From 293fb060ed5ed1e46bc19fce71e1f5a26a808cd4 Mon Sep 17 00:00:00 2001
From: grimhilt
Date: Tue, 8 Aug 2023 14:18:18 +0200
Subject: [PATCH] create users
---
 src/api/__init__.py | 4 +--
 src/api/abl/AuthAbl.py | 21 ++++++++++---
 src/api/abl/UserAbl.py | 52 +++++++++++++++++++++++++++++++++
 src/api/controllers/playlist.py | 2 +-
 src/api/controllers/roles.py | 14 +++++++--
 src/api/controllers/user.py | 23 ++++++++-------
 6 files changed, 97 insertions(+), 19 deletions(-)
 create mode 100644 src/api/abl/UserAbl.py
diff --git a/src/api/__init__.py b/src/api/__init__.py
index 2e0ee36..7cf0453 100644
--- a/src/api/__init__.py
+++ b/src/api/__init__.py
@@ -28,11 +28,11 @@ def create_api():
 from .controllers.auth import auth
 from .controllers.roles import roles
- app.register_blueprint(user, url_prefix='/api/user')
+ app.register_blueprint(user, url_prefix='/api')
 app.register_blueprint(playlist, url_prefix='/api')
 app.register_blueprint(file, url_prefix='/api/file')
 app.register_blueprint(auth, url_prefix='/api/auth')
- app.register_blueprint(roles, url_prefix='/api/roles')
+ app.register_blueprint(roles, url_prefix='/api')
 from .models import User, Playlist, PlaylistFile, File
diff --git a/src/api/abl/AuthAbl.py b/src/api/abl/AuthAbl.py
index 83401f1..16f1491 100644
--- a/src/api/abl/AuthAbl.py
+++ b/src/api/abl/AuthAbl.py
@@ -13,8 +13,8 @@ class AuthAbl:
 is_first_user = db.session.query(User).count() == 0
- if not is_first_user and current_user is None:
- return jsonify(message="You cannot create an account without being authenticated"), 401
+ if not is_first_user:
+ return jsonify(message="You cannot create an account"), 401
 user = db.session.query(User).filter_by(login=login).first()
 if user:
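Review bot: The new guard refuses every registration once any user exists, yet still answers 401; 401 signals missing or bad credentials, whereas this is a blanket policy refusal, so `return jsonify(message="You cannot create an account"), 403` (or retiring the route altogether) describes the behaviour more accurately to clients. Since `current_user` is no longer read here, its import in AuthAbl.py may now be unused — not visible in this hunk, worth checking. The enclosing method starts outside the hunk.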
@@ -39,8 +39,21 @@ class AuthAbl:
 password = data['password']
 user = db.session.query(User).filter_by(login=login).first()
- if not user or not check_password_hash(user.password, password):
- return jsonify(message="Incorrect credentials"), 401
+ if not user:
+ nb_users = db.session.query(User).count()
+ if nb_users == 0:
+ user = User(login=login, password=generate_password_hash(password, method='sha256'))
+ db.session.add(user)
+ db.session.flush()
+ new_role = Role(name=login, permissions=0b111, user_id=user.as_dict()['id'])
+ db.session.add(new_role)
+ db.session.flush()
+ user.roles.append(new_role)
+ db.session.commit()
+ login_user(user)
+ return jsonify(user.as_dict())
+ else:
+ return jsonify(message="Incorrect credentials"), 401
 login_user(user)
 return jsonify(user.as_dict())
diff --git a/src/api/abl/UserAbl.py b/src/api/abl/UserAbl.py
new file mode 100644
index 0000000..5858890
--- /dev/null
+++ b/src/api/abl/UserAbl.py
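Review bot: The first-user bootstrap in the `if nb_users == 0` branch is a check-then-insert: the `count()` and the later `add`/`commit` are not atomic, so two concurrent first logins can each end up with an account carrying permissions 0b111 unless `User.login` has a unique constraint and the resulting `IntegrityError` is caught and turned into the 401 path; the register method earlier in this file has the same `is_first_user` pattern. `generate_password_hash(password, method='sha256')` (repeated in UserAbl.create) selects a plain salted SHA-256 digest instead of the library's default iterated KDF, and Werkzeug deprecated the non-pbkdf2/scrypt methods in 2.3 ahead of removal in 3.0, so `password=generate_password_hash(password)` is both stronger and forward compatible. Creating an administrator from the login handler also duplicates the user-plus-role creation sequence of UserAbl.create; a single `_bootstrap_first_user(login, password)` helper would keep the two paths from drifting. After the flush `user.as_dict()['id']` can presumably be written `user.id`.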
@@ -0,0 +1,52 @@
+from flask import Blueprint, request, jsonify
+from werkzeug.security import generate_password_hash, check_password_hash
+from flask_login import current_user
+from ..models import User, Role
+from .. import db
+
+class UserAbl:
+
+ @staticmethod
+ def create(data):
+ login = data['login']
+ password = data['password']
+ permissions = data['permissions']
+
+ # check if the user exists
+ user = db.session.query(User).filter_by(login=login).first()
+ if user:
+ return jsonify(user.as_dict()), 302
+
+ # check the user has the permissions he gives to the new user
+ user_perms = bin(current_user.as_dict()['roles'][0]['permissions'])
+ for (position, bit) in enumerate(bin(permissions)):
+ if bit == '1' and bit != user_perms[position]:
+ return jsonify(message="You don't have the permission to give permission(s) you don't have"), 403
+
+ # create the user
+ new_user = User( \
+ login=login, \
+ password=generate_password_hash(password, method='sha256') \
+ )
+
+ db.session.add(new_user)
+ db.session.flush()
+
+ # create the permissions for the user
+ new_role = Role( \
+ name=login, \
+ user_id=new_user.as_dict()['id'], \
+ permissions=permissions)
+ db.session.add(new_role)
+ new_user.roles.append(new_role)
+ db.session.flush()
+
+ db.session.commit()
+ return jsonify(new_user.as_dict())
+
+ @staticmethod
+ def list():
+ query = db.session.query(User).all()
+ return jsonify([user.as_dict() for user in query])
+
+
diff --git a/src/api/controllers/playlist.py b/src/api/controllers/playlist.py
index 551057e..ac26c24 100644
--- a/src/api/controllers/playlist.py
+++ b/src/api/controllers/playlist.py
@@ -43,7 +43,7 @@ def add_file(playlist_id):
 def change_order(playlist_id):
 return PlaylistAbl.change_order(playlist_id, request.get_json())
-@playlist.route('/playlits//seconds', methods=["POST"])
+@playlist.route('/playlists//seconds', methods=["POST"])
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def change_seconds(playlist_id):
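Review bot: The permission check in `create` compares the strings returned by `bin()` position by position, and those strings are not aligned: `bin(0b100)` is `'0b100'` while `bin(0b1)` is `'0b1'`, so a caller holding only bit 2 passes the check for bit 0, and a request whose string is longer than the caller's raises IndexError (a 500 instead of the 403). The intended test is bitwise: `user_perms = current_user.as_dict()['roles'][0]['permissions']` followed by `if not isinstance(permissions, int) or permissions & ~user_perms:` before the existing 403 return, where the `isinstance` also keeps a non-integer `permissions` from the JSON body out of the bit arithmetic. Only `roles[0]` is consulted, so a caller with several roles is judged by the first one alone — worth a comment if that is intended. Returning the existing user's `as_dict()` with 302 on a name clash discloses another account's record to the caller; a 409 with a short message is enough. `Blueprint`, `request` and `check_password_hash` are imported but unused in this file.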
diff --git a/src/api/controllers/roles.py b/src/api/controllers/roles.py
index 7caec36..71dc652 100644
--- a/src/api/controllers/roles.py
+++ b/src/api/controllers/roles.py
@@ -6,7 +6,7 @@ from .. import db
 roles = Blueprint('roles', __name__)
-@roles.route('/', methods=['POST'])
+@roles.route('/roles', methods=['POST'])
 @login_required
 def create():
 data = request.get_json()
@@ -25,7 +25,7 @@ def create():
 db.session.commit()
 return jsonify(new_role.as_dict())
-@roles.route('/', methods=['GET'])
+@roles.route('/roles/', methods=["GET"])
 @login_required
 def get(role_id):
 role = db.session.query(Role).filter_by(id=role_id).first()
@@ -33,3 +33,13 @@ def get(role_id):
 return jsonify(role.as_dict())
 return jsonify(), 404
+@roles.route('/roles', methods=["GET"])
+@login_required
+def list():
+ res = db.session.query(Role).all()
+ roles = []
+ for role in roles:
+ roles.append(role.as_dict())
+
+ return jsonify(roles)
+
diff --git a/src/api/controllers/user.py b/src/api/controllers/user.py
index 2efc2bf..9b99924 100644
--- a/src/api/controllers/user.py
+++ b/src/api/controllers/user.py
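Review bot: The `create` route on `/roles` is guarded by `@login_required` only, while the sibling `create` in controllers/user.py in this same commit adds `@permissions.require([Perm.CREATE_USER])`; as written, any authenticated account can POST a new role, and the body of `create` (outside this hunk) presumably takes the role's permission bits from the request. If so, the route needs a matching `@permissions.require([...])` decorator, plus the same hold-only-what-you-grant comparison that UserAbl.create attempts. The new `list` route in the last hunk of this file likewise exposes every role to any logged-in user with no permission check.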
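Review bot: `list` iterates `roles` — the empty list it just created — instead of `res`, so the endpoint always returns `[]`. The loop collapses to `return jsonify([role.as_dict() for role in res])`, which also removes the local `roles` that shadows the blueprint of the same name; the function name `list` shadows the builtin as well, and `list_roles` would read better.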
@@ -1,22 +1,25 @@
-from flask import Blueprint, request
+from flask import Blueprint, request, jsonify
 from ..models import User
 from werkzeug.security import generate_password_hash, check_password_hash
+from ..models import User
+from .. import db
+from flask_login import login_required, current_user
+from ..abl.UserAbl import UserAbl
+from ..permissions import Perm, permissions
 user = Blueprint('user', __name__)
-@user.route('create', methods=['PUT'])
+@user.route('/users', methods=['POST'])
+@login_required
+@permissions.require([Perm.CREATE_USER])
 def create():
- print(request.get_json())
- return "ok"
- generate_password_hash("i", method='sha256')
- db.session.add(new_user)
- db.session.commit()
- return "ok"
+ return UserAbl.create(request.get_json())
 @user.route('delete', methods=['DELETE'])
 def delete():
 return "ok"
-@user.route('list', methods=['GET'])
+@user.route('/users', methods=['GET'])
+@login_required
 def list():
- return "ok"
+ return UserAbl.list()
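Review bot: The import block now imports `User` twice (the context line and the added one), and with the logic moved into UserAbl, `User`, `generate_password_hash`, `check_password_hash`, `db`, `current_user` and the newly added `jsonify` are not referenced anywhere in this file (the hunk covers all 25 lines); trimming to `from flask import Blueprint, request`, `from flask_login import login_required`, `from ..abl.UserAbl import UserAbl` and `from ..permissions import Perm, permissions` keeps the controller honest about its dependencies. The unchanged `delete` stub now sits between two routes that require login but carries no decorator itself — a `# TODO: protect once implemented` comment would stop it being forgotten. `list` shadows the builtin; `list_users` would match the route better.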