From c6ec8bb6feac32f74f438e3a982dafdcf11b6e30 Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Tue, 31 May 2016 14:28:48 -0700 Subject: [PATCH 1/7] fix bugs in adding device permissions and add restrictions on input email" --- applications/server/controllers/default.py | 3 +-- applications/server/controllers/edit_permission.py | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/applications/server/controllers/default.py b/applications/server/controllers/default.py index a9a52ea5..1bcbfb2b 100644 --- a/applications/server/controllers/default.py +++ b/applications/server/controllers/default.py @@ -70,8 +70,6 @@ def add(): form = SQLFORM(db.device) form.custom.widget.name['requires'] = IS_NOT_EMPTY() if form.process().accepted: - device_id = form.vars.device_id - access.add_permission(user_email=auth.user.email, perm_type='a', device_id=device_id) session.flash = "Device added!" redirect(URL('default', 'new_device', args=[form.vars.id], user_signature=True)) return dict(form=form) @@ -83,6 +81,7 @@ def new_device(): device = db.device[request.args(0)] db.device.user_email.readable = False form = SQLFORM(db.device, record=device, readonly=True) + access.add_permission(user_email=auth.user.email, perm_type='a', device_id=device.device_id) if form.process().accepted: session.flash = T(form.vars.name + ' added!') redirect(URL('default', 'manage', vars=dict(device=device.id))) diff --git a/applications/server/controllers/edit_permission.py b/applications/server/controllers/edit_permission.py index e4d7a1f0..67b564b5 100644 --- a/applications/server/controllers/edit_permission.py +++ b/applications/server/controllers/edit_permission.py 
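Review bot: The `access.add_permission(user_email=auth.user.email, perm_type='a', device_id=device.device_id)` call moved into `new_device()` now runs on every request that renders the page, before `form.process()`, rather than once when the device record was accepted in `add()`, and nothing in the hunk verifies that the device resolved from `request.args(0)` belongs to the caller before granting them `'a'` on it. The `@auth.requires_signature()` decorator on `new_device()` (visible in a later hunk of this series) limits who can reach the URL, but the grant should still fail closed on its own: `if device is None or device.user_email != auth.user.email: raise HTTP(403)` ahead of the grant, with the grant itself placed under the `accepted` branch or otherwise guarded so it fires once. If `access.add_permission` is not idempotent (I cannot see its implementation here), each GET will also add a duplicate permission row. `new_device()` continues outside the hunk.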
@@ -15,7 +15,7 @@ def edit_view():
     user_emails = [u.perm_user_email for u in filter(lambda x: x.perm_type=='v', user_list)]
     # Let's get a nice form for editing this.
     form = SQLFORM.factory(
-        Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!')), default=user_emails)
+        Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails)
     )
     if form.process().accepted:
         new_users = set(form.vars.users) if type(form.vars.users) == type([]) else set([form.vars.users])

From ef53f42e8c0b4ba4ee79b6ced1aa4567d6bc3a38 Mon Sep 17 00:00:00 2001
From: jerrycjw
Date: Thu, 2 Jun 2016 12:37:25 -0700
Subject: [PATCH 2/7] add multiple permissions control form in one page

---
 applications/server/controllers/share.py   | 78 ++++++++++++++++++++++
 applications/server/views/share/index.html | 13 ++++
 2 files changed, 91 insertions(+)
 create mode 100644 applications/server/controllers/share.py
 create mode 100644 applications/server/views/share/index.html

diff --git a/applications/server/controllers/share.py b/applications/server/controllers/share.py
new file mode 100644
index 00000000..84c9a96e
--- /dev/null
+++ b/applications/server/controllers/share.py
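Review bot: `IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')` on the changed `Field('users', ...)` line does not combine the two validators: `and` returns its right operand when the left is truthy, and a validator instance is always truthy, so only `IS_IN_DB` is installed and the `IS_EMAIL` check this line appears to keep is silently dropped. Install both so each list element is checked by each, e.g. `requires=[IS_LIST_OF(IS_EMAIL(error_message='must be email!')), IS_LIST_OF(IS_IN_DB(db, db.auth_user.email, '%(email)s'))]`. The membership check alone still rejects unregistered addresses, so the visible effect is a less specific error message rather than an open hole, but the same pattern is copied into later commits of this series. `edit_view()` starts and ends outside the hunk.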
@@ -0,0 +1,78 @@ +import access + +@auth.requires_login() +def index(): + """"This allows us to edit permissions for a device. We imagine we deal only + with the view permission here.""" + device_id = request.vars['device_id'] + procedure_id = request.vars['procedure_id'] + # validate them: user has to be manager. + if not access.can_share_procedure(auth.user.email, device_id, procedure_id): + raise HTTP(403) + # Gets list of users who can view. + user_list = db((db.user_permission.device_id == device_id)&(db.user_permission.procedure_id == procedure_id)).select() + user_emails = [u.perm_user_email for u in filter(lambda x: x.perm_type=='v', user_list)] + # Let's get a nice form for editing this. + form = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails) + ) + if form.process(formname='form').accepted: + new_users = set(form.vars.users) if type(form.vars.users) == type([]) else set([form.vars.users]) + old_users = set(user_emails) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) + # Add permissions of users who can newly access. + for u in new_users - old_users: + if u != '': + access.add_permission(device_id,u,'v',procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + """"This allows us to edit permissions for a device. We imagine we deal only + with the view permission here.""" + device_id = request.vars['device_id'] + procedure_id = request.vars['procedure_id'] + # validate them: user has to be manager. + if not access.can_share_procedure(auth.user.email, device_id, procedure_id): + raise HTTP(403) + # Gets list of users who can view. 
+ user_emails_2 = [u.perm_user_email for u in filter(lambda x: x.perm_type=='e', user_list)] + # Let's get a nice form for editing this. + form2 = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails_2) + ) + if form2.process(formname='form2').accepted: + new_users = set(form2.vars.users) if type(form2.vars.users) == type([]) else set([form2.vars.users]) + old_users = set(user_emails_2) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) + # Add permissions of users who can newly access. + for u in new_users - old_users: + if u != '': + access.add_permission(device_id,u,'e',procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + + user_emails_3 = [u.perm_user_email for u in filter(lambda x: x.perm_type == 'a', user_list)] + # Let's get a nice form for editing this. + form3 = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF( + IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email, '%(email)s')), + default=user_emails_3) + ) + if form3.process(formname='form3').accepted: + new_users = set(form3.vars.users) if type(form3.vars.users) == type([]) else set([form3.vars.users]) + old_users = set(user_emails_3) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id, user_email=u, procedure_id=procedure_id) + # Add permissions of users who can newly access. 
+ for u in new_users - old_users: + if u != '': + access.add_permission(device_id, u, 'a', procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id': device_id, 'procedure_id': procedure_id})) + + + return dict(form=form,form2=form2,form3=form3) diff --git a/applications/server/views/share/index.html b/applications/server/views/share/index.html new file mode 100644 index 00000000..da7b6baa --- /dev/null +++ b/applications/server/views/share/index.html @@ -0,0 +1,13 @@ +{{extend 'layout.html'}} +
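Review bot: `form3` lets anyone who satisfies `access.can_share_procedure(auth.user.email, device_id, procedure_id)` grant and revoke type `'a'` permissions for any registered user, including removing their own or the last admin entry, and the hunk contains no check that the requester holds `'a'` themselves. If `can_share_procedure` is satisfied by a lower permission level (its implementation is not visible here), this is a privilege-escalation path from "may share" to "may make admins"; gate the admin form on the requester actually holding admin for this device/procedure (the `access` module is the natural place for that check), or document on `can_share_procedure` that it already implies it. The `and` between `IS_EMAIL(...)` and `IS_IN_DB(...)` in all three `Field('users', ...)` lines keeps only the right-hand validator, so the email-format check never runs. The duplicated docstring and the repeated `device_id`/`procedure_id` reads and authorization check in the middle of `index()` are copy-paste leftovers and can be removed without changing behavior.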
+

Manage view permission

+ {{=form}} +
+
+

Manage edit permission

+ {{=form2}} +
+
+

Manage admin permission

+ {{=form3}} +
From c3190314b5d6b2b57125ee4d2b34db958f7d6c6b Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Thu, 2 Jun 2016 13:23:07 -0700 Subject: [PATCH 3/7] resolve conflict --- applications/server/controllers/default.py | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/applications/server/controllers/default.py b/applications/server/controllers/default.py index 228df068..6a113de9 100644 --- a/applications/server/controllers/default.py +++ b/applications/server/controllers/default.py @@ -60,23 +60,6 @@ def login(): return dict() -@auth.requires_login() -def add(): - """ - Description: Controller for the add page, which lets you add a device into the DB - Returns: A form that lets you add things into db.devices (use by including {{=form}} in add.html) - """ - db.device.device_id.writable = False - db.device.device_id.readable = False # We don't want to display it here. - db.device.user_email.readable = False # We know who we are. - form = SQLFORM(db.device) - form.custom.widget.name['requires'] = IS_NOT_EMPTY() - if form.process().accepted: - session.flash = "Device added!" - redirect(URL('default', 'new_device', args=[form.vars.id], user_signature=True)) - return dict(form=form) - - @auth.requires_login() @auth.requires_signature() def new_device(): From c19809af374eceb04c60c1d547189870c1f4c5d4 Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Wed, 8 Jun 2016 12:55:16 -0700 Subject: [PATCH 4/7] integrate with Web UI --- applications/server/controllers/default.py | 77 ++++++++++++++++++-- applications/server/views/default/share.html | 74 +++---------------- applications/server/views/new_layout.html | 2 +- 3 files changed, 84 insertions(+), 69 deletions(-) diff --git a/applications/server/controllers/default.py b/applications/server/controllers/default.py index bd1b5ba8..33482f28 100644 --- a/applications/server/controllers/default.py +++ b/applications/server/controllers/default.py 
@@ -226,12 +226,79 @@ def call(): @auth.requires_login() def share(): - val1 = request.vars['device_id'] - if val1 is not None: - val = db(db.device.id == val1).select()[0].name - response.device_name = val + """"This allows us to edit permissions for a device. We imagine we deal only + with the view permission here.""" + id = request.vars['device_id'] + device_id = db((db.device.id == id)).select().first().device_id - return dict() + procedure_id = request.vars['procedure_id'] + # validate them: user has to be manager. + if not access.can_share_procedure(auth.user.email, device_id, procedure_id): + raise HTTP(403) + # Gets list of users who can view. + user_list = db((db.user_permission.device_id == device_id)&(db.user_permission.procedure_id == procedure_id)).select() + user_emails = [u.perm_user_email for u in filter(lambda x: x.perm_type=='v', user_list)] + # Let's get a nice form for editing this. + form = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails) + ) + if form.process(formname='form').accepted: + new_users = set(form.vars.users) if type(form.vars.users) == type([]) else set([form.vars.users]) + old_users = set(user_emails) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) + # Add permissions of users who can newly access. + for u in new_users - old_users: + if u != '': + access.add_permission(device_id,u,'v',procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + """"This allows us to edit permissions for a device. We imagine we deal only + with the view permission here.""" + device_id = request.vars['device_id'] + procedure_id = request.vars['procedure_id'] + # Gets list of users who can view. 
+ user_emails_2 = [u.perm_user_email for u in filter(lambda x: x.perm_type=='e', user_list)] + # Let's get a nice form for editing this. + form2 = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails_2) + ) + if form2.process(formname='form2').accepted: + new_users = set(form2.vars.users) if type(form2.vars.users) == type([]) else set([form2.vars.users]) + old_users = set(user_emails_2) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) + # Add permissions of users who can newly access. + for u in new_users - old_users: + if u != '': + access.add_permission(device_id,u,'e',procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + + user_emails_3 = [u.perm_user_email for u in filter(lambda x: x.perm_type == 'a', user_list)] + # Let's get a nice form for editing this. + form3 = SQLFORM.factory( + Field('users', 'list:string', requires=IS_LIST_OF( + IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email, '%(email)s')), + default=user_emails_3) + ) + if form3.process(formname='form3').accepted: + new_users = set(form3.vars.users) if type(form3.vars.users) == type([]) else set([form3.vars.users]) + old_users = set(user_emails_3) + # Delete old permissions of users who can no longer access. + for u in old_users - new_users: + if u != '': + access.delete_permission(device_id=device_id, user_email=u, procedure_id=procedure_id) + # Add permissions of users who can newly access. 
+ for u in new_users - old_users: + if u != '': + access.add_permission(device_id, u, 'a', procedure_id=procedure_id) + redirect(URL('share', 'index', vars={'device_id': device_id, 'procedure_id': procedure_id})) + + + return dict(form=form,form2=form2,form3=form3) """ diff --git a/applications/server/views/default/share.html b/applications/server/views/default/share.html index 76cf4beb..ae17f8ec 100644 --- a/applications/server/views/default/share.html +++ b/applications/server/views/default/share.html @@ -1,65 +1,13 @@ {{extend 'new_layout.html'}} - - - - - -
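Review bot: `db((db.device.id == id)).select().first().device_id` dereferences the result of `.first()` unconditionally, so a missing or unknown `device_id` query parameter raises `AttributeError` (a 500) before `access.can_share_procedure` is consulted; resolve the row first and fail closed: `row = db(db.device.id == id).select().first()` / `if row is None: raise HTTP(404)` / `device_id = row.device_id`. The local `id` also shadows the builtin; a name such as `device_row_id` reads better. Note that the second block of `share()` reassigns `device_id = request.vars['device_id']`, so `form2` and `form3` act on the raw row id while `user_list` was queried with `device.device_id` — the two halves of the function disagree on what `device_id` means, and the authorization check is not repeated for that reassigned value.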
- -

Enter the email address of the user to share

-
- User email: - -
-
- +
+

Manage view permission

+ {{=form}} +
+
+

Manage edit permission

+ {{=form2}} +
+
+

Manage admin permission

+ {{=form3}}
- - -
-
-

Select the device to share

- -
-
-{{=A(T('Share'), _class='btn btn-success', _href=URL('default', 'index'))}} - - - \ No newline at end of file diff --git a/applications/server/views/new_layout.html b/applications/server/views/new_layout.html index 2b7bbb91..dccc6cbd 100644 --- a/applications/server/views/new_layout.html +++ b/applications/server/views/new_layout.html @@ -137,7 +137,7 @@ {{pass}} - + From 5bde06ba7525ab1d8fe8e0fe32f99df2987aebb2 Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Wed, 8 Jun 2016 13:09:51 -0700 Subject: [PATCH 5/7] fix redirect bug --- applications/server/controllers/default.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/applications/server/controllers/default.py b/applications/server/controllers/default.py index 33482f28..3a39762e 100644 --- a/applications/server/controllers/default.py +++ b/applications/server/controllers/default.py @@ -229,7 +229,7 @@ def share(): """"This allows us to edit permissions for a device. We imagine we deal only with the view permission here.""" id = request.vars['device_id'] - device_id = db((db.device.id == id)).select().first().device_id + device_id = str(db((db.device.id == id)).select().first().device_id) procedure_id = request.vars['procedure_id'] # validate them: user has to be manager. @@ -253,11 +253,9 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id,u,'v',procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + redirect(URL('default', 'share', vars={'device_id' : id})) """"This allows us to edit permissions for a device. We imagine we deal only with the view permission here.""" - device_id = request.vars['device_id'] - procedure_id = request.vars['procedure_id'] # Gets list of users who can view. user_emails_2 = [u.perm_user_email for u in filter(lambda x: x.perm_type=='e', user_list)] # Let's get a nice form for editing this. 
@@ -275,7 +273,7 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id,u,'e',procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) + redirect(URL('default', 'share', vars={'device_id' : id})) user_emails_3 = [u.perm_user_email for u in filter(lambda x: x.perm_type == 'a', user_list)] # Let's get a nice form for editing this. @@ -295,7 +293,7 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id, u, 'a', procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id': device_id, 'procedure_id': procedure_id})) + redirect(URL('default', 'share', vars={'device_id': id})) return dict(form=form,form2=form2,form3=form3) From 489fdf53841d14e9d1fc436adfa9d00f0ef26556 Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Wed, 8 Jun 2016 14:39:45 -0700 Subject: [PATCH 6/7] now share button can choose procedure --- applications/server/controllers/default.py | 9 ++++----- applications/server/views/new_layout.html | 18 ++++++++++++++++-- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/applications/server/controllers/default.py b/applications/server/controllers/default.py index 3a39762e..a491daf1 100644 --- a/applications/server/controllers/default.py +++ b/applications/server/controllers/default.py @@ -226,8 +226,7 @@ def call(): @auth.requires_login() def share(): - """"This allows us to edit permissions for a device. We imagine we deal only - with the view permission here.""" + """"This allows us to edit permissions for a device""" id = request.vars['device_id'] device_id = str(db((db.device.id == id)).select().first().device_id) 
@@ -253,7 +252,7 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id,u,'v',procedure_id=procedure_id) - redirect(URL('default', 'share', vars={'device_id' : id})) + redirect(URL('default', 'share', vars={'device_id' : id, 'procedure_id': procedure_id})) """"This allows us to edit permissions for a device. We imagine we deal only with the view permission here.""" # Gets list of users who can view. @@ -273,7 +272,7 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id,u,'e',procedure_id=procedure_id) - redirect(URL('default', 'share', vars={'device_id' : id})) + redirect(URL('default', 'share', vars={'device_id' : id, 'procedure_id': procedure_id})) user_emails_3 = [u.perm_user_email for u in filter(lambda x: x.perm_type == 'a', user_list)] # Let's get a nice form for editing this. @@ -293,7 +292,7 @@ def share(): for u in new_users - old_users: if u != '': access.add_permission(device_id, u, 'a', procedure_id=procedure_id) - redirect(URL('default', 'share', vars={'device_id': id})) + redirect(URL('default', 'share', vars={'device_id': id,'procedure_id': procedure_id})) return dict(form=form,form2=form2,form3=form3) diff --git a/applications/server/views/new_layout.html b/applications/server/views/new_layout.html index dccc6cbd..7aba44a6 100644 --- a/applications/server/views/new_layout.html +++ b/applications/server/views/new_layout.html @@ -136,8 +136,22 @@ {{pass}} - - + + {{if request.vars['device_id'] is None: }} + + {{else:}} + + {{pass}} From 4b5c70e4fea77c33c9ad877d3bad72f808d1dde0 Mon Sep 17 00:00:00 2001 From: jerrycjw Date: Wed, 8 Jun 2016 14:44:21 -0700 Subject: [PATCH 7/7] remove redundant files --- applications/server/controllers/share.py | 78 ---------------------- applications/server/views/share/index.html | 13 ---- 2 files changed, 91 deletions(-) delete mode 100644 applications/server/controllers/share.py delete mode 100644 applications/server/views/share/index.html 
diff --git a/applications/server/controllers/share.py b/applications/server/controllers/share.py
deleted file mode 100644
index 84c9a96e..00000000
--- a/applications/server/controllers/share.py
+++ /dev/null
@@ -1,78 +0,0 @@ -import access - -@auth.requires_login() -def index(): - """"This allows us to edit permissions for a device. We imagine we deal only - with the view permission here.""" - device_id = request.vars['device_id'] - procedure_id = request.vars['procedure_id'] - # validate them: user has to be manager. - if not access.can_share_procedure(auth.user.email, device_id, procedure_id): - raise HTTP(403) - # Gets list of users who can view. - user_list = db((db.user_permission.device_id == device_id)&(db.user_permission.procedure_id == procedure_id)).select() - user_emails = [u.perm_user_email for u in filter(lambda x: x.perm_type=='v', user_list)] - # Let's get a nice form for editing this. - form = SQLFORM.factory( - Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails) - ) - if form.process(formname='form').accepted: - new_users = set(form.vars.users) if type(form.vars.users) == type([]) else set([form.vars.users]) - old_users = set(user_emails) - # Delete old permissions of users who can no longer access. - for u in old_users - new_users: - if u != '': - access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) - # Add permissions of users who can newly access. - for u in new_users - old_users: - if u != '': - access.add_permission(device_id,u,'v',procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) - """"This allows us to edit permissions for a device. We imagine we deal only - with the view permission here.""" - device_id = request.vars['device_id'] - procedure_id = request.vars['procedure_id'] - # validate them: user has to be manager. - if not access.can_share_procedure(auth.user.email, device_id, procedure_id): - raise HTTP(403) - # Gets list of users who can view. 
- user_emails_2 = [u.perm_user_email for u in filter(lambda x: x.perm_type=='e', user_list)] - # Let's get a nice form for editing this. - form2 = SQLFORM.factory( - Field('users', 'list:string', requires=IS_LIST_OF(IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email,'%(email)s')), default=user_emails_2) - ) - if form2.process(formname='form2').accepted: - new_users = set(form2.vars.users) if type(form2.vars.users) == type([]) else set([form2.vars.users]) - old_users = set(user_emails_2) - # Delete old permissions of users who can no longer access. - for u in old_users - new_users: - if u != '': - access.delete_permission(device_id=device_id,user_email=u,procedure_id=procedure_id) - # Add permissions of users who can newly access. - for u in new_users - old_users: - if u != '': - access.add_permission(device_id,u,'e',procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id' : device_id, 'procedure_id': procedure_id})) - - user_emails_3 = [u.perm_user_email for u in filter(lambda x: x.perm_type == 'a', user_list)] - # Let's get a nice form for editing this. - form3 = SQLFORM.factory( - Field('users', 'list:string', requires=IS_LIST_OF( - IS_EMAIL(error_message='must be email!') and IS_IN_DB(db, db.auth_user.email, '%(email)s')), - default=user_emails_3) - ) - if form3.process(formname='form3').accepted: - new_users = set(form3.vars.users) if type(form3.vars.users) == type([]) else set([form3.vars.users]) - old_users = set(user_emails_3) - # Delete old permissions of users who can no longer access. - for u in old_users - new_users: - if u != '': - access.delete_permission(device_id=device_id, user_email=u, procedure_id=procedure_id) - # Add permissions of users who can newly access. 
- for u in new_users - old_users: - if u != '': - access.add_permission(device_id, u, 'a', procedure_id=procedure_id) - redirect(URL('share', 'index', vars={'device_id': device_id, 'procedure_id': procedure_id})) - - - return dict(form=form,form2=form2,form3=form3) diff --git a/applications/server/views/share/index.html b/applications/server/views/share/index.html deleted file mode 100644 index da7b6baa..00000000 --- a/applications/server/views/share/index.html +++ /dev/null @@ -1,13 +0,0 @@ -{{extend 'layout.html'}} -
-

Manage view permission

- {{=form}} -
-
-

Manage edit permission

- {{=form2}} -
-
-

Manage admin permission

- {{=form3}} -