timApp.auth package

Subpackages

• timApp.auth.access package
  • Submodules
  • timApp.auth.access.routes module
  • timApp.auth.access.util module
  • Module contents
• timApp.auth.oauth2 package
  • Submodules
  • timApp.auth.oauth2.models module
  • timApp.auth.oauth2.oauth2 module
  • timApp.auth.oauth2.routes module
  • Module contents
• timApp.auth.session package
  • Submodules
  • timApp.auth.session.model module
  • timApp.auth.session.routes module
  • timApp.auth.session.util module
  • Module contents

Submodules

timApp.auth.accesshelper module

exception timApp.auth.accesshelper.AccessDenied

Bases: Exception

exception timApp.auth.accesshelper.ItemLockedException(access: timApp.auth.auth_models.BlockAccess, msg: Optional[str] = None, next_doc: Optional[timApp.document.docinfo.DocInfo] = None)

Bases: Exception

The exception that is raised (in /view route) when a user attempts to access an item for which he has a duration access that has not yet begun or the access has expired.

class timApp.auth.accesshelper.TaskAccessVerification(plugin: timApp.plugin.plugin.Plugin, access: timApp.auth.auth_models.BlockAccess, is_expired: bool, is_invalid: bool = False, invalidate_reason: str | None = None)

Bases: object

access: timApp.auth.auth_models.BlockAccess

invalidate_reason: str | None = None

is_expired: bool

is_invalid: bool = False

plugin: timApp.plugin.plugin.Plugin

timApp.auth.accesshelper.abort_if_not_access_and_required(access_obj: timApp.auth.auth_models.BlockAccess, user: timApp.user.user.User, block: Union[timApp.item.item.ItemBase, timApp.item.block.Block], access_type: timApp.auth.accesstype.AccessType, require=True, message=None, check_duration=False)

timApp.auth.accesshelper.can_see_par_source(u: timApp.user.user.User, p: timApp.document.docparagraph.DocParagraph)

timApp.auth.accesshelper.check_admin_access(block_id=None, user=None) → timApp.auth.auth_models.BlockAccess | None

timApp.auth.accesshelper.check_inherited_right(u: timApp.user.user.User, b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], access_type: timApp.auth.accesstype.AccessType, grace_period: datetime.timedelta) → timApp.auth.auth_models.BlockAccess | None

timApp.auth.accesshelper.del_attr_if_exists(obj, attr_name: str)

timApp.auth.accesshelper.get_doc_or_abort(doc_id: int, msg: Optional[str] = None) → timApp.document.docinfo.DocInfo

timApp.auth.accesshelper.get_folder_or_abort(folder_id: int)

timApp.auth.accesshelper.get_inherited_right_blocks(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block]) → list[timApp.item.block.Block]

timApp.auth.accesshelper.get_ipblocklist_path() → pathlib.Path

timApp.auth.accesshelper.get_item_or_abort(item_id: int)

timApp.auth.accesshelper.get_origin_from_request() → timApp.document.viewcontext.OriginInfo | None

timApp.auth.accesshelper.get_plugin_from_request(doc: timApp.document.document.Document, task_id: timApp.plugin.taskid.TaskId, u: timApp.document.usercontext.UserContext, view_ctx: timApp.document.viewcontext.ViewContext, answernr: Optional[int] = None) → tuple[timApp.document.document.Document, timApp.plugin.plugin.Plugin]

timApp.auth.accesshelper.get_single_view_access(i: timApp.item.item.Item, allow_group: bool = False) → timApp.auth.auth_models.BlockAccess

timApp.auth.accesshelper.grant_access_to_session_users(i: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_comment_right(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_edit_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_manage_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_ownership(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_read_marking_right(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_seeanswers_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_teacher_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.has_view_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.is_allowed_ip() → bool

timApp.auth.accesshelper.is_blocked_ip() → bool

timApp.auth.accesshelper.maybe_auto_confirm(block: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.reset_request_access_cache()

timApp.auth.accesshelper.verify_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], access_type: timApp.auth.accesstype.AccessType, require: bool = True, message: Optional[str] = None, check_duration=False, check_parents=False, grace_period=datetime.timedelta(0), user: Optional[timApp.user.user.User] = None)

