Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).
This commit is contained in:
Joseph Schorr
parent
da4bcbbee0
commit
28d319ad26
6 changed files with 51 additions and 12 deletions
|
|
@ -7,7 +7,7 @@ from endpoints.api import (ApiResource, nickname, resource, internal_only, show_
|
|||
require_fresh_login, request, validate_json_request, verify_not_prod)
|
||||
|
||||
from endpoints.common import common_login
|
||||
from app import app, CONFIG_PROVIDER
|
||||
from app import app, CONFIG_PROVIDER, superusers
|
||||
from data import model
|
||||
from auth.permissions import SuperUserPermission
|
||||
from auth.auth_context import get_authenticated_user
|
||||
|
|
@ -49,7 +49,7 @@ class SuperUserRegistryStatus(ApiResource):
|
|||
'file_exists': file_exists,
|
||||
'is_testing': app.config['TESTING'],
|
||||
'valid_db': database_is_valid(),
|
||||
'ready': not app.config['TESTING'] and file_exists and bool(app.config['SUPER_USERS'])
|
||||
'ready': not app.config['TESTING'] and file_exists and superusers.has_superusers()
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -215,7 +215,7 @@ class SuperUserCreateInitialSuperUser(ApiResource):
|
|||
CONFIG_PROVIDER.save_yaml(config_object)
|
||||
|
||||
# Update the in-memory config for the new superuser.
|
||||
app.config['SUPER_USERS'] = [username]
|
||||
superusers.register_superuser(username)
|
||||
|
||||
# Conduct login with that user.
|
||||
common_login(superuser)
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ import json
|
|||
import os
|
||||
|
||||
from random import SystemRandom
|
||||
from app import app, avatar
|
||||
from app import app, avatar, superusers
|
||||
from flask import request
|
||||
|
||||
from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
|
||||
|
|
@ -109,7 +109,7 @@ def user_view(user):
|
|||
'email': user.email,
|
||||
'verified': user.verified,
|
||||
'avatar': avatar.compute_hash(user.email, name=user.username),
|
||||
'super_user': user.username in app.config['SUPER_USERS']
|
||||
'super_user': superusers.is_superuser(user.username)
|
||||
}
|
||||
|
||||
@resource('/v1/superuser/usage/')
|
||||
|
|
@ -217,7 +217,7 @@ class SuperUserSendRecoveryEmail(ApiResource):
|
|||
if not user or user.organization or user.robot:
|
||||
abort(404)
|
||||
|
||||
if username in app.config['SUPER_USERS']:
|
||||
if superusers.is_superuser(username):
|
||||
abort(403)
|
||||
|
||||
code = model.create_reset_password_email_code(user.email)
|
||||
|
|
@ -277,7 +277,7 @@ class SuperUserManagement(ApiResource):
|
|||
if not user or user.organization or user.robot:
|
||||
abort(404)
|
||||
|
||||
if username in app.config['SUPER_USERS']:
|
||||
if superusers.is_superuser(username):
|
||||
abort(403)
|
||||
|
||||
model.delete_user(user)
|
||||
|
|
@ -296,7 +296,7 @@ class SuperUserManagement(ApiResource):
|
|||
if not user or user.organization or user.robot:
|
||||
abort(404)
|
||||
|
||||
if username in app.config['SUPER_USERS']:
|
||||
if superusers.is_superuser(username):
|
||||
abort(403)
|
||||
|
||||
user_data = request.get_json()
|
||||
|
|
|
|||
Reference in a new issue