diff --git a/app/classes/shared/controller.py b/app/classes/shared/controller.py
index 3e0c3b1b..74c69e5f 100644
--- a/app/classes/shared/controller.py
+++ b/app/classes/shared/controller.py
@@ -10,7 +10,7 @@ from distutils import dir_util
 from app.classes.shared.helpers import helper
 from app.classes.shared.console import console
-from app.classes.shared.models import db_helper, Servers
+from app.classes.shared.models import db_helper, Servers, User_Servers
 from app.classes.shared.server import Server
 from app.classes.minecraft.server_props import ServerProps
@@ -106,6 +106,13 @@ class Controller:
 def list_defined_servers():
 servers = db_helper.get_all_defined_servers()
 return servers
+
+ @staticmethod
+ def list_authorized_servers(userId):
+ #servers = db_helper.get_authorized_servers(userId)
+ servers = db_helper.get_authorized_servers_from_roles(userId)
+ logger.debug("servers list = {}".format(servers))
+ return servers
 def get_server_data(self, server_id):
 for s in self.servers_list:
@@ -329,6 +336,7 @@ class Controller:
 self.stop_server(server_id)
 # remove the server from the DB
+ User_Servers.delete().where(User_Servers.server_id == server_id).execute()
 Servers.delete().where(Servers.server_id == server_id).execute()
 # remove the server from servers list
@@ -336,5 +344,4 @@ class Controller:
 counter += 1
-
 controller = Controller()
diff --git a/app/classes/shared/models.py b/app/classes/shared/models.py
index 2ac6f602..05892fb9 100644
--- a/app/classes/shared/models.py
+++ b/app/classes/shared/models.py
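Review bot: The debug line in list_authorized_servers renders the whole server list eagerly with str.format, so the row formatting runs even when DEBUG logging is off; use lazy %-args instead, `logger.debug("servers list = %s", servers)`. The commented-out `#servers = db_helper.get_authorized_servers(userId)` line should go as well, since the role-based query is the one actually in use. I assume `logger` is a module-level name in controller.py; it is not visible in this diff.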
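Review bot: The server removal now clears User_Servers rows but leaves Role_Servers rows pointing at the deleted server, although the role-based lookups added in models.py (get_authorized_servers_from_roles, server_id_authorized_from_roles) read Role_Servers rather than User_Servers, and dereferencing `s.server_id.server_id` on such a stale row will fail once the Servers row is gone. Add `Role_Servers.delete().where(Role_Servers.server_id == server_id).execute()` next to the User_Servers delete and extend the models import at the top of the file to include Role_Servers. The enclosing method starts before this hunk.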
@@ -269,6 +269,36 @@ class db_shortcuts:
 def get_all_defined_servers():
 query = Servers.select()
 return db_helper.return_rows(query)
+
+ @staticmethod
+ def get_authorized_servers(userId):
+ userServers = User_Servers.select().where(User_Servers.user_id == userId)
+ server_data = []
+
+ for u in userServers:
+ server_data.append(db_helper.get_server_data_by_id(u.server_id))
+
+ return server_data
+
+ @staticmethod
+ def get_authorized_servers_from_roles(userId):
+ userRoles = User_Roles.select().where(User_Roles.user_id == userId)
+ roles_list = []
+ roleServer = []
+ server_data = []
+
+ for u in userRoles:
+ roles_list.append(db_helper.get_role(u.role_id))
+
+ for r in roles_list:
+ role_test = Role_Servers.select().where(Role_Servers.role_id == r.get('role_id'))
+ for t in role_test:
+ roleServer.append(t)
+
+ for s in roleServer:
+ server_data.append(db_helper.get_server_data_by_id(s.server_id))
+
+ return server_data
 @staticmethod
 def get_all_servers_stats():
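Review bot: get_authorized_servers_from_roles returns one entry per (role, server) pair, so a user whose roles both grant the same server gets that server listed twice, and it appends whatever get_server_data_by_id returns without looking at it — the server_id_exists context later in this file shows that call can return a falsy value, which then breaks callers that index the entry. A set of seen server ids plus a truthiness check on the lookup result fixes both, and the unused `roleServer` intermediate list and the separate query per role can go at the same time. The companion get_authorized_servers (User_Servers-based) is not called by the handlers in this diff, which only use the _from_roles variant. The rewrite below keeps the `s.server_id.server_id` access used elsewhere in this file for the foreign-key row; confirm that accessor against the Role_Servers model.
```python
@staticmethod
def get_authorized_servers_from_roles(userId):
    """Return the server rows granted to *userId* through its roles, each server once."""
    seen_ids = set()
    server_data = []
    for u in User_Roles.select().where(User_Roles.user_id == userId):
        role = db_helper.get_role(u.role_id)
        if not role:
            continue  # stale User_Roles row: the role no longer exists
        for t in Role_Servers.select().where(Role_Servers.role_id == role.get('role_id')):
            sid = t.server_id.server_id  # FK row -> its primary key
            if sid in seen_ids:
                continue
            seen_ids.add(sid)
            data = db_helper.get_server_data_by_id(sid)
            if data:  # lookup can return a falsy value for a removed server
                server_data.append(data)
    return server_data
```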
@@ -280,6 +310,45 @@ class db_shortcuts:
 server_data.append({'server_data': s, "stats": db_helper.return_rows(latest)})
 return server_data
+ @staticmethod
+ def get_authorized_servers_stats(userId):
+ userServers = User_Servers.select().where(User_Servers.user_id == userId)
+ authorizedServers = []
+ server_data = []
+
+ for u in userServers:
+ authorizedServers.append(db_helper.get_server_data_by_id(u.server_id))
+
+ for s in authorizedServers:
+ latest = Server_Stats.select().where(Server_Stats.server_id == s.get('server_id')).order_by(Server_Stats.created.desc()).limit(1)
+ server_data.append({'server_data': s, "stats": db_helper.return_rows(latest)})
+ return server_data
+
+
+ @staticmethod
+ def get_authorized_servers_stats_from_roles(userId):
+ userRoles = User_Roles.select().where(User_Roles.user_id == userId)
+ roles_list = []
+ roleServer = []
+ authorizedServers = []
+ server_data = []
+
+ for u in userRoles:
+ roles_list.append(db_helper.get_role(u.role_id))
+
+ for r in roles_list:
+ role_test = Role_Servers.select().where(Role_Servers.role_id == r.get('role_id'))
+ for t in role_test:
+ roleServer.append(t)
+
+ for s in roleServer:
+ authorizedServers.append(db_helper.get_server_data_by_id(s.server_id))
+
+ for s in authorizedServers:
+ latest = Server_Stats.select().where(Server_Stats.server_id == s.get('server_id')).order_by(Server_Stats.created.desc()).limit(1)
+ server_data.append({'server_data': s, "stats": db_helper.return_rows(latest)})
+ return server_data
+
 @staticmethod
 def get_server_stats_by_id(server_id):
 stats = Server_Stats.select().where(Server_Stats.server_id == server_id).order_by(Server_Stats.created.desc()).limit(1)
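Review bot: get_authorized_servers_stats_from_roles repeats the whole User_Roles → Role_Servers → server-row walk that get_authorized_servers_from_roles already implements in the hunk above, so any fix to one (deduplication, a deleted role or server) has to be made twice. Replace the three collection loops with `authorizedServers = db_helper.get_authorized_servers_from_roles(userId)` and keep only the Server_Stats loop; get_authorized_servers_stats can likewise be built on get_authorized_servers. As written, `s.get('server_id')` raises if the server lookup returned a falsy value for a stale Role_Servers row, so that filtering belongs in the shared helper rather than in each caller.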
@@ -290,6 +359,38 @@ class db_shortcuts:
 if not db_helper.get_server_data_by_id(server_id):
 return False
 return True
+
+ @staticmethod
+ def server_id_authorized(serverId, userId):
+ userServer = User_Servers.select().where(User_Servers.server_id == serverId)
+ authorized = userServer.select().where(User_Servers.user_id == userId)
+ #authorized = db_helper.return_rows(authorized)
+
+ if authorized.count() == 0:
+ return False
+ return True
+
+ @staticmethod
+ def server_id_authorized_from_roles(serverId, userId):
+ cpt_authorized = 0
+ roles_list = []
+ roleServer = []
+ authorized = []
+ userRoles = User_Roles.select().where(User_Roles.user_id == userId)
+
+ for u in userRoles:
+ roles_list.append(db_helper.get_role(u.role_id))
+
+ for r in roles_list:
+ role_test = Role_Servers.select().where(Role_Servers.role_id == r.get('role_id'))
+
+ for s in role_test:
+ if s.server_id.server_id == serverId:
+ cpt_authorized += 1
+
+ if cpt_authorized == 0:
+ return False
+ return True
 @staticmethod
 def get_latest_hosts_stats():
@@ -407,6 +508,7 @@ class db_shortcuts:
 @staticmethod
 def remove_user(user_id):
+ User_Servers.delete().where(User_Servers.user_id == user_id).execute()
 user = Users.get(Users.user_id == user_id)
 return user.delete_instance()
@@ -474,6 +576,7 @@ class db_shortcuts:
 @staticmethod
 def remove_role(role_id):
+ Role_Servers.delete().where(Role_Servers.role_id == role_id).execute()
 role = Roles.get(Roles.role_id == role_id)
 return role.delete_instance()
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index 0ec639d1..008f2a86 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
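Review bot: In server_id_authorized_from_roles the blank line before `for s in role_test:` suggests that loop sits outside `for r in roles_list:`, in which case only the last role's Role_Servers rows are ever compared and a user whose access comes through an earlier role is denied; indentation is lost in this copy of the diff, so please confirm against the file. Independently, the function counts matches and tests the counter afterwards while `roleServer` and `authorized` are never used; returning on the first match is shorter and does the same job. server_id_authorized above it chains `userServer.select().where(...)` onto an existing query — if that variant is kept, a single `User_Servers.select().where((User_Servers.server_id == serverId) & (User_Servers.user_id == userId)).exists()` says the same thing more directly.
```python
@staticmethod
def server_id_authorized_from_roles(serverId, userId):
    """True when any role assigned to *userId* grants *serverId*."""
    userRoles = User_Roles.select().where(User_Roles.user_id == userId)
    for u in userRoles:
        role = db_helper.get_role(u.role_id)
        if not role:
            continue  # stale User_Roles row: the role no longer exists
        role_test = Role_Servers.select().where(Role_Servers.role_id == role.get('role_id'))
        for s in role_test:  # nested on purpose: every role's grants are checked
            if s.server_id.server_id == serverId:
                return True
    return False
```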
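Review bot: remove_user now deletes the user's User_Servers rows, but the authorization path introduced in this change reads User_Roles (server_id_authorized_from_roles, get_authorized_servers_from_roles), and those rows are left behind; the same gap exists in the remove_role hunk below, which clears Role_Servers but not the User_Roles rows naming the role, so affected users' later lookups call get_role on an id that no longer exists. Add `User_Roles.delete().where(User_Roles.user_id == user_id).execute()` here and `User_Roles.delete().where(User_Roles.role_id == role_id).execute()` in remove_role, before the parent row is deleted. Whether the schema declares ON DELETE CASCADE for these link tables is not visible here; if it does, the explicit deletes are harmless.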
@@ -29,13 +29,25 @@ class PanelHandler(BaseHandler):
 now = time.time()
 formatted_time = str(datetime.datetime.fromtimestamp(now).strftime('%Y-%m-%d %H:%M:%S'))
- defined_servers = controller.list_defined_servers()
+ userId = user_data['user_id']
+ user = db_helper.get_user(userId)
+
+ user_role = []
+ if user['superuser'] == 1:
+ defined_servers = controller.list_defined_servers()
+ user_role = {"Super User"}
+ else:
+ defined_servers = controller.list_authorized_servers(userId)
+ for r in user['roles']:
+ role = db_helper.get_role(r)
+ user_role.append(role['role_name'])
 page_data = {
 # todo: make this actually pull and compare version data
 'update_available': False,
 'version_data': helper.get_version_string(),
 'user_data': user_data,
+ 'user_role' : user_role,
 'server_stats': {
 'total': len(defined_servers),
 'running': len(controller.list_running_servers()),
@@ -81,7 +93,11 @@ class PanelHandler(BaseHandler):
 return
 elif page == 'dashboard':
- page_data['servers'] = db_helper.get_all_servers_stats()
+ if user['superuser'] == 1:
+ page_data['servers'] = db_helper.get_all_servers_stats()
+ else:
+ #page_data['servers'] = db_helper.get_authorized_servers_stats(userId)
+ page_data['servers'] = db_helper.get_authorized_servers_stats_from_roles(userId)
 for s in page_data['servers']:
 try:
@@ -107,6 +123,12 @@ class PanelHandler(BaseHandler):
 self.redirect("/panel/error?error=Invalid Server ID")
 return False
+ if user['superuser'] != 1:
+ #if not db_helper.server_id_authorized(server_id, userId):
+ if not db_helper.server_id_authorized_from_roles(int(server_id), userId):
+ self.redirect("/panel/error?error=Invalid Server ID")
+ return False
+
 valid_subpages = ['term', 'logs', 'config', 'files', 'admin_controls']
 if subpage not in valid_subpages:
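Review bot: The two branches give `user_role` different types — a set `{"Super User"}` for superusers and a list of role names otherwise — and ServerHandler in this same change assigns the plain string "Super User", so the template receives three shapes for one field. Pick one (a list, `user_role = ["Super User"]`, fits the append branch) and use it in both handlers. The per-request `db_helper.get_user(userId)` is the right call here: the superuser decision is taken from the database row rather than from the cookie copy in user_data, so a revoked flag takes effect on the next request.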
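Review bot: The new gate calls `int(server_id)` inline; if a non-numeric id reaches this line the conversion raises ValueError and the request ends in a 500 instead of the "Invalid Server ID" redirect used two lines above. The check that precedes this hunk may already reject such input, which the hunk does not show; converting once at the top of the branch inside a `try`/`except ValueError` that redirects would make the handler fail closed either way. This check also covers only the 'server' page branch of PanelHandler.get — ServerHandler.get in this diff builds the same role data but shows no equivalent check — so any route that takes a server id from the request needs the same gate, ideally through one helper on BaseHandler rather than a repeated superuser/roles block.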
@@ -164,7 +186,7 @@ class PanelHandler(BaseHandler):
 page_data['user']['created'] = "N/A"
 page_data['user']['last_login'] = "N/A"
 page_data['user']['last_ip'] = "N/A"
- page_data['role']['last_update'] = "N/A"
+ page_data['user']['last_update'] = "N/A"
 page_data['user']['roles'] = set()
 page_data['user']['servers'] = set()
diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py
index 381c0827..16c2cd75 100644
--- a/app/classes/web/server_handler.py
+++ b/app/classes/web/server_handler.py
@@ -32,6 +32,19 @@ class ServerHandler(BaseHandler):
 def get(self, page):
 # name = tornado.escape.json_decode(self.current_user)
 user_data = json.loads(self.get_secure_cookie("user_data"))
+
+ userId = user_data['user_id']
+ user = db_helper.get_user(userId)
+
+ user_role = []
+ if user['superuser'] == 1:
+ defined_servers = controller.list_defined_servers()
+ user_role = "Super User"
+ else:
+ defined_servers = controller.list_authorized_servers(userId)
+ for r in user['roles']:
+ role = db_helper.get_role(r)
+ user_role.append(role['role_name'])
 template = "public/404.html"
@@ -40,6 +53,7 @@ class ServerHandler(BaseHandler):
 page_data = {
 'version_data': helper.get_version_string(),
 'user_data': user_data,
+ 'user_role' : user_role,
 'server_stats': {
 'total': len(controller.list_defined_servers()),
 'running': len(controller.list_running_servers()),
diff --git a/app/frontend/templates/notify.html b/app/frontend/templates/notify.html
index bf23c043..09e6c7da 100644
--- a/app/frontend/templates/notify.html
+++ b/app/frontend/templates/notify.html
@@ -23,7 +23,10 @@ Activity Sign Out
diff --git a/requirements.txt b/requirements.txt
index 96759daa..558c3658 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@ certifi==2020.6.20
 cffi==1.14.1
 chardet==3.0.4
 colorama==0.4.3
-cryptography==3.0
+cryptography==3.4
 idna==2.10
 packaging==20.4
 peewee==3.13.3
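Review bot: In ServerHandler.get the `defined_servers` assigned in both branches is never used inside the hunk, and the page_data hunk below still sets `'total': len(controller.list_defined_servers())`, so non-superusers are shown the count of every defined server rather than of the ones they are allowed to see; either use `len(defined_servers)` there or drop the two assignments. `user_role = "Super User"` is a string here while PanelHandler uses a set and the else branch builds a list; one shape, e.g. `["Super User"]`, should be used in both handlers. The block also duplicates the user/role lookup from PanelHandler verbatim, which belongs in a shared method on BaseHandler so the two cannot drift apart.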