timApp.auth.accesshelper.verify_admin(require: bool = True, user: Optional[timApp.user.user.User] = None) → bool

timApp.auth.accesshelper.verify_admin_no_ret(require=True)

timApp.auth.accesshelper.verify_comment_right(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.verify_copy_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False)

timApp.auth.accesshelper.verify_edit_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False)

timApp.auth.accesshelper.verify_ip_ok(user: timApp.user.user.User | None, msg: str = 'IPNotAllowed')

timApp.auth.accesshelper.verify_logged_in() → None

timApp.auth.accesshelper.verify_manage_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False)

timApp.auth.accesshelper.verify_ownership(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False)

timApp.auth.accesshelper.verify_read_marking_right(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block])

timApp.auth.accesshelper.verify_seeanswers_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False, user=None)

timApp.auth.accesshelper.verify_task_access(d: timApp.document.docinfo.DocInfo, task_id: timApp.plugin.taskid.TaskId, access_type: timApp.auth.accesstype.AccessType, required_task_access_level: timApp.plugin.taskid.TaskIdAccess, context_user: timApp.document.usercontext.UserContext, view_ctx: timApp.document.viewcontext.ViewContext, allow_grace_period: bool = False, answernr: Optional[int] = None) → timApp.auth.accesshelper.TaskAccessVerification

timApp.auth.accesshelper.verify_teacher_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False, user=None)

timApp.auth.accesshelper.verify_view_access(b: Union[timApp.item.item.ItemBase, timApp.item.block.Block], require=True, message=None, check_duration=False, check_parents=False, user=None)

timApp.auth.accesstype module

class timApp.auth.accesstype.AccessType(value)

Bases: enum.Enum

An enumeration.

copy = 7

edit = 2

manage = 4

owner = 6

see_answers = 5

teacher = 3

view = 1

timApp.auth.auth_models module

class timApp.auth.auth_models.AccessTypeModel(**kwargs)

Bases: sqlalchemy.ext.declarative.api.Model

A kind of access that a UserGroup may have to a Block.

accesses

id

Access type identifier.

name

Access type name, such as ‘view’, ‘edit’, ‘manage’, etc.

to_enum()

class timApp.auth.auth_models.BlockAccess(**kwargs)

Bases: sqlalchemy.ext.declarative.api.Model

A single permission. Relates a UserGroup with a Block along with an AccessType.

property access_type

accessible_from

accessible_to

atype

block

property block_collection_key

block_id

do_confirm() → None

duration

property duration_expired

duration_from

property duration_future

property duration_now

duration_to

property expired

property future

property group_collection_key

property info_str

require_confirm

property seconds_left

property time_until_access_start: float | None

to_json()

type

property unlockable

usergroup

usergroup_id

timApp.auth.auth_models.do_confirm(a: BlockAccess | Right, curr_time: datetime)

timApp.auth.auth_models.get_duration_now(a: BlockAccess | Right, curr_time: datetime)

timApp.auth.get_user_rights_for_item module

class timApp.auth.get_user_rights_for_item.UserItemRights

Bases: TypedDict

browse_own_answers: bool

can_comment: bool

can_mark_as_read: bool

editable: bool

manage: bool

owner: bool

see_answers: bool

teacher: bool

timApp.auth.get_user_rights_for_item.get_user_rights_for_item(d: ItemBase, u: User, allow_duration: bool = False) → UserItemRights

timApp.auth.login module

Routes related to email signup and login.

timApp.auth.login.check_password_and_stripped(user: timApp.user.user.User, password: str) → bool

timApp.auth.login.check_temp_password(email: str, token: str) → flask.wrappers.Response

Checks that the temporary password provided by user is correct. Sends the real name of the user if the email already exists so that the name field can be prefilled.

timApp.auth.login.check_temp_pw(email_or_username: str, oldpass: str) → timApp.user.newuser.NewUser

timApp.auth.login.create_or_update_user(info: timApp.user.user.UserInfo, group_to_add: Optional[timApp.user.usergroup.UserGroup] = None, update_username: bool = True, update_email: bool = True) → timApp.user.user.User

timApp.auth.login.do_email_login(email_or_u: str, password: str) → dict

timApp.auth.login.do_email_signup_or_password_reset(email_or_u: str, url: Optional[str] = None, force_fail: bool = False, only_password_reset: bool = False) → flask.wrappers.Response

timApp.auth.login.email_login(email: str, password: str, add_user: bool = False) → flask.wrappers.Response

Logs a user in.

