ScoDocMM/app/api/users.py

##############################################################################
# ScoDoc
# Copyright (c) 1999 - 2022 Emmanuel Viennet.  All rights reserved.
# See LICENSE
##############################################################################

"""
  ScoDoc 9 API : accès aux utilisateurs
"""


from flask import g, jsonify, request
from flask_login import current_user, login_required

import app
from app import db, log
from app.api import api_bp as bp, api_web_bp
from app.api.errors import error_response
from app.auth.models import User, Role, UserRole
from app.decorators import scodoc, permission_required
from app.models import Departement
from app.scodoc.sco_exceptions import ScoValueError
from app.scodoc.sco_permissions import Permission


@bp.route("/user/<int:uid>")
@api_web_bp.route("/user/<int:uid>")
@login_required
@scodoc
@permission_required(Permission.ScoUsersView)
def user_info(uid: int):
    """
    Info sur un compte utilisateur scodoc
    """
    user: User = User.query.get(uid)
    if user is None:
        return error_response(404, "user not found")
    if g.scodoc_dept:
        allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersView)
        if user.dept not in allowed_depts:
            return error_response(404, "user not found")

    return jsonify(user.to_dict())


@bp.route("/users/query")
@api_web_bp.route("/users/query")
@login_required
@scodoc
@permission_required(Permission.ScoView)
def users_info_query():
    """Utilisateurs, filtrés par dept, active ou début nom
    /users/query?departement=dept_acronym&active=1&starts_with=<str:nom>

    Si accès via API web, seuls les utilisateurs "accessibles" (selon les
    permissions) sont retournés: le département de l'URL est ignoré, seules
    les permissions de l'utilisateur sont prises en compte.
    """
    query = User.query
    active = request.args.get("active")
    if active is not None:
        active = bool(str(active))
        query = query.filter_by(active=active)
    departement = request.args.get("departement")
    if departement is not None:
        query = query.filter_by(dept=departement or None)
    starts_with = request.args.get("starts_with")
    if starts_with is not None:
        # remove % and _ for security
        starts_with = starts_with.translate({ord(c): None for c in "%_"})
        query = query.filter(User.nom.ilike(starts_with + "%"))
    # Filtre selon permissions:
    query = (
        query.join(UserRole, (UserRole.dept == User.dept) | (UserRole.dept == None))
        .filter(UserRole.user == current_user)
        .join(Role, UserRole.role_id == Role.id)
        .filter(Role.permissions.op("&")(Permission.ScoUsersView) != 0)
    )

    query = query.order_by(User.user_name)
    return jsonify([u.to_dict() for u in query])
API: utilisateurs /user, /users/query + tests unitaires 2022-08-05 17:05:24 +02:00			`##############################################################################`
			`# ScoDoc`
			`# Copyright (c) 1999 - 2022 Emmanuel Viennet. All rights reserved.`
			`# See LICENSE`
			`##############################################################################`

			`"""`
			`ScoDoc 9 API : accès aux utilisateurs`
			`"""`


			`from flask import g, jsonify, request`
			`from flask_login import current_user, login_required`

			`import app`
			`from app import db, log`
			`from app.api import api_bp as bp, api_web_bp`
			`from app.api.errors import error_response`
			`from app.auth.models import User, Role, UserRole`
			`from app.decorators import scodoc, permission_required`
			`from app.models import Departement`
			`from app.scodoc.sco_exceptions import ScoValueError`
			`from app.scodoc.sco_permissions import Permission`


			`@bp.route("/user/<int:uid>")`
			`@api_web_bp.route("/user/<int:uid>")`
			`@login_required`
			`@scodoc`
			`@permission_required(Permission.ScoUsersView)`
			`def user_info(uid: int):`
			`"""`
			`Info sur un compte utilisateur scodoc`
			`"""`
			`user: User = User.query.get(uid)`
			`if user is None:`
			`return error_response(404, "user not found")`
			`if g.scodoc_dept:`
			`allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersView)`
			`if user.dept not in allowed_depts:`
			`return error_response(404, "user not found")`

			`return jsonify(user.to_dict())`


			`@bp.route("/users/query")`
			`@api_web_bp.route("/users/query")`
			`@login_required`
			`@scodoc`
			`@permission_required(Permission.ScoView)`
			`def users_info_query():`
			`"""Utilisateurs, filtrés par dept, active ou début nom`
			`/users/query?departement=dept_acronym&active=1&starts_with=<str:nom>`

			`Si accès via API web, seuls les utilisateurs "accessibles" (selon les`
			`permissions) sont retournés: le département de l'URL est ignoré, seules`
			`les permissions de l'utilisateur sont prises en compte.`
			`"""`
			`query = User.query`
			`active = request.args.get("active")`
			`if active is not None:`
			`active = bool(str(active))`
			`query = query.filter_by(active=active)`
			`departement = request.args.get("departement")`
			`if departement is not None:`
			`query = query.filter_by(dept=departement or None)`
			`starts_with = request.args.get("starts_with")`
			`if starts_with is not None:`
			`# remove % and _ for security`
			`starts_with = starts_with.translate({ord(c): None for c in "%_"})`
			`query = query.filter(User.nom.ilike(starts_with + "%"))`
			`# Filtre selon permissions:`
			`query = (`
			`query.join(UserRole, (UserRole.dept == User.dept) \| (UserRole.dept == None))`
			`.filter(UserRole.user == current_user)`
			`.join(Role, UserRole.role_id == Role.id)`
			`.filter(Role.permissions.op("&")(Permission.ScoUsersView) != 0)`
			`)`

			`query = query.order_by(User.user_name)`
			`return jsonify([u.to_dict() for u in query])`