semestres_courants", methods=["GET"]) # @token_auth.login_required # Commenté le temps des tests +# @permission_required(Permission.APIView) def liste_semestres_courant(dept: str): """ Liste des semestres actifs d'un départements donné @@ -195,6 +200,7 @@ def liste_semestres_courant(dept: str): @bp.route("/departements//formations//referentiel_competences", methods=["GET"]) +@permission_required(Permission.APIView) def referenciel_competences(dept: str, formation_id: int): """ Retourne le référentiel de compétences 
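Review bot: The now-active `@token_auth.login_required` on `departements()` still carries the comment `# Commenté le temps des tests`, which described the decorator being disabled and is now misleading; drop the trailing comment so the line reads `@token_auth.login_required`. In the next hunk `liste_etudiants` gets `@permission_required(Permission.APIView)` while its `# @token_auth.login_required` line stays commented out, so that route's permission check has no authenticated user to evaluate.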
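Review bot: `liste_semestres_courant` receives only a commented-out `# @permission_required(Permission.APIView)` beneath an already commented-out `# @token_auth.login_required`, leaving it the one departement route with neither authentication nor authorization after this commit. If both decorators are disabled because they break the tests, the exception should be visible rather than silent: either enable both lines like the sibling routes, or replace the two dead lines with `# TODO: re-enable token_auth.login_required and permission_required once API auth works` so the gap is tracked.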
@@ -221,6 +227,7 @@ def referenciel_competences(dept: str, formation_id: int): @bp.route("/departements//formsemestre//programme", methods=["GET"]) +@permission_required(Permission.APIView) def semestre_index(dept: str, formsemestre_id: int): """ Retourne la liste des Ues, ressources et SAE d'un semestre diff --git a/app/api/etudiants.py b/app/api/etudiants.py index 5b0ac28a..ae406e27 100644 --- a/app/api/etudiants.py +++ b/app/api/etudiants.py @@ -4,11 +4,14 @@ from flask import jsonify from app import models from app.api import bp from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_bulletins_json import make_json_formsemestre_bulletinetud from app.scodoc.sco_groups import get_etud_groups +from app.scodoc.sco_permissions import Permission @bp.route("/etudiants", methods=["GET"]) +@permission_required(Permission.APIView) def etudiants(): """ Retourne la liste de tous les étudiants @@ -49,6 +52,7 @@ def etudiants(): @bp.route("/etudiants/courant", methods=["GET"]) +@permission_required(Permission.APIView) def etudiants_courant(): """ Retourne la liste des étudiants courant @@ -94,6 +98,7 @@ def etudiants_courant(): @bp.route("/etudiant/etudid/", methods=["GET"]) @bp.route("/etudiant/nip/", methods=["GET"]) @bp.route("/etudiant/ine/", methods=["GET"]) +@permission_required(Permission.APIView) def etudiant(etudid: int = None, nip: int = None, ine: int = None): """ Retourne les informations de l'étudiant correspondant à l'id passé en paramètres. @@ -138,6 +143,7 @@ def etudiant(etudid: int = None, nip: int = None, ine: int = None): @bp.route("/etudiant/etudid//formsemestres") @bp.route("/etudiant/nip//formsemestres") @bp.route("/etudiant/ine//formsemestres") +@permission_required(Permission.APIView) def etudiant_formsemestres(etudid: int = None, nip: int = None, ine: int = None): """ Retourne la liste des semestres qu'un étudiant a suivis 
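Review bot: etudiants.py never imports `token_auth`, so none of the routes decorated with `@permission_required(Permission.APIView)` in this file (`etudiants`, `etudiants_courant`, `etudiant`, `etudiant_formsemestres`, and the bulletin and groups routes in the following hunks) can verify a bearer token before the permission decorator runs. These endpoints return per-student records, so the permission check alone does not establish who is asking. Add `from app.api.auth import token_auth` alongside the other `app.api` imports and place `@token_auth.login_required` above each new `@permission_required(...)` line, matching the POST routes in absences.py.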
@@ -225,6 +231,7 @@ def etudiant_formsemestres(etudid: int = None, nip: int = None, ine: int = None) @bp.route("/etudiant/etudid//formsemestre//bulletin", methods=["GET"]) @bp.route("/etudiant/nip//formsemestre//bulletin", methods=["GET"]) @bp.route("/etudiant/ine//formsemestre//bulletin", methods=["GET"]) +@permission_required(Permission.APIView) def etudiant_bulletin_semestre(formsemestre_id, etudid: int = None, nip: int = None, ine: int = None): """ Retourne le bulletin d'un étudiant en fonction de son id et d'un semestre donné @@ -252,15 +259,10 @@ def etudiant_bulletin_semestre(formsemestre_id, etudid: int = None, nip: int = N # return error_response(501, message="Not implemented") -@bp.route( - "/etudiant/etudid//semestre//groups", methods=["GET"] -) -@bp.route( - "/etudiant/nip//semestre//groups", methods=["GET"] -) -@bp.route( - "/etudiant/ine//semestre//groups", methods=["GET"] -) +@bp.route("/etudiant/etudid//semestre//groups", methods=["GET"]) +@bp.route("/etudiant/nip//semestre//groups", methods=["GET"]) +@bp.route("/etudiant/ine//semestre//groups", methods=["GET"]) +@permission_required(Permission.APIView) def etudiant_groups(formsemestre_id: int, etudid: int = None, nip: int = None, ine: int = None): """ Retourne la liste des groupes auxquels appartient l'étudiant dans le semestre indiqué diff --git a/app/api/evaluations.py b/app/api/evaluations.py index 2ca92d58..db1b7e84 100644 --- a/app/api/evaluations.py +++ b/app/api/evaluations.py @@ -5,10 +5,13 @@ from app import models from app.api import bp from app.api.auth import token_auth from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_evaluation_db import do_evaluation_get_all_notes +from app.scodoc.sco_permissions import Permission @bp.route("/evaluations/", methods=["GET"]) +@permission_required(Permission.APIView) def evaluations(moduleimpl_id: int): """ Retourne la liste des évaluations à partir de l'id d'un moduleimpl 
@@ -26,6 +29,7 @@ def evaluations(moduleimpl_id: int): @bp.route("/evaluations/eval_notes/", methods=["GET"]) +@permission_required(Permission.APIView) def evaluation_notes(evaluation_id: int): """ Retourne la liste des notes à partir de l'id d'une évaluation donnée @@ -47,6 +51,7 @@ def evaluation_notes(evaluation_id: int): @bp.route("/evaluations/eval_set_notes?eval_id=&nip=¬e=", methods=["POST"]) @bp.route("/evaluations/eval_set_notes?eval_id=&ine=¬e=", methods=["POST"]) @token_auth.login_required +@permission_required(Permission.APIEditAllNotes) def evaluation_set_notes(eval_id: int, note: float, etudid: int = None, nip: int = None, ine: int = None): """ Set les notes d'une évaluation pour un étudiant donnée diff --git a/app/api/formations.py b/app/api/formations.py index 327d0c14..84c84b9c 100644 --- a/app/api/formations.py +++ b/app/api/formations.py @@ -4,11 +4,14 @@ from flask import jsonify from app import models from app.api import bp from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_formations import formation_export from app.scodoc.sco_moduleimpl import moduleimpl_list +from app.scodoc.sco_permissions import Permission @bp.route("/formations", methods=["GET"]) +@permission_required(Permission.APIView) def formations(): """ Retourne la liste des formations @@ -23,6 +26,7 @@ def formations(): @bp.route("/formations/", methods=["GET"]) +@permission_required(Permission.APIView) def formations_by_id(formation_id: int): """ Retourne une formation en fonction d'un id donné @@ -39,6 +43,7 @@ def formations_by_id(formation_id: int): @bp.route("/formations/formation_export/", methods=["GET"]) +@permission_required(Permission.APIView) def formation_export_by_formation_id(formation_id: int, export_ids=False): """ Retourne la formation, avec UE, matières, modules 
@@ -55,6 +60,7 @@ def formation_export_by_formation_id(formation_id: int, export_ids=False): @bp.route("/formations/apo/", methods=["GET"]) +@permission_required(Permission.APIView) def formsemestre_apo(etape_apo: int): """ Retourne les informations sur les formsemestres @@ -75,6 +81,7 @@ def formsemestre_apo(etape_apo: int): @bp.route("/formations/moduleimpl/", methods=["GET"]) +@permission_required(Permission.APIView) def moduleimpls(moduleimpl_id: int): """ Retourne la liste des moduleimpl @@ -90,8 +97,8 @@ def moduleimpls(moduleimpl_id: int): return jsonify(data) -@bp.route( - "/formations/moduleimpl//formsemestre/", methods=["GET"]) +@bp.route("/formations/moduleimpl//formsemestre/", methods=["GET"]) +@permission_required(Permission.APIView) def moduleimpls_sem(moduleimpl_id: int, formsemestre_id: int): """ Retourne la liste des moduleimpl d'un semestre diff --git a/app/api/formsemestres.py b/app/api/formsemestres.py index 5b87de66..2466562e 100644 --- a/app/api/formsemestres.py +++ b/app/api/formsemestres.py @@ -4,12 +4,15 @@ from flask import jsonify from app import models from app.api import bp from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_bulletins import formsemestre_bulletinetud_dict +from app.scodoc.sco_permissions import Permission from app.scodoc.sco_pvjury import formsemestre_pvjury from app.scodoc.sco_recapcomplet import formsemestre_recapcomplet @bp.route("/formations/formsemestre/", methods=["GET"]) +@permission_required(Permission.APIView) def formsemestre(formsemestre_id: int): """ Retourne l'information sur le formsemestre correspondant au formsemestre_id @@ -38,6 +41,7 @@ def formsemestre(formsemestre_id: int): "/formsemestre//departements//etudiant/ine//bulletin", methods=["GET"], ) +@permission_required(Permission.APIView) def etudiant_bulletin(formsemestre_id, dept, etudid, format="json", *args, size): """ Retourne le bulletin de note d'un étudiant 
@@ -63,6 +67,7 @@ def etudiant_bulletin(formsemestre_id, dept, etudid, format="json", *args, size) @bp.route("/formsemestre//bulletins", methods=["GET"]) +@permission_required(Permission.APIView) def bulletins(formsemestre_id: int): """ Retourne les bulletins d'un formsemestre donné @@ -81,6 +86,7 @@ def bulletins(formsemestre_id: int): @bp.route("/formsemestre//jury", methods=["GET"]) +@permission_required(Permission.APIView) def jury(formsemestre_id: int): """ Retourne le récapitulatif des décisions jury diff --git a/app/api/logos.py b/app/api/logos.py index e32f6595..be689d72 100644 --- a/app/api/logos.py +++ b/app/api/logos.py @@ -36,6 +36,7 @@ from app.api import bp from app.api import requested_format from app.api.auth import token_auth from app.api.errors import error_response +from app.decorators import permission_required from app.models import Departement from app.scodoc.sco_logos import list_logos, find_logo from app.scodoc.sco_permissions import Permission @@ -43,6 +44,7 @@ from app.scodoc.sco_permissions import Permission @bp.route("/logos", methods=["GET"]) @token_auth.login_required +@permission_required(Permission.APIView) def api_get_glob_logos(): if not g.current_user.has_permission(Permission.ScoSuperAdmin, None): return error_response(401, message="accès interdit") @@ -55,6 +57,7 @@ def api_get_glob_logos(): @bp.route("/logos/", methods=["GET"]) @token_auth.login_required +@permission_required(Permission.APIView) def api_get_glob_logo(logoname): if not g.current_user.has_permission(Permission.ScoSuperAdmin, None): return error_response(401, message="accès interdit") @@ -71,6 +74,7 @@ def api_get_glob_logo(logoname): @bp.route("/departements//logos", methods=["GET"]) @token_auth.login_required +@permission_required(Permission.APIView) def api_get_local_logos(departement): dept_id = Departement.from_acronym(departement).id if not g.current_user.has_permission(Permission.ScoChangePreferences, departement): 
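Review bot: `api_get_glob_logos` now denies in two different ways: the new `@permission_required(Permission.APIView)` rejects before the body runs, while the existing in-body `has_permission(Permission.ScoSuperAdmin, None)` test answers `error_response(401, message="accès interdit")`. A 401 tells the client its credentials are missing or invalid, but a caller reaching that line has already passed `@token_auth.login_required`; the insufficient-permission case is conventionally a 403, and presumably the decorator denies with a status of its own, so the two paths should agree, e.g. `return error_response(403, message="accès interdit")`. `api_get_glob_logo` in the next hunk returns the same 401, and the two `api_get_local_*` routes carry a similar check whose return lies outside the visible hunks.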
@@ -81,6 +85,7 @@ def api_get_local_logos(departement): @bp.route("/departements//logos/", methods=["GET"]) @token_auth.login_required +@permission_required(Permission.APIView) def api_get_local_logo(departement, logoname): # format = requested_format("jpg", ['png', 'jpg']) XXX ? dept_id = Departement.from_acronym(departement).id diff --git a/app/api/partitions.py b/app/api/partitions.py index 1a61beff..3847bac4 100644 --- a/app/api/partitions.py +++ b/app/api/partitions.py @@ -5,10 +5,13 @@ from app import models from app.api import bp from app.api.auth import token_auth from app.api.errors import error_response +from app.decorators import permission_required from app.scodoc.sco_groups import get_group_members, setGroups +from app.scodoc.sco_permissions import Permission @bp.route("/partitions/", methods=["GET"]) +@permission_required(Permission.APIView) def partition(formsemestre_id: int): """ Retourne la liste de toutes les partitions d'un formsemestre @@ -31,6 +34,7 @@ def partition(formsemestre_id: int): # ) @bp.route("/partitions/groups/", methods=["GET"]) @bp.route("/partitions/groups//etat/", methods=["GET"]) +@permission_required(Permission.APIView) def etud_in_group(group_id: int, etat=None): """ Retourne la liste des étudiants dans un groupe @@ -61,6 +65,7 @@ def etud_in_group(group_id: int, etat=None): "groups_to_create=&groups_to_delete=", methods=["POST"], ) @token_auth.login_required +@permission_required(Permission.APIEtudChangeGroups) def set_groups(partition_id: int, groups_lists: int, groups_to_delete: int, groups_to_create: int): """ Set les groups diff --git a/app/api/test_api.py b/app/api/test_api.py index db498cc6..4f3ff1bd 100644 --- a/app/api/test_api.py +++ b/app/api/test_api.py 
@@ -13,11 +13,19 @@ SCODOC_PASSWORD = "admin" SCODOC_URL = "http://192.168.1.12:5000" CHECK_CERTIFICATE = bool(int(os.environ.get("CHECK_CERTIFICATE", False))) -# r0 = requests.post( -# SCODOC_URL + "/ScoDoc/api/tokens", auth=(SCODOC_USER, SCODOC_PASSWORD) -# ) -# token = r0.json()["token"] -# HEADERS = {"Authorization": f"Bearer {token}"} +HEADERS = None + +def get_token(): + """ + Permet de set le token dans le header + """ + global HEADERS + r0 = requests.post( + SCODOC_URL + "/ScoDoc/api/tokens", auth=(SCODOC_USER, SCODOC_PASSWORD) + ) + token = r0.json()["token"] + HEADERS = {"Authorization": f"Bearer {token}"} + DEPT = None FORMSEMESTRE = None @@ -29,10 +37,16 @@ def get_departement(): """ Permet de tester departements() mais également de set un département dans DEPT pour la suite des tests """ + + get_token() + + global HEADERS + + print(HEADERS) # departements r = requests.get( SCODOC_URL + "/ScoDoc/api/departements", - auth=(SCODOC_USER, SCODOC_PASSWORD) + headers=HEADERS, verify=CHECK_CERTIFICATE ) if r.status_code == 200: diff --git a/app/scodoc/sco_permissions.py b/app/scodoc/sco_permissions.py index 78cbc1c5..4915f290 100644 --- a/app/scodoc/sco_permissions.py +++ b/app/scodoc/sco_permissions.py @@ -48,10 +48,10 @@ _SCO_PERMISSIONS = ( (1 << 25, "RelationsEntreprisesSend", "Envoyer des offres"), (1 << 26, "RelationsEntreprisesValidate", "Valide les entreprises"), # Api scodoc9 - (1 << 27, "APIView", ""), - (1 << 28, "APIEtudChangeGroups", ""), - (1 << 29, "APIEditAllNotes", ""), - (1 << 30, "APIAbsChange", ""), + (1 << 27, "APIView", "Voir"), + (1 << 28, "APIEtudChangeGroups", "Modifier les groupes"), + (1 << 29, "APIEditAllNotes", "Modifier toutes les notes"), + (1 << 30, "APIAbsChange", "Saisir des absences"), )
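Review bot: `get_token()` reads `r0.json()["token"]` without checking the response, so a rejected login surfaces as a KeyError or JSON decode error instead of an authentication failure; add `r0.raise_for_status()` before indexing the body. The POST also omits `verify=CHECK_CERTIFICATE`, unlike the GET in `get_departement` in the next hunk, so certificate handling differs between the two requests if SCODOC_URL is ever pointed at an https server; whichever policy is intended, both calls should use the same setting, and the password-carrying POST is the one where verification matters most. Consider returning the headers dict from `get_token()` instead of rebinding module state, which the caller then has to re-declare as `global`.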
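Review bot: `print(HEADERS)` in `get_departement` writes the `Authorization: Bearer ...` header, i.e. the live API token, to stdout, where it lands in test output and CI logs; remove the line, or print only `list(HEADERS)` if the debug output is wanted. The `global HEADERS` statement below `get_token()` is unnecessary since the function only reads the module variable, and it hides the fact that the token is fetched anew on every call of `get_departement`.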