Add API views for admin user to become / stop being "root"

2019-11-26 16:42:27 -06:00 · 2019-11-26 16:42:27 -06:00 · 6c029382d9
parent 31ae68f96e
commit 6c029382d9
1 changed files with 31 additions and 0 deletions
--- a/tailbone/api/auth.py
+++ b/tailbone/api/auth.py
@ -56,6 +56,7 @@ class AuthenticationView(APIView):
        data = {'ok': True}
        if self.request.user:
            data = self.user_info(self.request.user)
+            data['user']['is_admin'] = self.request.is_admin
            data['user']['is_root'] = self.request.is_root

        data['permissions'] = list(self.request.tailbone_cached_permissions)
@ -103,6 +104,28 @@ class AuthenticationView(APIView):
        logout_user(self.request)
        return {'ok': True}

+    @api
+    def become_root(self):
+        """
+        Elevate the current request to 'root' for full system access.
+        """
+        if not self.request.is_admin:
+            raise self.forbidden()
+        self.request.user.record_event(self.enum.USER_EVENT_BECOME_ROOT)
+        self.request.session['is_root'] = True
+        return self.user_info(self.request.user)
+
+    @api
+    def stop_root(self):
+        """
+        Lower the current request from 'root' back to normal access.
+        """
+        if not self.request.is_admin:
+            raise self.forbidden()
+        self.request.user.record_event(self.enum.USER_EVENT_STOP_ROOT)
+        self.request.session['is_root'] = False
+        return self.user_info(self.request.user)
+
    @classmethod
    def defaults(cls, config):

@ -118,6 +141,14 @@ class AuthenticationView(APIView):
        config.add_route('api.logout', '/logout', request_method=('OPTIONS', 'POST'))
        config.add_view(cls, attr='logout', route_name='api.logout', renderer='json')

+        # become root
+        config.add_route('api.become_root', '/become-root', request_method=('OPTIONS', 'POST'))
+        config.add_view(cls, attr='become_root', route_name='api.become_root', renderer='json')
+
+        # stop root
+        config.add_route('api.stop_root', '/stop-root', request_method=('OPTIONS', 'POST'))
+        config.add_view(cls, attr='stop_root', route_name='api.stop_root', renderer='json')
+

 def includeme(config):
    AuthenticationView.defaults(config)