create users

src/api/__init__.py

@@ -28,11 +28,11 @@ def create_api():
     from .controllers.auth import auth
     from .controllers.roles import roles
 
-    app.register_blueprint(user, url_prefix='/api/user')
+    app.register_blueprint(user, url_prefix='/api')
     app.register_blueprint(playlist, url_prefix='/api')
     app.register_blueprint(file, url_prefix='/api/file')
     app.register_blueprint(auth, url_prefix='/api/auth')
-    app.register_blueprint(roles, url_prefix='/api/roles')
+    app.register_blueprint(roles, url_prefix='/api')
 
     from .models import User, Playlist, PlaylistFile, File
     

src/api/abl/AuthAbl.py

@@ -13,8 +13,8 @@ class AuthAbl:
 
         is_first_user = db.session.query(User).count() == 0
 
-        if not is_first_user and current_user is None:
+        if not is_first_user:
-            return jsonify(message="You cannot create an account without being authenticated"), 401
+            return jsonify(message="You cannot create an account"), 401
 
         user = db.session.query(User).filter_by(login=login).first()
         if user:
@@ -39,7 +39,20 @@ class AuthAbl:
         password = data['password']
 
         user = db.session.query(User).filter_by(login=login).first()
-        if not user or not check_password_hash(user.password, password):
+        if not user:
+            nb_users = db.session.query(User).count()
+            if nb_users == 0:
+                user = User(login=login, password=generate_password_hash(password, method='sha256'))
+                db.session.add(user)
+                db.session.flush()
+                new_role = Role(name=login, permissions=0b111, user_id=user.as_dict()['id'])
+                db.session.add(new_role)
+                db.session.flush()
+                user.roles.append(new_role)
+                db.session.commit()
+                login_user(user)
+                return jsonify(user.as_dict())
+            else:
                 return jsonify(message="Incorrect credentials"), 401
 
         login_user(user)

src/api/abl/UserAbl.py

@@ -0,0 +1,52 @@
+from flask import Blueprint, request, jsonify
+from werkzeug.security import generate_password_hash, check_password_hash
+from flask_login import current_user
+from ..models import User, Role
+from .. import db
+
+class UserAbl:
+
+    @staticmethod
+    def create(data):
+        login = data['login']
+        password = data['password']
+        permissions = data['permissions']
+
+        # check if the user exists
+        user = db.session.query(User).filter_by(login=login).first()
+        if user:
+            return jsonify(user.as_dict()), 302
+
+        # check the user has the permissions he gives to the new user
+        user_perms = bin(current_user.as_dict()['roles'][0]['permissions'])
+        for (position, bit) in enumerate(bin(permissions)):
+            if bit == '1' and bit != user_perms[position]:
+                return jsonify(message="You don't have the permission to give permission(s) you don't have"), 403
+
+        # create the user
+        new_user = User( \
+                login=login, \
+                password=generate_password_hash(password, method='sha256') \
+                )
+
+        db.session.add(new_user)
+        db.session.flush()
+
+        # create the permissions for the user
+        new_role = Role( \
+                name=login, \
+                user_id=new_user.as_dict()['id'], \
+                permissions=permissions)
+        db.session.add(new_role)
+        new_user.roles.append(new_role)
+        db.session.flush()
+
+        db.session.commit()
+        return jsonify(new_user.as_dict())
+
+    @staticmethod
+    def list():
+        query = db.session.query(User).all()
+        return jsonify([user.as_dict() for user in query])
+
+

src/api/controllers/playlist.py

@@ -43,7 +43,7 @@ def add_file(playlist_id):
 def change_order(playlist_id):
     return PlaylistAbl.change_order(playlist_id, request.get_json())
 
-@playlist.route('/playlits/<int:playlist_id>/seconds', methods=["POST"])
+@playlist.route('/playlists/<int:playlist_id>/seconds', methods=["POST"])
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def change_seconds(playlist_id):

src/api/controllers/roles.py

@@ -6,7 +6,7 @@ from .. import db
 
 roles = Blueprint('roles', __name__)
 
-@roles.route('/', methods=['POST'])
+@roles.route('/roles', methods=['POST'])
 @login_required
 def create():
     data = request.get_json()
@@ -25,7 +25,7 @@ def create():
     db.session.commit()
     return jsonify(new_role.as_dict())
 
-@roles.route('/<int:role_id>', methods=['GET'])
+@roles.route('/roles/<int:role_id>', methods=["GET"])
 @login_required
 def get(role_id):
     role = db.session.query(Role).filter_by(id=role_id).first()
@@ -33,3 +33,13 @@ def get(role_id):
         return jsonify(role.as_dict())
     return jsonify(), 404
 
+@roles.route('/roles', methods=["GET"])
+@login_required
+def list():
+    res = db.session.query(Role).all()
+    roles = []
+    for role in roles:
+        roles.append(role.as_dict())
+        
+    return jsonify(roles)
+

src/api/controllers/user.py

@@ -1,22 +1,25 @@
-from flask import Blueprint, request
+from flask import Blueprint, request, jsonify
 from ..models import User
 from werkzeug.security import generate_password_hash, check_password_hash
+from ..models import User
+from .. import db
+from flask_login import login_required, current_user
+from ..abl.UserAbl import UserAbl
+from ..permissions import Perm, permissions
 
 user = Blueprint('user', __name__)
 
-@user.route('create', methods=['PUT'])
+@user.route('/users', methods=['POST'])
+@login_required
+@permissions.require([Perm.CREATE_USER])
 def create():
-    print(request.get_json()) 
+    return UserAbl.create(request.get_json())
-    return "ok"
-    generate_password_hash("i", method='sha256')
-    db.session.add(new_user)
-    db.session.commit()
-    return "ok"
 
 @user.route('delete', methods=['DELETE'])
 def delete():
     return "ok"
 
-@user.route('list', methods=['GET'])
+@user.route('/users', methods=['GET'])
+@login_required
 def list():
-    return "ok"
+    return UserAbl.list()