Merge pull request #660 from coreos-inc/superuser

Superuser Panel Improvements
2015-10-30 14:32:16 -04:00 · 2015-10-30 14:32:16 -04:00 · 4ae940aede
commit 4ae940aede
parent 3f35265858 d464af4cce
3 changed files with 80 additions and 5 deletions
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@ -9,7 +9,7 @@ from flask import request

 import features

-from app import app, avatar, superusers, authentication
+from app import app, avatar, superusers, authentication, config_provider
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request,
                           internal_only, require_scope, show_if, parse_args,
                           query_param, abort, require_fresh_login, path_param, verify_not_prod)
@ -131,6 +131,7 @@ class SuperUserLogs(ApiResource):
 def org_view(org):
  return {
    'name': org.username,
+    'email': org.email,
    'avatar': avatar.get_data_for_org(org),
  }

@ -236,6 +237,10 @@ class SuperUserList(ApiResource):
  @require_scope(scopes.SUPERUSER)
  def post(self):
    """ Creates a new user. """
+    # Ensure that we are using database auth.
+    if app.config['AUTHENTICATION_TYPE'] != 'Database':
+      abort(400)
+
    user_information = request.get_json()
    if SuperUserPermission().can():
      username = user_information['username']
@ -274,6 +279,10 @@ class SuperUserSendRecoveryEmail(ApiResource):
  @nickname('sendInstallUserRecoveryEmail')
  @require_scope(scopes.SUPERUSER)
  def post(self, username):
+    # Ensure that we are using database auth.
+    if app.config['AUTHENTICATION_TYPE'] != 'Database':
+      abort(400)
+
    if SuperUserPermission().can():
      user = model.user.get_nonrobot_user(username)
      if not user:
@ -370,9 +379,17 @@ class SuperUserManagement(ApiResource):

      user_data = request.get_json()
      if 'password' in user_data:
+        # Ensure that we are using database auth.
+        if app.config['AUTHENTICATION_TYPE'] != 'Database':
+          abort(400)
+
        model.user.change_password(user, user_data['password'])

      if 'email' in user_data:
+        # Ensure that we are using database auth.
+        if app.config['AUTHENTICATION_TYPE'] != 'Database':
+          abort(400)
+
        model.user.update_email(user, user_data['email'], auto_verify=True)

      if 'enabled' in user_data:
@ -380,6 +397,18 @@ class SuperUserManagement(ApiResource):
        user.enabled = bool(user_data['enabled'])
        user.save()

+      if 'superuser' in user_data:
+        config_object = config_provider.get_config()
+        superusers_set = set(config_object['SUPER_USERS'])
+
+        if user_data['superuser']:
+          superusers_set.add(username)
+        elif username in superusers_set:
+          superusers_set.remove(username)
+
+        config_object['SUPER_USERS'] = list(superusers_set)
+        config_provider.save_config(config_object)
+
      return user_view(user, password=user_data.get('password'))

    abort(403)