# HG changeset patch
# User durandn
# Date 1460384885 -7200
# Node ID 8fd40139827c80685407d6e460937928d5027a54
# Parent d55e89c25d512c196158a3de989964bc6a58c8ef
permission implementation has to be client-side and not in the generic api package + deleted duplicate migration
diff -r d55e89c25d51 -r 8fd40139827c .settings/org.eclipse.core.resources.prefs
--- a/.settings/org.eclipse.core.resources.prefs Thu Apr 21 16:18:08 2016 +0200
+++ b/.settings/org.eclipse.core.resources.prefs Mon Apr 11 16:28:05 2016 +0200
@@ -7,6 +7,7 @@
 encoding//server/python/django/renkanmanager/views.py=utf-8
 encoding//server/python/django2/renkanmanager/__init__.py=utf-8
 encoding//server/python/django2/renkanmanager/api/views.py=utf-8
+encoding//server/python/django2/renkanmanager/migrations/0001_initial.py=utf-8
 encoding//server/python/django2/renkanmanager/migrations/0002_alter_models_and_populate_revisions.py=utf-8
 encoding//server/python/django2/renkanmanager/migrations/0003_auto_20160105_0954.py=utf-8
 encoding//server/python/django2/renkanmanager/utils.py=utf-8
diff -r d55e89c25d51 -r 8fd40139827c server/python/django2/renkanmanager/api/views.py
--- a/server/python/django2/renkanmanager/api/views.py Thu Apr 21 16:18:08 2016 +0200
+++ b/server/python/django2/renkanmanager/api/views.py Mon Apr 11 16:28:05 2016 +0200
@@ -13,39 +13,33 @@ from django.http import Http404 from django.http.response import HttpResponse, HttpResponseBadRequest from django.shortcuts import get_object_or_404, redirect -from django.views.decorators.csrf import csrf_exempt from django.views.generic import View +from django.conf import settings from renkanmanager.models import Renkan, Revision, Workspace -from renkanmanager.permissions import CanEditRenkan, CanDeleteRenkan, CanCreateRenkan, \ - CanEditWorkspace, CanDeleteWorkspace, CanCreateWorkspace, \ - CanDeleteRevision from renkanmanager.serializers import RenkanSerializer, RevisionSerializer, WorkspaceSerializer from rest_framework import permissions, status from rest_framework.response import Response from rest_framework.views import APIView - logger = logging.getLogger(__name__) - + class RenkanList(APIView): """ View for listing renkans or posting new renkan """ - permission_classes = ( - permissions.IsAuthenticatedOrReadOnly, - CanCreateRenkan, - ) - + + queryset = Renkan.objects + def get(self, request, workspace_guid='', format=None): if workspace_guid == '': - renkans = Renkan.objects.all() + renkans = self.queryset.all() else: - renkans = Renkan.objects.filter(workspace_guid=workspace_guid) + renkans = self.queryset.filter(workspace_guid=workspace_guid) serializer = RenkanSerializer(renkans, many=True) - return Response(serializer.data, status=status.HTTP_200_OK, content_type='application/json') - + return Response(serializer.data, status=status.HTTP_200_OK, content_type='application/json') + def post(self, request, workspace_guid='', format=None): - create_data = request.data + create_data = {key:request.data[key] for key in request.data.keys()} source_renkan_guid = request.GET.get("source_renkan_id", request.data.get("source_renkan_id", None)) source_revision_guid = request.GET.get("source_revision_id", request.data.get("source_revision_id", None)) if source_renkan_guid is not None: 
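Review bot: Removing `permission_classes` from RenkanList (and likewise from RenkanDetail, WorkspaceList, WorkspaceDetail, RevisionList and RevisionDetail in the later hunks) puts these views on DRF's `DEFAULT_PERMISSION_CLASSES`, whose framework default is AllowAny unless the project's REST_FRAMEWORK settings, which are not on this page, override it; the commit message moves permission handling to the client, but a client cannot enforce anything the API itself does not enforce, so `post` now accepts unauthenticated writes and hands `request.user` (presumably an AnonymousUser for such requests) to `serializer.save(creator=request.user)` in the next hunk. At minimum keep `permission_classes = (permissions.IsAuthenticatedOrReadOnly,)` on the views that create, update or delete, which also keeps the retained `permissions` import in use. The added `from django.conf import settings` is not referenced in any hunk shown; if nothing outside them uses it, drop it. `create_data = {key:request.data[key] for key in request.data.keys()}` reads more directly as `create_data = dict(request.data.items())`, which yields the same last-value-per-key mapping for a QueryDict.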
@@ -68,38 +62,37 @@ except Workspace.DoesNotExist: return Response({'detail': 'Workspace '+workspace_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND) create_data["workspace_id"] = workspace_guid - + serializer = RenkanSerializer(data=create_data) if serializer.is_valid(): - serializer.save(creator=request.user) + serializer.save(creator=request.user) return Response(serializer.data, status=status.HTTP_201_CREATED, content_type='application/json') return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - + class RenkanDetail(APIView): """ View for retrieving, updating or deleting a single renkan """ lookup_field = "renkan_guid" - permission_classes = ( - permissions.IsAuthenticatedOrReadOnly, - CanEditRenkan, - CanDeleteRenkan, - ) - - @csrf_exempt + queryset = Renkan.objects + + def get_object(self, renkan_guid): + return self.queryset.get(renkan_guid=renkan_guid) + def dispatch(self, *args, **kwargs): + logger.debug("TEST 1 21 12 TEST") return super(RenkanDetail, self).dispatch(*args, **kwargs) - - def get_object(self, renkan_guid): - return Renkan.objects.get(renkan_guid=renkan_guid) - + def get(self, request, renkan_guid, format=None): try: renkan = self.get_object(renkan_guid=renkan_guid) except Renkan.DoesNotExist: - return Response({'detail': 'Renkan project '+renkan_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND) + return Response({'detail': 'Renkan project %r does not exist'.format(renkan_guid)}, status=status.HTTP_404_NOT_FOUND) + logger.debug("RENKAN GET %r : CHECKING OBJECT PERMISSION", renkan_guid) + logger.debug("RENKAN GET: permission? 
%r", request.user.has_perm("view_renkan", renkan)) self.check_object_permissions(request, renkan) + logger.debug("RENKAN GET: PERMISSION GRANTED") serializer = RenkanSerializer(renkan) if {'true': True, 'false': False, "0": False, "1": True}.get(request.GET.get("content_only", "false").lower()): return Response(json.loads(serializer.data["content"]), status=status.HTTP_200_OK, content_type='application/json') @@ -109,8 +102,11 @@ try: renkan = self.get_object(renkan_guid=renkan_guid) except Renkan.DoesNotExist: - return Response({'detail': 'Renkan project '+renkan_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND) + return Response({'detail': 'Renkan project %r does not exist'.format(renkan_guid)}, status=status.HTTP_404_NOT_FOUND) + logger.debug("RENKAN PUT %r : CHECKING OBJECT PERMISSION", renkan_guid) + logger.debug("RENKAN PUT: permission? %r", request.user.has_perm("change_renkan", renkan)) self.check_object_permissions(request, renkan) + logger.debug("RENKAN PUT: PERMISSION GRANTED") if {'true': True, 'false': False, "0": False, "1": True}.get(request.GET.get("content_only", "false").lower()): put_data = {} put_data["content"] = json.dumps(request.data) @@ -132,7 +128,7 @@ renkan_revisions = Revision.objects.filter(parent_renkan_guid = to_delete_renkan.renkan_guid) for child_revision in renkan_revisions: # Deleting reference to revision in renkans copied from this revision - for related_renkan in Renkan.objects.filter(source_revision_guid=child_revision.revision_guid): + for related_renkan in self.queryset.filter(source_revision_guid=child_revision.revision_guid): related_renkan.source_revision_guid = '' related_renkan.save() child_revision.delete() 
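Review bot: `'Renkan project %r does not exist'.format(renkan_guid)` in the new `get` (and again in `put` in the following hunk) substitutes nothing, because `%r` is a %-operator placeholder and `str.format` only fills `{}` fields, so the 404 body now literally reads "Renkan project %r does not exist"; use `'Renkan project {!r} does not exist'.format(renkan_guid)` in both places. The `dispatch` override only emits `logger.debug("TEST 1 21 12 TEST")` before delegating to `super`, which looks like a debugging leftover and can go together with the override. The `logger.debug("RENKAN GET: permission? %r", request.user.has_perm("view_renkan", renkan))` lines and their PUT counterparts evaluate `has_perm` (presumably a lookup through the configured auth backends) on every request even when DEBUG logging is off, since only the formatting is lazy, and with the permissions module and the `assign_perm` calls deleted in this same commit that lookup no longer gates anything; guard it with `if logger.isEnabledFor(logging.DEBUG):` or drop it. Both `get` and `put` continue past the end of this hunk.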
@@ -143,13 +139,11 @@ """ View for listing workspaces or creating new workspace """ - permission_classes = ( - permissions.IsAuthenticatedOrReadOnly, - CanCreateWorkspace, - ) - + + queryset = Workspace.objects + def get(self, request, format=None): - workspaces = Workspace.objects.all() + workspaces = self.queryset.all() serializer = WorkspaceSerializer(workspaces, many=True) return Response(serializer.data) @@ -164,18 +158,16 @@ """ View for retrieving, updating or deleting a single workspace """ - permission_classes = ( - permissions.IsAuthenticatedOrReadOnly, - CanEditWorkspace, - CanDeleteWorkspace, - ) - + + lookup_field = "workspace_guid" + queryset = Workspace.objects + def get_object(self, workspace_guid): - return Workspace.objects.get(workspace_guid=workspace_guid) - + return self.queryset.get(workspace_guid=workspace_guid) + def get(self, request, workspace_guid, format=None): try: - workspace = Workspace.objects.get(workspace_guid=workspace_guid) + workspace = self.get_object(workspace_guid=workspace_guid) except Workspace.DoesNotExist: return Response({'detail': 'Workspace '+workspace_guid+' does not exist.'}, status=status.HTTP_404_NOT_FOUND) self.check_object_permissions(request, workspace) @@ -184,7 +176,7 @@ def put(self, request, workspace_guid, format=None): try: - workspace = Workspace.objects.get(workspace_guid=workspace_guid) + workspace = self.get_object(workspace_guid=workspace_guid) except Workspace.DoesNotExist: return Response({'detail': 'Workspace '+workspace_guid+' does not exist.'}, status=status.HTTP_404_NOT_FOUND) self.check_object_permissions(request, workspace) 
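Review bot: `lookup_field = "workspace_guid"` added to WorkspaceDetail (its class header is above the hunk) is inert if this view, like RenkanList and RenkanDetail in this file, subclasses APIView: that attribute is consumed by DRF's GenericAPIView, and the code here resolves objects through its own `get_object(workspace_guid)`, so the attribute documents nothing the view uses. Either drop it or, if a move to GenericAPIView is intended, set `queryset = Workspace.objects.all()` (a QuerySet, which the generic views expect) rather than the bare manager, in WorkspaceList as well. `get` and `put` continue past the end of their hunks.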
@@ -209,11 +201,13 @@ """ View for listing revisions from a given renkan """ - permission_classes = (permissions.IsAuthenticatedOrReadOnly,) - - def get_queryset(self, renkan_guid): - return Revision.objects.filter(parent_renkan_guid=renkan_guid) - + + def get_queryset(self, renkan_guid=""): + if renkan_guid: + return Revision.objects.filter(parent_renkan_guid=renkan_guid) + else: + return Revision.objects + def get(self, request, renkan_guid, format=None): revisions = self.get_queryset(renkan_guid) if not revisions: @@ -225,14 +219,15 @@ """ View for retrieving or deleting a single revision from a given renkan """ - permission_classes = ( - permissions.IsAuthenticatedOrReadOnly, - CanDeleteRevision, - ) - - def get_queryset(self, renkan_guid): - return Revision.objects.filter(parent_renkan_guid=renkan_guid) - + + lookup_field = "revision_guid" + + def get_queryset(self, renkan_guid=""): + if renkan_guid: + return Revision.objects.filter(parent_renkan_guid=renkan_guid) + else: + return Revision.objects + def get(self, request, renkan_guid, revision_guid, format=None): revisions = self.get_queryset(renkan_guid) if not revisions: diff -r d55e89c25d51 -r 8fd40139827c server/python/django2/renkanmanager/migrations/0004_auto_20160212_1106.py --- a/server/python/django2/renkanmanager/migrations/0004_auto_20160212_1106.py Thu Apr 21 16:18:08 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
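Review bot: The new `get_queryset` in RevisionList (duplicated verbatim in RevisionDetail in the next hunk) returns `Revision.objects`, a Manager, when `renkan_guid` is empty but a QuerySet otherwise, and the `if not revisions:` check in `get` that follows cannot tell "no revisions" from a manager, which is always truthy; return `Revision.objects.all()` in the `else` branch so both paths yield a QuerySet. The `renkan_guid=""` default is also unused: both `get` methods shown pass `renkan_guid` positionally and take it as a required argument. With the helper now identical in two classes, a module-level function or a small mixin would remove the duplication. The `get` bodies continue past the end of these hunks.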
@@ -1,27 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.9.1 on 2016-02-12 11:06
-from __future__ import unicode_literals
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
- dependencies = [
- ('renkanmanager', '0003_auto_20160105_0954'),
- ]
-
- operations = [
- migrations.AlterModelOptions(
- name='renkan',
- options={'permissions': (('view_renkan', 'Can view renkan'),)},
- ),
- migrations.AlterModelOptions(
- name='revision',
- options={'permissions': (('view_revision', 'Can view revision'),)},
- ),
- migrations.AlterModelOptions(
- name='workspace',
- options={'permissions': (('view_workspace', 'Can view workspace'),)},
- ),
- ]
diff -r d55e89c25d51 -r 8fd40139827c server/python/django2/renkanmanager/permissions.py
--- a/server/python/django2/renkanmanager/permissions.py Thu Apr 21 16:18:08 2016 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,94 +0,0 @@ -from rest_framework import permissions - - -class CanCreateRenkan(permissions.BasePermission): - - def has_permission(self, request, view): - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'POST') and not request.user.has_perm('renkanmanager.add_renkan'): - return False - - return True - - -class CanEditRenkan(permissions.BasePermission): - - def has_object_permission(self, request, view, obj): - if not request.user.has_perm('view_renkan', obj): - return False - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'PUT') and not request.user.has_perm('change_renkan', obj): - return False - - return True - - -class CanDeleteRenkan(permissions.BasePermission): - - def has_object_permission(self, request, view, obj): - if not request.user.has_perm('view_renkan', obj): - return False - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'DELETE') and not request.user.has_perm('delete_renkan', obj): - return False - - return True - - -class CanCreateWorkspace(permissions.BasePermission): - - def has_permission(self, request, view): - if request.method in permissions.SAFE_METHODS: - return True - if (request.method == 'POST') and not request.user.has_perm('add_workspace'): - return False - - return True - - -class CanEditWorkspace(permissions.BasePermission): - - def has_object_permission(self, request, view, obj): - if not request.user.has_perm('view_workspace', obj): - return False - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'PUT') and not request.user.has_perm('change_workspace', obj): - return False - - return True - - -class CanDeleteWorkspace(permissions.BasePermission): - - def has_object_permission(self, request, view, obj): - if not request.user.has_perm('view_workspace', obj): - return False - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'DELETE') and 
not request.user.has_perm('delete_workspace', obj): - return False - - return True - - -class CanDeleteRevision(permissions.BasePermission): - - def has_object_permission(self, request, view, obj): - if not request.user.has_perm('view_revision', obj): - return False - if request.method in permissions.SAFE_METHODS: - return True - - if (request.method == 'DELETE') and not request.user.has_perm('delete_revision', obj): - return False - - return True \ No newline at end of file diff -r d55e89c25d51 -r 8fd40139827c server/python/django2/renkanmanager/serializers.py --- a/server/python/django2/renkanmanager/serializers.py Thu Apr 21 16:18:08 2016 +0200 +++ b/server/python/django2/renkanmanager/serializers.py Mon Apr 11 16:28:05 2016 +0200 @@ -3,7 +3,6 @@ from django.contrib.auth import get_user_model from django.conf import settings -from guardian.shortcuts import assign_perm from renkanmanager.models import Renkan, Workspace, Revision from rest_framework import serializers @@ -66,11 +65,6 @@ )) initial_revision.save() renkan.save() - assign_perm('view_renkan', creator, renkan) - assign_perm('change_renkan', creator, renkan) - assign_perm('delete_renkan', creator, renkan) - assign_perm('view_revision', creator, initial_revision) - assign_perm('delete_revision', creator, initial_revision) return renkan def update(self, renkan, validated_data): @@ -80,9 +74,8 @@ updator = validated_data.get('updator') current_revision = Revision.objects.get(revision_guid=renkan.current_revision_guid) if validated_data.get("create_new_revision", False): - revision_to_update = Revision.objects.create() + revision_to_update = Revision.objects.create(creator=updator) revision_to_update.parent_renkan_guid = renkan.renkan_guid - revision_to_update.creator = updator renkan.current_revision_guid = revision_to_update.revision_guid else: revision_to_update = current_revision 
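Review bot: With the `assign_perm` calls removed from RenkanSerializer.create, objects created from now on carry no per-object permissions for their creator, while views.py in this same commit still evaluates `request.user.has_perm("view_renkan", renkan)` in its debug logging, which will presumably report False for every non-superuser on renkans created after this change. If object-level checks are reinstated later, rows created in the meantime will need a backfill, so it is worth recording that next to `renkan.save()`, e.g. `# NOTE: object permissions are no longer assigned on create; backfill needed if per-object checks return`. RenkanSerializer.create starts before this hunk.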
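Review bot: `Revision.objects.create(creator=updator)` is immediately followed by `revision_to_update.parent_renkan_guid = renkan.renkan_guid`, so the row is inserted without its parent and presumably saved again further down in `update` (the method continues past the end of this hunk); passing `parent_renkan_guid=renkan.renkan_guid` to `create` as the hunk already does for `creator` avoids the partially-initialised insert, i.e. `revision_to_update = Revision.objects.create(creator=updator, parent_renkan_guid=renkan.renkan_guid)`.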
@@ -158,13 +151,9 @@ def create(self, validated_data): creator = validated_data.get('creator') - workspace = Workspace.objects.create() - workspace.title = validated_data.get('title', '') - workspace.creator = creator + title = validated_data.get('title', '') + workspace = Workspace.objects.create(creator=creator, title=title) workspace.save() - assign_perm('view_workspace', creator, workspace) - assign_perm('change_workspace', creator, workspace) - assign_perm('delete_workspace', creator, workspace) return workspace def update(self, workspace, validated_data):
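Review bot: `workspace.save()` right after `Workspace.objects.create(creator=creator, title=title)` is now a redundant second write: `create()` already inserts the row, and nothing between the two lines modifies `workspace`, so the save issues an UPDATE with no changes. Drop the `workspace.save()` line and return the object from `create` directly. WorkspaceSerializer.create is fully inside this hunk.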