authnzerver.actions.admin module

This contains functions to drive admin-related actions (listing users, editing users, changing user roles).

authnzerver.actions.admin.edit_user(payload, raiseonfail=False, override_permissions_json=None, override_authdb_path=None)

This edits users.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • user_id: int, user ID of an admin user or == target_userid
    • user_role: str, == ‘superuser’ or == target_userid user_role
    • session_token: str, session token of admin or target_userid token
    • target_userid: int, the user to edit
    • update_dict: dict, the update dict

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str

    Only these items can be edited:

    {'full_name', 'email',     <- by user and superuser
     'is_active','user_role', 'email_verified'}  <- by superuser only
    

    User IDs 2 and 3 are reserved for the system-wide anonymous and locked users respectively, and can’t be edited.

  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_permissions_json (str or None) –

    If given as a str, is the alternative path to the permissions JSON to load and use for this request. Normally, the path to the permissions JSON has already been specified as a process-local variable by the main authnzerver start up routines. If you want to use some other permissions model JSON (e.g. for testing), provide that here.

    Note that we load the permissions JSON from disk every time we need to take a decision. This might be a bit slower, but allows for much faster policy changes by just changing the permissions JSON file and not having to restart the authnzerver.

  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'user_info': dict, with new user info,
 'messages': list of str messages if any}

Return type:

dict
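
The editing rules documented for edit_user above (who may edit which keys, the reserved user IDs, the required payload keys) can be checked in a wrapping function before the call is made. This is an added example, not authnzerver's own code: precheck_edit_user, SAMPLE and the message strings are hypothetical, and it assumes user_id and user_role were filled in from the server-side session rather than from client input.

```python
# Added example: pre-flight check of an edit_user payload against the
# documented rules. Hypothetical helper; it never touches the auth DB.
USER_EDITABLE = {"full_name", "email"}
SUPERUSER_ONLY = {"is_active", "user_role", "email_verified"}
RESERVED_USERIDS = {2, 3}  # system-wide anonymous and locked users
REQUIRED_KEYS = {"user_id", "user_role", "session_token", "target_userid",
                 "update_dict", "reqid", "pii_salt"}

# Constructed sample payload: a non-superuser editing their own account.
SAMPLE = {"user_id": 5, "user_role": "authenticated",  # constructed role name
          "session_token": "constructed-token", "target_userid": 5,
          "update_dict": {"full_name": "New Name"},
          "reqid": 1, "pii_salt": "constructed-salt"}


def precheck_edit_user(payload):
    """Return (ok, messages) for a payload before it is sent to edit_user."""
    missing = sorted(REQUIRED_KEYS - set(payload))
    if missing:
        return False, ["missing payload keys: " + ", ".join(missing)]

    messages = []
    target = payload["target_userid"]
    update = payload["update_dict"]
    is_superuser = payload["user_role"] == "superuser"
    is_self = payload["user_id"] == target

    if target in RESERVED_USERIDS:
        messages.append("user IDs 2 and 3 are reserved and can't be edited")
    if not (is_superuser or is_self):
        messages.append("only a superuser or the target user may edit")
    if not isinstance(update, dict) or not update:
        messages.append("update_dict must be a non-empty dict")
        return False, messages

    # Keys outside both documented sets are never editable; superuser-only
    # keys are refused when the caller's role is anything else.
    unknown = sorted(set(update) - USER_EDITABLE - SUPERUSER_ONLY)
    denied = [] if is_superuser else sorted(set(update) & SUPERUSER_ONLY)
    if unknown:
        messages.append("not editable: " + ", ".join(unknown))
    if denied:
        messages.append("superuser-only: " + ", ".join(denied))
    return (not messages), messages
```

The check only rejects payloads early; the decision made by edit_user against the permissions JSON and the auth DB remains authoritative.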

authnzerver.actions.admin.internal_toggle_user_lock(payload, raiseonfail=False, override_authdb_path=None)

Locks/unlocks user accounts.

This version of the function should only be run internally (i.e. not called by a client). The use-case is automatically locking user accounts if there are too many incorrect password attempts. The lock can be permanent or temporary.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • target_userid: int, the user to lock/unlock
    • action: str {'unlock', 'lock'}

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'user_info': dict, with new user info,
 'messages': list of str messages if any}

Return type:

dict

authnzerver.actions.admin.list_users(payload, raiseonfail=False, override_authdb_path=None)

This lists users.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • user_id: int or None. If None, all users will be returned

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'user_info': list of dicts, one per user,
 'messages': list of str messages if any}

The dicts per user will contain the following items:

{'user_id','full_name', 'email',
 'is_active','created_on','user_role',
 'last_login_try','last_login_success'}

Return type:

dict

authnzerver.actions.admin.toggle_user_lock(payload, raiseonfail=False, override_authdb_path=None)

Locks/unlocks user accounts.

Can only be run by superusers and is suitable for use when called from a frontend.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • user_id: int, user ID of a superuser
    • user_role: str, == ‘superuser’
    • session_token: str, session token of superuser
    • target_userid: int, the user to lock/unlock
    • action: str {'unlock', 'lock'}

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'user_info': dict, with new user info,
 'messages': list of str messages if any}

Return type:

dict