The permission implementation has to live client-side, not in the generic API package; also deleted a duplicate migration.
--- a/.settings/org.eclipse.core.resources.prefs Thu Apr 21 16:18:08 2016 +0200
+++ b/.settings/org.eclipse.core.resources.prefs Mon Apr 11 16:28:05 2016 +0200
@@ -7,6 +7,7 @@
encoding//server/python/django/renkanmanager/views.py=utf-8
encoding//server/python/django2/renkanmanager/__init__.py=utf-8
encoding//server/python/django2/renkanmanager/api/views.py=utf-8
+encoding//server/python/django2/renkanmanager/migrations/0001_initial.py=utf-8
encoding//server/python/django2/renkanmanager/migrations/0002_alter_models_and_populate_revisions.py=utf-8
encoding//server/python/django2/renkanmanager/migrations/0003_auto_20160105_0954.py=utf-8
encoding//server/python/django2/renkanmanager/utils.py=utf-8
--- a/server/python/django2/renkanmanager/api/views.py Thu Apr 21 16:18:08 2016 +0200
+++ b/server/python/django2/renkanmanager/api/views.py Mon Apr 11 16:28:05 2016 +0200
@@ -13,39 +13,33 @@
from django.http import Http404
from django.http.response import HttpResponse, HttpResponseBadRequest
from django.shortcuts import get_object_or_404, redirect
-from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View
+from django.conf import settings
from renkanmanager.models import Renkan, Revision, Workspace
-from renkanmanager.permissions import CanEditRenkan, CanDeleteRenkan, CanCreateRenkan, \
- CanEditWorkspace, CanDeleteWorkspace, CanCreateWorkspace, \
- CanDeleteRevision
from renkanmanager.serializers import RenkanSerializer, RevisionSerializer, WorkspaceSerializer
from rest_framework import permissions, status
from rest_framework.response import Response
from rest_framework.views import APIView
-
logger = logging.getLogger(__name__)
-
+
class RenkanList(APIView):
"""
View for listing renkans or posting new renkan
"""
- permission_classes = (
- permissions.IsAuthenticatedOrReadOnly,
- CanCreateRenkan,
- )
-
+
+ queryset = Renkan.objects
+
def get(self, request, workspace_guid='', format=None):
if workspace_guid == '':
- renkans = Renkan.objects.all()
+ renkans = self.queryset.all()
else:
- renkans = Renkan.objects.filter(workspace_guid=workspace_guid)
+ renkans = self.queryset.filter(workspace_guid=workspace_guid)
serializer = RenkanSerializer(renkans, many=True)
- return Response(serializer.data, status=status.HTTP_200_OK, content_type='application/json')
-
+ return Response(serializer.data, status=status.HTTP_200_OK, content_type='application/json')
+
def post(self, request, workspace_guid='', format=None):
- create_data = request.data
+ create_data = {key:request.data[key] for key in request.data.keys()}
source_renkan_guid = request.GET.get("source_renkan_id", request.data.get("source_renkan_id", None))
source_revision_guid = request.GET.get("source_revision_id", request.data.get("source_revision_id", None))
if source_renkan_guid is not None:
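Review bot: Dropping `permission_classes` from RenkanList with nothing in its place leaves the view on DRF's `DEFAULT_PERMISSION_CLASSES`, which is `AllowAny` unless the project's `REST_FRAMEWORK` setting overrides it, so `post` would then create renkans for anonymous callers; the same removal happens for RenkanDetail, WorkspaceList, WorkspaceDetail, RevisionList and RevisionDetail in the later hunks of this file. If the policy is meant to come from the consuming project, keep a baseline such as `permission_classes = (permissions.IsAuthenticatedOrReadOnly,)` in the package or source the classes from `settings`, which this hunk imports but never uses in the visible lines. A short comment at each view stating where the permission check now lives would also stop the retained `check_object_permissions` calls from reading as an enforced check. `post` continues past the end of this hunk.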
@@ -68,38 +62,37 @@
except Workspace.DoesNotExist:
return Response({'detail': 'Workspace '+workspace_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND)
create_data["workspace_id"] = workspace_guid
-
+
serializer = RenkanSerializer(data=create_data)
if serializer.is_valid():
- serializer.save(creator=request.user)
+ serializer.save(creator=request.user)
return Response(serializer.data, status=status.HTTP_201_CREATED, content_type='application/json')
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
+
class RenkanDetail(APIView):
"""
View for retrieving, updating or deleting a single renkan
"""
lookup_field = "renkan_guid"
- permission_classes = (
- permissions.IsAuthenticatedOrReadOnly,
- CanEditRenkan,
- CanDeleteRenkan,
- )
-
- @csrf_exempt
+ queryset = Renkan.objects
+
+ def get_object(self, renkan_guid):
+ return self.queryset.get(renkan_guid=renkan_guid)
+
def dispatch(self, *args, **kwargs):
+ logger.debug("TEST 1 21 12 TEST")
return super(RenkanDetail, self).dispatch(*args, **kwargs)
-
- def get_object(self, renkan_guid):
- return Renkan.objects.get(renkan_guid=renkan_guid)
-
+
def get(self, request, renkan_guid, format=None):
try:
renkan = self.get_object(renkan_guid=renkan_guid)
except Renkan.DoesNotExist:
- return Response({'detail': 'Renkan project '+renkan_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND)
+ return Response({'detail': 'Renkan project %r does not exist'.format(renkan_guid)}, status=status.HTTP_404_NOT_FOUND)
+ logger.debug("RENKAN GET %r : CHECKING OBJECT PERMISSION", renkan_guid)
+ logger.debug("RENKAN GET: permission? %r", request.user.has_perm("view_renkan", renkan))
self.check_object_permissions(request, renkan)
+ logger.debug("RENKAN GET: PERMISSION GRANTED")
serializer = RenkanSerializer(renkan)
if {'true': True, 'false': False, "0": False, "1": True}.get(request.GET.get("content_only", "false").lower()):
return Response(json.loads(serializer.data["content"]), status=status.HTTP_200_OK, content_type='application/json')
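Review bot: The new 404 message is built with `.format()` but the template still uses a `%r` placeholder, so the response body is literally `Renkan project %r does not exist`; change it to `'Renkan project {!r} does not exist'.format(renkan_guid)` (the same defect is in the `put` branch of the next hunk). The overridden `dispatch` now only emits `logger.debug("TEST 1 21 12 TEST")` before delegating and looks like a leftover; either drop the override or give the message a meaningful content. The `has_perm("view_renkan", renkan)` result on the following line is only logged, and with `permission_classes` removed from RenkanDetail the `check_object_permissions` call that follows it has no classes to consult, so nothing in this method actually enforces the permission the log claims to check. `get` continues past the end of this hunk.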
@@ -109,8 +102,11 @@
try:
renkan = self.get_object(renkan_guid=renkan_guid)
except Renkan.DoesNotExist:
- return Response({'detail': 'Renkan project '+renkan_guid+' does not exist'}, status=status.HTTP_404_NOT_FOUND)
+ return Response({'detail': 'Renkan project %r does not exist'.format(renkan_guid)}, status=status.HTTP_404_NOT_FOUND)
+ logger.debug("RENKAN PUT %r : CHECKING OBJECT PERMISSION", renkan_guid)
+ logger.debug("RENKAN PUT: permission? %r", request.user.has_perm("change_renkan", renkan))
self.check_object_permissions(request, renkan)
+ logger.debug("RENKAN PUT: PERMISSION GRANTED")
if {'true': True, 'false': False, "0": False, "1": True}.get(request.GET.get("content_only", "false").lower()):
put_data = {}
put_data["content"] = json.dumps(request.data)
@@ -132,7 +128,7 @@
renkan_revisions = Revision.objects.filter(parent_renkan_guid = to_delete_renkan.renkan_guid)
for child_revision in renkan_revisions:
# Deleting reference to revision in renkans copied from this revision
- for related_renkan in Renkan.objects.filter(source_revision_guid=child_revision.revision_guid):
+ for related_renkan in self.queryset.filter(source_revision_guid=child_revision.revision_guid):
related_renkan.source_revision_guid = ''
related_renkan.save()
child_revision.delete()
@@ -143,13 +139,11 @@
"""
View for listing workspaces or creating new workspace
"""
- permission_classes = (
- permissions.IsAuthenticatedOrReadOnly,
- CanCreateWorkspace,
- )
-
+
+ queryset = Workspace.objects
+
def get(self, request, format=None):
- workspaces = Workspace.objects.all()
+ workspaces = self.queryset.all()
serializer = WorkspaceSerializer(workspaces, many=True)
return Response(serializer.data)
@@ -164,18 +158,16 @@
"""
View for retrieving, updating or deleting a single workspace
"""
- permission_classes = (
- permissions.IsAuthenticatedOrReadOnly,
- CanEditWorkspace,
- CanDeleteWorkspace,
- )
-
+
+ lookup_field = "workspace_guid"
+ queryset = Workspace.objects
+
def get_object(self, workspace_guid):
- return Workspace.objects.get(workspace_guid=workspace_guid)
-
+ return self.queryset.get(workspace_guid=workspace_guid)
+
def get(self, request, workspace_guid, format=None):
try:
- workspace = Workspace.objects.get(workspace_guid=workspace_guid)
+ workspace = self.get_object(workspace_guid=workspace_guid)
except Workspace.DoesNotExist:
return Response({'detail': 'Workspace '+workspace_guid+' does not exist.'}, status=status.HTTP_404_NOT_FOUND)
self.check_object_permissions(request, workspace)
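Review bot: `lookup_field = "workspace_guid"` is only consulted by DRF's `GenericAPIView`; RenkanDetail is declared on a plain `APIView` (earlier in this file) and WorkspaceDetail's header is outside this hunk, so if it is also an `APIView` the attribute is inert and `get_object` is what actually resolves the instance. Either derive from `GenericAPIView`/`RetrieveUpdateDestroyAPIView` so `lookup_field` and `queryset` do work, or add `# plain APIView: lookup_field/queryset are informational, get_object() does the lookup` so the next reader does not expect generic-view behaviour. `get` continues past the end of this hunk.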
@@ -184,7 +176,7 @@
def put(self, request, workspace_guid, format=None):
try:
- workspace = Workspace.objects.get(workspace_guid=workspace_guid)
+ workspace = self.get_object(workspace_guid=workspace_guid)
except Workspace.DoesNotExist:
return Response({'detail': 'Workspace '+workspace_guid+' does not exist.'}, status=status.HTTP_404_NOT_FOUND)
self.check_object_permissions(request, workspace)
@@ -209,11 +201,13 @@
"""
View for listing revisions from a given renkan
"""
- permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
-
- def get_queryset(self, renkan_guid):
- return Revision.objects.filter(parent_renkan_guid=renkan_guid)
-
+
+ def get_queryset(self, renkan_guid=""):
+ if renkan_guid:
+ return Revision.objects.filter(parent_renkan_guid=renkan_guid)
+ else:
+ return Revision.objects
+
def get(self, request, renkan_guid, format=None):
revisions = self.get_queryset(renkan_guid)
if not revisions:
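Review bot: When `renkan_guid` is empty the new `get_queryset` returns the manager `Revision.objects` rather than a QuerySet, so callers get a different type depending on the argument; the manager is not iterable and is always truthy, so the `if not revisions:` guard below cannot detect an empty result for it. Return `Revision.objects.all()` in the `else` branch (the same applies to the copy of this method in RevisionDetail in the next hunk). `get` continues past the end of this hunk.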
@@ -225,14 +219,15 @@
"""
View for retrieving or deleting a single revision from a given renkan
"""
- permission_classes = (
- permissions.IsAuthenticatedOrReadOnly,
- CanDeleteRevision,
- )
-
- def get_queryset(self, renkan_guid):
- return Revision.objects.filter(parent_renkan_guid=renkan_guid)
-
+
+ lookup_field = "revision_guid"
+
+ def get_queryset(self, renkan_guid=""):
+ if renkan_guid:
+ return Revision.objects.filter(parent_renkan_guid=renkan_guid)
+ else:
+ return Revision.objects
+
def get(self, request, renkan_guid, revision_guid, format=None):
revisions = self.get_queryset(renkan_guid)
if not revisions:
--- a/server/python/django2/renkanmanager/migrations/0004_auto_20160212_1106.py Thu Apr 21 16:18:08 2016 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,27 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.9.1 on 2016-02-12 11:06
-from __future__ import unicode_literals
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
- dependencies = [
- ('renkanmanager', '0003_auto_20160105_0954'),
- ]
-
- operations = [
- migrations.AlterModelOptions(
- name='renkan',
- options={'permissions': (('view_renkan', 'Can view renkan'),)},
- ),
- migrations.AlterModelOptions(
- name='revision',
- options={'permissions': (('view_revision', 'Can view revision'),)},
- ),
- migrations.AlterModelOptions(
- name='workspace',
- options={'permissions': (('view_workspace', 'Can view workspace'),)},
- ),
- ]
--- a/server/python/django2/renkanmanager/permissions.py Thu Apr 21 16:18:08 2016 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,94 +0,0 @@
-from rest_framework import permissions
-
-
-class CanCreateRenkan(permissions.BasePermission):
-
- def has_permission(self, request, view):
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'POST') and not request.user.has_perm('renkanmanager.add_renkan'):
- return False
-
- return True
-
-
-class CanEditRenkan(permissions.BasePermission):
-
- def has_object_permission(self, request, view, obj):
- if not request.user.has_perm('view_renkan', obj):
- return False
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'PUT') and not request.user.has_perm('change_renkan', obj):
- return False
-
- return True
-
-
-class CanDeleteRenkan(permissions.BasePermission):
-
- def has_object_permission(self, request, view, obj):
- if not request.user.has_perm('view_renkan', obj):
- return False
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'DELETE') and not request.user.has_perm('delete_renkan', obj):
- return False
-
- return True
-
-
-class CanCreateWorkspace(permissions.BasePermission):
-
- def has_permission(self, request, view):
- if request.method in permissions.SAFE_METHODS:
- return True
- if (request.method == 'POST') and not request.user.has_perm('add_workspace'):
- return False
-
- return True
-
-
-class CanEditWorkspace(permissions.BasePermission):
-
- def has_object_permission(self, request, view, obj):
- if not request.user.has_perm('view_workspace', obj):
- return False
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'PUT') and not request.user.has_perm('change_workspace', obj):
- return False
-
- return True
-
-
-class CanDeleteWorkspace(permissions.BasePermission):
-
- def has_object_permission(self, request, view, obj):
- if not request.user.has_perm('view_workspace', obj):
- return False
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'DELETE') and not request.user.has_perm('delete_workspace', obj):
- return False
-
- return True
-
-
-class CanDeleteRevision(permissions.BasePermission):
-
- def has_object_permission(self, request, view, obj):
- if not request.user.has_perm('view_revision', obj):
- return False
- if request.method in permissions.SAFE_METHODS:
- return True
-
- if (request.method == 'DELETE') and not request.user.has_perm('delete_revision', obj):
- return False
-
- return True
\ No newline at end of file
--- a/server/python/django2/renkanmanager/serializers.py Thu Apr 21 16:18:08 2016 +0200
+++ b/server/python/django2/renkanmanager/serializers.py Mon Apr 11 16:28:05 2016 +0200
@@ -3,7 +3,6 @@
from django.contrib.auth import get_user_model
from django.conf import settings
-from guardian.shortcuts import assign_perm
from renkanmanager.models import Renkan, Workspace, Revision
from rest_framework import serializers
@@ -66,11 +65,6 @@
))
initial_revision.save()
renkan.save()
- assign_perm('view_renkan', creator, renkan)
- assign_perm('change_renkan', creator, renkan)
- assign_perm('delete_renkan', creator, renkan)
- assign_perm('view_revision', creator, initial_revision)
- assign_perm('delete_revision', creator, initial_revision)
return renkan
def update(self, renkan, validated_data):
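Review bot: After the `assign_perm` calls are removed, nothing in `create` grants the creator any object-level permission on the new renkan or its initial revision, while the views in this commit still query `request.user.has_perm("view_renkan", renkan)`; unless the hosting project assigns those permissions, that check will presumably be false for the creator. If that division of responsibility is intended, document it in `create`'s docstring, e.g. `Object-level permissions are not assigned here; the hosting project is responsible for granting them to the creator.` `create` starts before this hunk.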
@@ -80,9 +74,8 @@
updator = validated_data.get('updator')
current_revision = Revision.objects.get(revision_guid=renkan.current_revision_guid)
if validated_data.get("create_new_revision", False):
- revision_to_update = Revision.objects.create()
+ revision_to_update = Revision.objects.create(creator=updator)
revision_to_update.parent_renkan_guid = renkan.renkan_guid
- revision_to_update.creator = updator
renkan.current_revision_guid = revision_to_update.revision_guid
else:
revision_to_update = current_revision
@@ -158,13 +151,9 @@
def create(self, validated_data):
creator = validated_data.get('creator')
- workspace = Workspace.objects.create()
- workspace.title = validated_data.get('title', '')
- workspace.creator = creator
+ title = validated_data.get('title', '')
+ workspace = Workspace.objects.create(creator=creator, title=title)
workspace.save()
- assign_perm('view_workspace', creator, workspace)
- assign_perm('change_workspace', creator, workspace)
- assign_perm('delete_workspace', creator, workspace)
return workspace
def update(self, workspace, validated_data):
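Review bot: `Workspace.objects.create(creator=creator, title=title)` already persists the row, so the `workspace.save()` that follows it issues a second, redundant UPDATE; remove that line. The `create` method starts before this hunk.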