MultiQC · multimeric · Oct 22, 2020 · Oct 14, 2020 · Oct 14, 2020 · Oct 14, 2020
diff --git a/.github/workflows/python-ci.yaml b/.github/workflows/python-ci.yaml
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,9 @@
+.idea
+megaqc/static/js/admin*
+megaqc/static/js/trend*
+venv/
+*.db
+
 # Uploads
 uploads/*
 !uploads/README.md

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -0,0 +1,25 @@
+# Changelog
+
+## 0.3.0
+
+### Breaking Changes
+
+- [[#138]](https://github.com/ewels/MegaQC/issues/138) Added `USER_REGISTRATION_APPROVAL` as a config variable, which defaults to true. This means that the admin must explicitly activate new users in the user management page (`/users/admin/users`) before they can login. To disable this feature, you need to create a config file (for example `megaqc.conf.yaml`) with the contents:
+  ```yaml
+  STRICT_REGISTRATION: false
+  ```
+  Then, whenever you run MegaQC, you need to `export MEGAQC_CONFIG /path/to/megaqc.conf.yaml
+- Much stricter REST API permissions. You now need an API token for almost all requests. One exception is creating a new account, which you can do without a token, but it will be deactivated by default, unless it is the first account created
+
+### New Features
+
+- [[#140]](https://github.com/ewels/MegaQC/issues/140) Added a changelog. It's here! You're reading it!
+
+### Bug Fixes
+
+- [[#139]](https://github.com/ewels/MegaQC/issues/139) Fixed the user management page (`/users/admin/users`), which lost its JavaScript
+
+### Internal Changes
+
+- Tests for the REST API permissions
+- Enforce inactive users (by default) in the model layer
diff --git a/megaqc/api/views.py b/megaqc/api/views.py
@@ -186,6 +186,7 @@ def admin_add_users(user, *args, **kwargs):
     except:
         abort(400)
     new_user = User(**data)
+    new_user.enforce_admin()
     password = new_user.reset_password()
     new_user.active = True
     new_user.save()

diff --git a/megaqc/public/views.py b/megaqc/public/views.py
@@ -10,6 +10,7 @@
     Blueprint,
     Request,
     abort,
+    current_app,
     flash,
     json,
     redirect,
@@ -108,18 +109,23 @@ def register():
     """
     form = RegisterForm(request.form)
     if form.validate_on_submit():
-        user_cnt = db.session.query(User).count()
-        u = User.create(
+        u = User(
             username=form.username.data,
             email=form.email.data,
             password=form.password.data,
             first_name=form.first_name.data,
             last_name=form.last_name.data,
-            active=True,
-            is_admin=True if user_cnt == 0 else False,
         )
-        flash("Thanks for registering! You're now logged in.", "success")
-        login_user(u)
+        u.enforce_admin()
+        u.save()
+        if u.active:
+            flash("Thanks for registering! You're now logged in.", "success")
+            login_user(u)
+        else:
+            flash(
+                "Thanks for registering! You will now need to wait for your admin to approve this account.",
+                "success",
+            )
         return redirect(url_for("public.home"))
     else:
         flash_errors(form)

diff --git a/megaqc/rest_api/schemas.py b/megaqc/rest_api/schemas.py
@@ -363,7 +363,7 @@ class Meta:
     email = f.String()
     salt = f.String()
     password = f.String()
-    created_at = f.DateTime()
+    created_at = f.DateTime(dump_only=True)
     first_name = f.String()
     last_name = f.String()
     active = f.Boolean()

diff --git a/megaqc/rest_api/utils.py b/megaqc/rest_api/utils.py
@@ -3,7 +3,8 @@
 from functools import wraps
 from uuid import uuid4
 
-from flask import request
+from flapison.exceptions import JsonApiException
+from flask import abort, request
 from flask.globals import current_app
 
 from megaqc.user.models import User
@@ -26,39 +27,56 @@ def get_unique_filename():
 
 
 class Permission(IntEnum):
-    VIEWER = auto()
+    NONUSER = auto()
     USER = auto()
     ADMIN = auto()
 
 
-def check_perms(function):
+def api_perms(min_level: Permission = Permission.NONUSER):
     """
-    Adds a "user" and "permission" kwarg to the view function.
+    Adds a "user" and "permission" kwarg to the view function. Also verifies a
+    minimum permissions level.
 
-    :param function:
-    :return:
+    :param min_level: If provided, this is the minimum permission level required by this endpoint
     """
 
-    @wraps(function)
-    def user_wrap_function(*args, **kwargs):
-        if not request.headers.has_key("access_token"):
-            perms = Permission.VIEWER
-            user = None
-        else:
-            user = User.query.filter_by(
-                api_token=request.headers.get("access_token")
-            ).first()
-            if not user:
-                perms = Permission.VIEWER
-            elif user.is_anonymous:
-                perms = Permission.VIEWER
-            elif user.is_admin:
-                perms = Permission.ADMIN
+    def wrapper(function):
+        @wraps(function)
+        def user_wrap_function(*args, **kwargs):
+            extra = None
+            if not request.headers.has_key("access_token"):
+                perms = Permission.NONUSER
+                user = None
+                extra = "No access token provided. Please add a header with the name 'access_token'."
             else:
-                perms = Permission.USER
+                user = User.query.filter_by(
+                    api_token=request.headers.get("access_token")
+                ).first()
+                if not user:
+                    perms = Permission.NONUSER
+                    extra = "The provided access token was invalid."
+                elif user.is_anonymous:
+                    perms = Permission.NONUSER
+                elif user.is_admin:
+                    perms = Permission.ADMIN
+                elif not user.is_active():
+                    perms = Permission.NONUSER
+                    extra = "User is not active."
+                else:
+                    perms = Permission.USER
 
-        kwargs["user"] = user
-        kwargs["permission"] = perms
-        return function(*args, **kwargs)
+            if perms < min_level:
+                title = "Insufficient permissions to access this resource"
+                raise JsonApiException(
+                    title=title,
+                    detail=extra,
+                    status=403,
+                )
 
-    return user_wrap_function
+            kwargs["user"] = user
+            kwargs["permission"] = perms
+            return function(*args, **kwargs)
+
+        return user_wrap_function
+
+    return wrapper