Parameters

• email – Email or username.

• password – Password.

• add_user – Whether the user is adding a user to the session.

Returns

See login_user_data().

timApp.auth.login.email_signup(email: str, url: str | None = None, reset_password: bool = False) → flask.wrappers.Response

Begins email signup process or resets a password for a user.

Parameters

• email – Email or username.

• url – A fake parameter that should not be provided by human users. This is a primitive method for catching bots.

• reset_password – Whether the user is resetting a password.

Returns

ok_response()

timApp.auth.login.email_signup_finish(email: str, passconfirm: str, password: str, realname: str | None, token: str) → flask.wrappers.Response

Finished the email signup or password reset process.

Parameters

• email – Email or username.

• passconfirm – New password.

• password – New password again.

• realname – Full name of the user. Will be disregarded if the user already has a name set.

• token – The temporary password provided by TIM.

Returns

{‘status’: ‘updated’ | ‘registered’}

timApp.auth.login.get_real_name(email: str) → str

timApp.auth.login.is_email_registration_enabled() → bool

timApp.auth.login.is_possibly_home_org_account(email_or_username: str) → bool

timApp.auth.login.is_simple_email_login_enabled() → bool

timApp.auth.login.log_in_as_anonymous(sess: flask.sessions.SecureCookieSession) → timApp.user.user.User

timApp.auth.login.login(anchor: str | None = None) → flask.wrappers.Response | str

timApp.auth.login.login_response() → flask.wrappers.Response

timApp.auth.login.login_user_data() → dict

timApp.auth.login.logout(user_id: int | None = None) → flask.wrappers.Response

timApp.auth.login.quick_login(username: str) → flask.wrappers.Response

Logs in as another user.

timApp.auth.login.save_came_from() → None

timApp.auth.login.set_single_user_to_session(user: timApp.user.user.User) → None

timApp.auth.login.set_user_to_session(user: timApp.user.user.User) → None

timApp.auth.login.simple_login(email: str) → flask.wrappers.Response

Begins simple email login process if simple email login is enabled.

Parameters

email – Email or username.

Returns

ok_response().

timApp.auth.login.simple_login_password(email: str, password: str) → flask.wrappers.Response

Continues simple email login process if simple email login is enabled.

Parameters

• email – Email or username.

• password – Password. If the user is signing up, this is the temporary password provided by TIM. Otherwise, it is the user’s self-made password.

timApp.auth.login.verify_simple_email_login_enabled() → None

timApp.auth.saml module

exception timApp.auth.saml.FingerPrintException

Bases: Exception

class timApp.auth.saml.IdentityAssuranceProofing(highest_refeds_level: timApp.auth.saml.RefedsIapLevel, local_enterprise: bool)

Bases: object

Represents user’s Identity Assurance Proofing (IAP) level. IAP describes how the user’s identity is assured (e.g. email, government ID, etc.)

Attributes:

highest_refeds_level: Highest IAP level according to REFEDS Assurance Framework local_enterprise: If True, user’s identity proofing is good enough to access Home Organisations’

administrative systems.

highest_refeds_level: timApp.auth.saml.RefedsIapLevel

local_enterprise: bool

class timApp.auth.saml.RefedsIapLevel(value)

Bases: enum.Enum

Valid Identity Assurance Proofing levels for REFEDS Assurance Framework ver 1.0 based on https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0

static as_list()

static from_string(s: str) → Optional[timApp.auth.saml.RefedsIapLevel]

high = 'https://refeds.org/assurance/IAP/high'

low = 'https://refeds.org/assurance/IAP/low'

medium = 'https://refeds.org/assurance/IAP/medium'

class timApp.auth.saml.SSOData(return_to: str, entityID: str, debug: bool = False, addUser: bool = False)

Bases: object

addUser: bool = False

debug: bool = False

entityID: str

return_to: str

exception timApp.auth.saml.SamlProcessingError

Bases: Exception

class timApp.auth.saml.TimRequestedAttributes(saml_auth: onelogin.saml2.auth.OneLogin_Saml2_Auth)

Bases: object

property cn

property derived_username

property display_name

property edu_person_assurance: list[str]

property edu_person_principal_name

property eppn_parts

friendly_name_map: dict

get_attribute_by_friendly_name(name: str) → str | None

get_attributes_by_friendly_name(name: str) → list[str] | None

property given_name

property identity_assurance_proofing: timApp.auth.saml.IdentityAssuranceProofing

Parses and returns the best Identity Assurance Proofing (IAP) level from eduPersonAssurance based on REFEDS Assurance Framework ver 1.0 spec.

