diff --git a/backend/application/api_functions.py b/backend/application/api_functions.py index e123ad3..d89da32 100644 --- a/backend/application/api_functions.py +++ b/backend/application/api_functions.py @@ -29,7 +29,7 @@ def hash_password(salt, password): def db_login(ip, email, password): user = Users.query.filter( Users.email == email - ).first() + ).scalar() # Check User and Hash Pass if user and user.hash_pass == hash_password(user.salt, password): @@ -61,7 +61,7 @@ def db_login(ip, email, password): def db_register(ip, email, nickname, password, is_admin=False): user = Users.query.filter( Users.email == email - ).first() + ).scalar() if user: message = f'{email} already exist.' db_create_log( @@ -121,7 +121,7 @@ def db_register(ip, email, nickname, password, is_admin=False): def db_user_update(ip, user_id, nickname, password): user = Users.query.filter( Users.id == user_id - ).first() + ).scalar() if user: has_succeeded = False status_code = 2 @@ -176,7 +176,20 @@ def db_user_update(ip, user_id, nickname, password): return {'status': 1, 'message': message} -def db_user_delete(ip, user_id): +def db_user_delete(ip, user_id, is_admin=False): + if is_admin and Users.query.filter(Users.is_admin == True).count() <= 1 or user_id == 0: + message = 'Can\'t delete last admin' + db_create_log( + ip=ip, + action='user_delete', + message=message, + has_succeeded=False, + status_code=2, + table='users', + id_user=user_id + ) + return {'status': 2, 'message': message} + test = Users.query.filter(Users.id == user_id).delete() if test == 1: db.session.commit() @@ -203,3 +216,225 @@ def db_user_delete(ip, user_id): id_user=user_id ) return {'status': 1, 'message': message} + + +def db_admin_update_user(ip, user_id, is_admin, password): + user = Users.query.filter( + Users.id == user_id + ).scalar() + if user: + has_succeeded = False + status_code = 2 + if is_admin is not None and password: + # Salt Hash Pass with SHA256 + salt = os.urandom(32) + hash_pass = hash_password(salt, password) + Users.query.filter(Users.id == user_id).update({'is_admin': is_admin, 'hash_pass': hash_pass, 'salt': salt}) + db.session.commit() + message = 'User is_admin and password updated.' + has_succeeded = True + status_code = 0 + elif is_admin is not None: + Users.query.filter(Users.id == user_id).update({'is_admin': is_admin}) + db.session.commit() + message = 'User is_admin updated.' + has_succeeded = True + status_code = 0 + elif password: + # Salt Hash Pass with SHA256 + salt = os.urandom(32) + hash_pass = hash_password(salt, password) + Users.query.filter(Users.id == user_id).update({'hash_pass': hash_pass, 'salt': salt}) + db.session.commit() + message = 'User password updated.' + has_succeeded = True + status_code = 0 + else: + message = 'Only is_admin and/or password can be changed.' + + db_create_log( + ip=ip, + action='user_update', + message=message, + has_succeeded=has_succeeded, + status_code=status_code, + table='users', + id_user=user_id + ) + return {'status': status_code, 'message': message, 'data': user.json()} + else: + message = 'User do not exist.' + db_create_log( + ip=ip, + action='user_update', + message=message, + has_succeeded=False, + status_code=1, + table='users', + id_user=user_id + ) + return {'status': 1, 'message': message} + + +def db_users(ip, user_id, query, by='email,nickname', id=None, is_admin=None, order_by='email'): + # q= or id = + # if q= then by= (default: email,nickname) or email or nickname + # is_admin = + # order_by = email, nickname, id, is_admin + + if query is not id: + if query: + if by == 'email': + if is_admin: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + else: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + elif by == 'nickname': + if is_admin: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + else: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + else: + if is_admin: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + else: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + message = f'query({query}), by({by}), is_admin({is_admin}) and