technicalkiwi/python-editor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d682cce8dc564339519af12276e3d9cd99efabd
python-editor/src/editor_app/deps.py
jimmy 7d682cce8d Add admin invites and user workspace management tools. 
Implement invite-token registration with optional email delivery, add admin UI actions for creating invites and opening user workspaces, and support superuser workspace override while preserving per-user code isolation with shared read-only lib.

Made-with: Cursor
2026-05-01 21:13:13 +12:00

97 lines
3.3 KiB
Python
Raw Blame History

from __future__ import annotations
import os
import re
from pathlib import Path
from fastapi import Cookie, Depends, Header, HTTPException, Query
from sqlalchemy.orm import Session
from editor_app.db.session import get_db
from editor_app.db.models import User
from editor_app import config
from editor_app.services import accounts
def api_key_valid(authorization: str | None) -> bool:
expected = (os.environ.get("EDITOR_API_KEY") or "").strip()
if not expected:
return False
return (authorization or "").strip() == f"Bearer {expected}"
async def require_api_access(
db: Session = Depends(get_db),
authorization: str | None = Header(None),
editor_session: str | None = Cookie(None),
) -> None:
"""API key, or (when auth off) open access, or (when auth on) valid session — see README."""
if api_key_valid(authorization):
return
key_configured = bool((os.environ.get("EDITOR_API_KEY") or "").strip())
if key_configured:
if accounts.auth_enabled():
user = accounts.get_session_user(db, editor_session)
if user:
return
raise HTTPException(status_code=401, detail="Invalid or missing API key")
if not accounts.auth_enabled():
return
user = accounts.get_session_user(db, editor_session)
if user is None:
raise HTTPException(status_code=401, detail="Not authenticated")
async def get_current_user_optional(
db: Session = Depends(get_db),
authorization: str | None = Header(None),
editor_session: str | None = Cookie(None),
) -> User | None:
if api_key_valid(authorization):
return None
if not accounts.auth_enabled():
return None
return accounts.get_session_user(db, editor_session)
async def require_superuser(
user: User | None = Depends(get_current_user_optional),
) -> User:
if not accounts.auth_enabled():
raise HTTPException(status_code=400, detail="User management requires AUTH_ENABLED=true")
if user is None:
raise HTTPException(status_code=401, detail="Not authenticated")
if not user.is_superuser:
raise HTTPException(status_code=403, detail="Superuser required")
return user
def _safe_workspace_leaf(user: User) -> str:
base = re.sub(r"[^a-zA-Z0-9._-]+", "-", user.username).strip("-").lower() or "user"
return f"{base}-{user.id}"
def _seed_user_workspace(user_root: Path) -> None:
(user_root / "code").mkdir(parents=True, exist_ok=True)
async def get_workspace_root(
user: User | None = Depends(get_current_user_optional),
workspace_user_id: int | None = Query(default=None),
db: Session = Depends(get_db),
) -> Path:
root = config.WORKSPACE_ROOT.resolve()
if not accounts.auth_enabled() or user is None:
return root
target_user = user
if workspace_user_id is not None:
if not user.is_superuser:
raise HTTPException(status_code=403, detail="Superuser required for workspace override")
lookup = accounts.get_user_by_id(db, int(workspace_user_id))
if lookup is None:
raise HTTPException(status_code=404, detail="Workspace user not found")
target_user = lookup
user_root = root / "users" / _safe_workspace_leaf(target_user)
_seed_user_workspace(user_root)
return user_root
Reference in New Issue View Git Blame Copy Permalink