Merge pull request #105 from nebulabroadcast/v6_0_8-clean-up

Quality of life improvements for version 6.0.8

Author: martastain

backend/api/delete.py

@@ -64,8 +64,7 @@ async def handle(
                     )
 
             case ObjectType.ASSET | ObjectType.EVENT:
-                # TODO: ACL HERE?
-                # In general, normal users don't need to
+                # normal users don't need to
                 # delete assets or events directly
                 if not user.is_admin:
                     raise nebula.ForbiddenException(

backend/api/init/init_request.py

@@ -1,4 +1,4 @@
-from typing import Annotated, Any
+from typing import Annotated, Any, get_args
 
 import fastapi
 from pydantic import Field
@@ -111,10 +111,18 @@ async def handle(
                 experimental=nebula.config.enable_experimental or None,
             )
 
-        # TODO: get preferred user language
-        lang: LanguageCode = user.language
+        # User preferred language
+
+        lang: LanguageCode = "en"
+        accept_language = request.headers.get("Accept-Language", "en")
+        preferred_language = accept_language.split(",")[0].strip().lower()
+        if len(preferred_language) > 2:
+            preferred_language = preferred_language[:2]
+        if preferred_language in get_args(LanguageCode):
+            lang = user.meta.get("language") or preferred_language  # type: ignore
 
         # Construct client settings
+
         client_settings = await get_client_settings(lang)
         client_settings.server_url = f"{request.url.scheme}://{request.url.netloc}"
         plugins = get_frontend_plugins()

backend/api/playout/playout_request.py

@@ -23,7 +23,10 @@ def handle(
         if not channel:
             raise nebula.NotFoundException("Channel not found")
 
-        # TODO: Check if user has access to this channel
+        if not user.can("mcr", channel.id):
+            raise nebula.ForbiddenException(
+                "You are not allowed to control this channel"
+            )
 
         # For dummy engine, return empty response
         if channel.engine == "dummy":
@@ -35,13 +38,6 @@ def handle(
 
         controller_url = f"http://{channel.controller_host}:{channel.controller_port}"
 
-        # async with httpx.AsyncClient() as client:
-        #     response = await client.post(
-        #         f"{controller_url}/{request.action.value}",
-        #         json=request.payload,
-        #         timeout=4,
-        #     )
-
         # HTTPx stopped working for some reason, raising asyncio.CancelledError
         # when trying to send a request. Using requests for now.
 

backend/api/rundown/get_rundown.py

@@ -197,6 +197,7 @@ async def get_rundown(request: RundownRequestModel) -> RundownResponseModel:
             item_role=imeta.get("item_role"),
             title=item["title"],
             subtitle=item["subtitle"],
+            note=item["note"] or None,
             id_asset=id_asset,
             id_bin=id_bin,
             id_event=id_event,

backend/api/rundown/models.py

@@ -25,6 +25,7 @@ class RundownRow(ResponseModel):
 
     title: str | None = Field(None)
     subtitle: str | None = Field(None)
+    note: str | None = Field(None)
     id_asset: int | None = Field(None)
     id_folder: int | None = Field(None)
     asset_mtime: float | None = Field(None)

backend/api/services.py

@@ -63,21 +63,34 @@ async def handle(
         request: ServiceRequestModel,
         user: CurrentUser,
     ) -> ServicesResponseModel:
+        if not user.can("service_control", anyval=True):
+            msg = "You do not have permission to list or control services"
+            raise nebula.ForbiddenException(msg)
+
         if request.stop:
+            if not user.can("service_control", request.stop):
+                msg = f"You do not have permission to stop service {request.stop}"
+                raise nebula.ForbiddenException(msg)
             nebula.log.info(f"Stopping service {request.stop}", user=user.name)
             await nebula.db.execute(
                 "UPDATE services SET state = $1  WHERE id = $2",
                 ServiceState.STOPPING,
                 request.stop,
             )
         if request.start:
+            if not user.can("service_control", request.start):
+                msg = f"You do not have permission to start service {request.start}"
+                raise nebula.ForbiddenException(msg)
             nebula.log.info(f"Starting service {request.start}", user=user.name)
             await nebula.db.execute(
                 "UPDATE services SET state = $1  WHERE id = $2",
                 ServiceState.STARTING,
                 request.start,
             )
         if request.auto:
+            if not user.can("service_control", request.auto):
+                msg = f"You do not have permission to toggle service {request.start}"
+                raise nebula.ForbiddenException(msg)
             nebula.log.info(
                 f"Toggling autostart for service {request.auto}", user=user.name
             )

backend/api/set.py

@@ -145,6 +145,16 @@ async def can_modify_object(obj: BaseObject, user: nebula.User) -> None:
         acl = user.get("can/rundown_edit", False)
         if not acl:
             raise nebula.ForbiddenException("You are not allowed to edit rundown")
+        elif isinstance(acl, list):
+            q = "SELECT id_channel FROM events WHERE id_magic = $1"
+            res = await nebula.db.fetch(q, obj["id_bin"])
+            if not res:
+                raise nebula.NotFoundException("Bin not found")
+            if res[0]["id_channel"] not in acl:
+                raise nebula.ForbiddenException(
+                    "You are not allowed to edit rundown for this channel"
+                )
+
         # TODO: Check if user can edit rundown for this channel
 
     elif isinstance(obj, nebula.Bin):

backend/api/users/save_user_request.py

@@ -3,6 +3,7 @@
 import nebula
 from server.dependencies import CurrentUser
 from server.request import APIRequest
+from server.session import Session
 
 from .user_model import UserModel
 
@@ -14,10 +15,10 @@ class SaveUserRequest(APIRequest):
     title = "Save user data"
     responses = [204, 201]
 
-    async def handle(self, user: CurrentUser, payload: UserModel) -> Response:
+    async def handle(self, current_user: CurrentUser, payload: UserModel) -> Response:
         new_user = payload.id is None
 
-        if not user.is_admin:
+        if not current_user.is_admin:
             raise nebula.ForbiddenException("You are not allowed to edit users")
 
         meta = payload.dict()
@@ -46,6 +47,9 @@ async def handle(self, user: CurrentUser, payload: UserModel) -> Response:
 
         await user.save()
 
+        async for session in Session.list(user_name=user.name):
+            await Session.update(session.token, user)
+
         if new_user:
             return Response(status_code=201)
         else:

backend/api/users/user_model.py

@@ -44,13 +44,18 @@ class UserModel(ResponseModel):
         title="Can edit rundown",
         description="List of channel IDs user can edit. Use 'true' for all channels",
     )
+    can_mcr: bool | list[int] = Field(
+        False,
+        title="Can control playout",
+        description="List of channel IDs user can control",
+    )
     can_job_control: bool | list[int] = Field(
         False,
         title="Can control jobs",
         description="Use list of action IDs to grant access to specific actions",
     )
-    can_mcr: bool | list[int] = Field(
+    can_service_control: bool | list[int] = Field(
         False,
-        title="Can control playout",
-        description="List of channel IDs user can control",
+        title="Can control services",
+        description="List of service IDs user can control",
     )

backend/nebula/settings/common.py

@@ -7,4 +7,4 @@ class SettingsModel(BaseModel):
     pass
 
 
-LanguageCode = Literal["en", "cs", "fi"]
+LanguageCode = Literal["en", "cs"]