order_by({order_by}): {len(users)} result(s)' + db_create_log( + ip=ip, + action='users', + message=message, + has_succeeded=True, + status_code=0, + table='users', + id_user=user_id + ) + return {'status': 0, 'message': message, 'data': users.json()} + elif id: + if is_admin: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + else: + if order_by == 'nickname': + users = Users.query.filter().all() + + elif order_by == 'id': + users = Users.query.filter().all() + + elif order_by == 'is_admin': + users = Users.query.filter().all() + + else: + users = Users.query.filter().all() + + message = f'id({id}), is_admin({is_admin}) and order_by({order_by}): {len(users)} result(s)' + db_create_log( + ip=ip, + action='users', + message=message, + has_succeeded=True, + status_code=0, + table='users', + id_user=user_id + ) + return {'status': 0, 'message': message, 'data': users.json()} + else: + message = 'Need q and by field if using query and not id' + db_create_log( + ip=ip, + action='users', + message=message, + has_succeeded=False, + status_code=1, + table='users', + id_user=user_id + ) + return {'status': 1, 'message': message} + else: + message = 'Query or id field' + db_create_log( + ip=ip, + action='users', + message=message, + has_succeeded=False, + status_code=1, + table='users', + id_user=user_id + ) + return {'status': 1, 'message': message} diff --git a/backend/application/routes.py b/backend/application/routes.py index 917cd97..19464d1 100644 --- a/backend/application/routes.py +++ b/backend/application/routes.py @@ -1,7 +1,7 @@ from flask import current_app as app from flask import request from .responses import send_message, send_error -from .api_functions import db_login, db_register, db_user_update, db_create_log, db_user_delete +from .api_functions import db_login, db_register, db_user_update, db_create_log, db_user_delete, db_admin_update_user, db_users from .sessionJWT import create_auth_token, check_auth_token @@ -24,9 +24,9 @@ def login(): token = create_auth_token(user) return send_error(404, res['message'], token) else: - return send_error(400, 'Error : Empty email and/or password fields.') + return send_error(400, 'Empty email and/or password fields.') else: - return send_error(400, 'Error : Need email, password fields.') + return send_error(400, 'Need email, password fields.') # Register @@ -47,9 +47,9 @@ def register(): elif res['status'] == 0: return send_message(res['message'], res['data']) else: - return send_error(400, 'Error : Empty email and/or password and/or nickname fields.') + return send_error(400, 'Empty email and/or password and/or nickname fields.') except KeyError as e: - return send_error(400, 'POST Request Error : Need '+str(e)+' field.') + return send_error(400, 'Need '+str(e)+'field.') # Logout @@ -85,12 +85,12 @@ def user_update(): if 'nickname' in post_json: post_nickname = str(post_json['nickname']) else: - fields += 'nickname' + fields += 'nickname ' if 'password' in post_json: post_password = str(post_json['password']) else: - fields += ', password' + fields += 'password ' if post_nickname is not None or post_password is not None: if post_nickname != '' and post_password != '': @@ -102,9 +102,9 @@ def user_update(): elif res['status'] == 0: return send_message(res['message'], res['data']) else: - return send_error(400, 'Error : Empty nickname and/or password fields.') + return send_error(400, 'Empty nickname and/or password fields.') else: - return send_error(400, 'POST Request Error : Need ' + fields + ' field.') + return send_error(400, 'Need ' + fields + 'field.') else: return send_error(500, token['message']) @@ -135,30 +135,206 @@ def user_delete(): # Admin : Create User -@app.route('/api/admin/create/user/', methods=['POST']) -def user_create(): - return send_message('Admin.create.user not implemented', None) +@app.route('/api/admin/create/user', methods=['POST']) +def admin_create_user(): + token = check_auth_token(request) + if token['success']: + ip = request.remote_addr + user_id = token['payload']['id'] + is_admin = token['payload']['is_admin'] + if is_admin: + post_json = request.json + post_email = None + post_nickname = None + post_password = None + post_is_admin = None + fields = '' + if 'email' in post_json: + post_email = str(post_json['email']) + else: + fields += 'email ' + + if 'nickname' in post_json: + post_nickname = str(post_json['nickname']) + else: + fields += 'nickname ' + + if 'password' in post_json: + post_password = str(post_json['password']) + else: + fields += 'password ' + + if 'is_admin' in post_json: + post_is_admin = bool(post_json['is_admin']) + else: + fields += 'is_admin ' + + if post_email is not None or post_nickname is not None or post_password is not None or post_is_admin is not None: + if post_email != '' and post_nickname != '' and post_password != '' and str(post_is_admin) != '': + res = db_register(ip, post_email, post_nickname, post_password, is_admin=post_is_admin) + if res['status'] == 1: + db_create_log( + ip=ip, + action='admin/create/user', + message=res['message'], + has_succeeded=False, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_error(500, res['message']) + elif res['status'] == 0: + db_create_log( + ip=ip, + action='admin/create/user', + message=res['message'], + has_succeeded=True, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_message(res['message'], res['data']) + else: + return send_error(400, 'Empty email and/or nickname and/or password and/or is_admin fields.') + else: + return send_error(400, 'Need ' + fields + 'field.') + else: + return send_error(500, 'User does not have permission.') + else: + return send_error(500, token['message']) -# Admin : Change User password -@app.route('/api/admin/update/user/password', methods=['PUT']) -def admin_update_user_pwd(): - return send_message('Admin.update.user.password not implemented', None) +# Admin : Change User password and/or role +@app.route('/api/admin/update/user', methods=['PUT']) +def admin_update_user(): + token = check_auth_token(request) + if token['success']: + user_id = token['payload']['id'] + is_admin = token['payload']['is_admin'] + if is_admin: + post_json = request.json + post_is_admin = None + post_password = None + post_user_id_delete = None + fields = '' + if 'id' in post_json: + post_user_id_delete = int(post_json['id']) + else: + fields += 'id ' + if 'is_admin' in post_json: + post_is_admin = bool(post_json['is_admin']) + else: + fields += 'is_admin ' -# Admin : Change User role -@app.route('/api/admin/update/user/role', methods=['PUT']) -def admin_update_user_role(): - return send_message('Admin.update.user.role not implemented', None) + if 'password' in post_json: + post_password = str(post_json['password']) + else: + fields += 'password ' + + if post_user_id_delete is not None and (post_is_admin is not None or post_password is not None): + if str(post_is_admin) != '' and post_password != '' and str(post_user_id_delete) != '': + ip = request.remote_addr + res = db_admin_update_user(ip, post_user_id_delete, post_is_admin, post_password) + if res['status'] == 1: + db_create_log( + ip=ip, + action='admin/update/user', + message=res['message'], + has_succeeded=False, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_error(500, res['message']) + elif res['status'] == 0: + db_create_log( + ip=ip, + action='admin/update/user', + message=res['message'], + has_succeeded=True, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_message(res['message'], res['data']) + else: + return send_error(400, 'Empty is_admin and/or password fields.') + else: + return send_error(400, 'Need ' + fields + 'field.') + else: + return send_error(500, 'User does not have permission.') + else: + return send_error(500, token['message']) # Admin : Delete User @app.route('/api/admin/delete/user', methods=['DELETE']) def admin_delete_user(): - return send_message('Admin.delete.user not implemented', None) + token = check_auth_token(request) + if token['success']: + ip = request.remote_addr + user_id = token['payload']['id'] + is_admin = token['payload']['is_admin'] + if is_admin: + post_json = request.json + post_user_id_delete = None + fields = '' + if 'id' in post_json: + post_user_id_delete = int(post_json['id']) + else: + fields += 'id' + if post_user_id_delete is not None: + if str(post_user_id_delete) != '': + res = db_user_delete(ip, post_user_id_delete) + if res['status'] == 1: + db_create_log( + ip=ip, + action='admin/delete/user', + message=res['message'], + has_succeeded=False, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_error(500, res['message']) + elif res['status'] == 0: + db_create_log( + ip=ip, + action='admin/delete/user', + message=res['message'], + has_succeeded=True, + status_code=res['status'], + table='users', + id_user=user_id + ) + return send_message(res['message'], None) + else: + return send_error(400, 'Empty id field.') + else: + return send_error(400, 'Need ' + fields + 'field.') + else: + return send_error(500, 'User does not have permission.') + else: + return send_error(500, token['message']) # List of User (must be authenticated) & Search @app.route('/api/users', methods=['GET']) def users(): - return send_message('Users not implemented', None) + token = check_auth_token(request) + if token['success']: + ip = request.remote_addr + user_id = token['payload']['id'] + get_query = request.args.get('q') + get_by = request.args.get('by') + get_id = request.args.get('id') + get_is_admin = request.args.get('is_admin') + get_order_by = request.args.get('get_order_by') + res = db_users(ip, user_id, get_query, get_by, get_id, get_is_admin, get_order_by) + if res['status'] == 1: + return send_error(500, res['message']) + else: + return send_message(res['message'], None) + else: + return send_error(500, token['message']) diff --git a/backend/init-db1.sql b/backend/init-db1.sql index 0f033e3..bbec183 100644 --- a/backend/init-db1.sql +++ b/backend/init-db1.sql @@ -4,8 +4,10 @@ CREATE TABLE IF NOT EXISTS users ( id serial PRIMARY KEY, email character varying(320) NOT NULL, - nickname character varying(50) NOT NULL + nickname character varying(50) NOT NULL, hash_pass bytea NOT NULL, salt bytea NOT NULL, is_admin boolean NOT NULL DEFAULT FALSE -) \ No newline at end of file +); + +INSERT INTO users VALUES(0,'admin@admin.admin','Admin',decode('e5ed79b503704ed20a1d250770db68182118de7fe0236db9bbfb0dd9684087d6', 'hex'),decode('7012f69f1ac7c23c5dca498c30fa94527b507cc9e40fab9bae284d1465a37724', 'hex'),TRUE); \ No newline at end of file diff --git a/backend/init-db2.sql b/backend/init-db2.sql index 874623e..02ebdc9 100644 --- a/backend/init-db2.sql +++ b/backend/init-db2.sql @@ -11,4 +11,4 @@ CREATE TABLE IF NOT EXISTS logs message character varying(512) NOT NULL, has_succeeded boolean NOT NULL, status_code smallint NOT NULL -) \ No newline at end of file +); \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..41372ca --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,64 @@ +version: '3.8' + +services: + flaskaled-srv1: + image: postgres:latest + container_name: flaskaled-srv1 + ports: + - "5433:5432" + volumes: + - ./backend/init-db1.sql:/docker-entrypoint-initdb.d/init-db1.sql + environment: + - POSTGRES_USER=flaskaled1 + - POSTGRES_PASSWORD=aled1 + - POSTGRES_DB=flaskaledDb1 + restart: unless-stopped + + flaskaled-srv2: + image: postgres:latest + container_name: flaskaled-srv2 + ports: + - "5434:5432" + volumes: + - ./backend/init-db2.sql:/docker-entrypoint-initdb.d/init-db2.sql + environment: + - POSTGRES_USER=flaskaled2 + - POSTGRES_PASSWORD=aled2 + - POSTGRES_DB=flaskaledDb2 + restart: unless-stopped +# +# backend: +# container_name: backend +# build: ./backend +# command: node server.js +# volumes: +# - ./backend:/data/backend +# ports: +# - "5000:5000" +# depends_on: +# - flaskaled-srv1 +# - flaskaled-srv2 +# links: +# - flaskaled-srv1 +# - flaskaled-srv2 +# environment: +# FLASK_ENV: development +# FLASK_DEBUG: 1 +# #DATABASE_URL_USERS: +# #DATABASE_URL_LOGS: +# #SECRET_KEY: +# #ALLOW_ORIGIN: +# +# frontend: +# container_name: frontend +# build: ./frontend +# command: ng serve --host 0.0.0.0 +# volumes: +# - ./frontend/src:/data/frontend/ +# - ./frontend/node_modules:/data/frontend/node_modules +# ports: +# - "4200:4200" +# depends_on: +# - backend +# links: +# - backend \ No newline at end of file