Returns

Identity assurence proofing level

property mail

property org

property preferred_language

saml_auth: onelogin.saml2.auth.OneLogin_Saml2_Auth

property sn

to_json()

property unique_codes: list[str] | None

timApp.auth.saml.acs()

timApp.auth.saml.do_validate_metadata(idp_metadata_xml: str, fingerprint: str) → None

timApp.auth.saml.get_haka_metadata() → str

timApp.auth.saml.get_haka_metadata_from_url(url: str) → str

timApp.auth.saml.get_idps()

timApp.auth.saml.get_metadata()

timApp.auth.saml.init_saml_auth(req, entity_id: str, try_new_cert: bool) → onelogin.saml2.auth.OneLogin_Saml2_Auth

timApp.auth.saml.load_sp_settings(hostname=None, try_new_cert=False, sp_validation_only=False) → tuple[str, onelogin.saml2.settings.OneLogin_Saml2_Settings]

Loads OneLogin Saml2 settings for the given hostname.

Behaves like OneLogin_Saml2_Settings constructor with custom_base_path set, but allows to dynamically change Assertion Consumer Service URL. If the ACS URL has $hostname variable, it’s replaced with the given hostname argument.

Parameters

• hostname – Hostname for which to generate the ACS callback URL. If None, TIM_HOST is used.

• try_new_cert – If True, settings and certificate from /new folder is used.

• sp_validation_only – If True, the SP settings are only validated.

Returns

Tuple (str, OneLogin_Saml2_Settings) contains path to current Saml2 settings and generated SP settings object

timApp.auth.saml.prepare_and_init(entity_id: str, try_new_cert: bool) → onelogin.saml2.auth.OneLogin_Saml2_Auth

timApp.auth.saml.prepare_flask_request(r: flask.wrappers.Request)

timApp.auth.saml.sso(m: timApp.auth.saml.SSOData)

timApp.auth.saml.try_process_saml_response(entity_id: str, try_new_cert: bool)

timApp.auth.saml.validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False)

Same as OneLogin_Saml2_Utils.validate_node_sign but with the following changes:

• If the certificate fingerprint does not match, an exception is raised (to make debugging easier).

timApp.auth.sessioninfo module

timApp.auth.sessioninfo.clear_session() → None

timApp.auth.sessioninfo.get_current_session_id() → str | None

timApp.auth.sessioninfo.get_current_user() → dict

timApp.auth.sessioninfo.get_current_user_group() → int

timApp.auth.sessioninfo.get_current_user_group_object() → timApp.user.usergroup.UserGroup

timApp.auth.sessioninfo.get_current_user_id() → int

timApp.auth.sessioninfo.get_current_user_name() → str

timApp.auth.sessioninfo.get_current_user_object() → timApp.user.user.User

timApp.auth.sessioninfo.get_other_session_users_objs() → list[timApp.user.user.User]

timApp.auth.sessioninfo.get_other_users() → dict[str, dict[str, str]]

timApp.auth.sessioninfo.get_other_users_as_list() → list[dict[str, str]]

timApp.auth.sessioninfo.get_session_usergroup_ids() → list[int]

timApp.auth.sessioninfo.get_session_users() → list[dict]

timApp.auth.sessioninfo.get_session_users_ids() → list[int]

timApp.auth.sessioninfo.get_session_users_objs() → list[timApp.user.user.User]

timApp.auth.sessioninfo.get_users_objs(lis) → list[timApp.user.user.User]

timApp.auth.sessioninfo.logged_in() → bool

timApp.auth.sessioninfo.save_last_page() → None

timApp.auth.sessioninfo.user_context_with_logged_in(u: timApp.user.user.User | None) → timApp.document.usercontext.UserContext

Module contents