Sending invitation and validating allowed roles

modules/api/auth.py

@@ -11,6 +11,7 @@ from    scripts             	import loggorilla, saltedkey, googly, tokenguard, s
 
 import  procedure.validation	as procedure_validation
 import  procedure.webmail	as procedure_webmail
+import  procedure.grant		as procedure_grant
 
 class auth:
 
@@ -237,10 +238,10 @@ class auth:
         return response
 
     def invite(self, params):
-        APIADDR			= "/api/auth/invite"
+        APIADDR		= "/api/auth/invite"
-        response		= {}
+        response	= {}
-        allowed_roles		= [1,2]
+        allowed_roles	= [1,2]
-        allowed_invitation 	= globalvar.allowed_invitation
+        allowed_grant 	= globalvar.allowed_grant
         self.cursor.execute("BEGIN;")
         try:
             loggorilla.prcss(APIADDR, "Define parameters")
@@ -256,6 +257,37 @@ class auth:
             loggorilla.prcss(APIADDR, "Account validation")
             user_validation 	= procedure_validation.validation().account(APIADDR, allowed_roles, token)
             user 		= user_validation['data']
+            loggorilla.prcss(APIADDR, "Validating")
+            if not procedure_grant.is_grant_allowed(user['profile']['roles'], roles, allowed_grant):
+                loggorilla.accss(APIADDR, f"{user['profile']['username']} do invitation with unallowed role(s)")
+                loggorilla.accss(APIADDR, f"Rejected roles: {procedure_grant.get_disallowed_roles(user['profile']['roles'], roles, allowed_grant)}")
+                loggorilla.prcss(APIADDR, "Giving response")
+                response["status"	] = "failed"
+                response["desc"		] = "Invitation roles is not allowed"
+            else:
+                loggorilla.prcss(APIADDR, "Set expired datetime")
+                expired 		= globalvar.invitation_link_expiration
+                expired_isoformat 	= expired.isoformat()
+                loggorilla.prcss(APIADDR, "Generate URL")
+                payload 		= {
+                    "expired"	: expired_isoformat,
+                    "roles" 	: roles,
+                    "email" 	: email,
+                    "username"	: username
+                }
+                token_encrypt	= tokenguard.encode(payload, globalvar.ssh['key']['private'], globalvar.ssh['passphrase'])
+                invitation_url	= globalvar.invitation_url(token_encrypt)
+                loggorilla.prcss(APIADDR, "Sending email")
+                webmail_data 	= {"accept": invitation_url}
+                result_webmail	= procedure_webmail.webmail().invitation(APIADDR, params, webmail_data)
+                self.smtpconfig['to'        ] = email
+                self.smtpconfig['subject'   ] = result_webmail['subject'	]
+                self.smtpconfig['text'      ] = result_webmail['text'	]
+                self.smtpconfig['html'      ] = result_webmail['html'	]
+                sendwave.smtp(self.smtpconfig)
+                loggorilla.prcss(APIADDR, "Giving response")
+                response["status"	] = "success"
+                response["desc"	] = "Sending invitation success."
         except Exception as e:
             self.cursor.execute("ROLLBACK;")
             loggorilla.error(APIADDR, str(e) )

procedure/grant.py

@@ -0,0 +1,15 @@
+def is_grant_allowed(my_roles, target_roles, allowed_grant):
+    allowed = {
+        role
+        for r in my_roles
+        for role in next((g['allowed'] for g in allowed_grant if g['roles'] == r), [])
+    }
+    return all(role in allowed for role in target_roles)
+
+def get_disallowed_roles(my_roles, target_roles, allowed_grant):
+    allowed = {
+        role
+        for r in my_roles
+        for role in next((g['allowed'] for g in allowed_grant if g['roles'] == r), [])
+    }
+    return [r for r in target_roles if r not in allowed]