From 27c515f281f6db510277fad6dd44aa1abb1247e4 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Wed, 20 Mar 2013 23:14:09 -0400
Subject: [PATCH] Basic API RBAC filtering operational!
---
 lib/main/tests.py | 16 ++++++----------
 lib/main/views.py | 19 ++++++++++++-------
 2 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/lib/main/tests.py b/lib/main/tests.py
index 789ff306bf..5feaed38b6 100644
--- a/lib/main/tests.py
+++ b/lib/main/tests.py
@@ -77,8 +77,10 @@ class BaseTest(django.test.TestCase):
 response = method(url, data=json.dumps(data))
 else:
 response = method(url)
+ if response.status_code == 500 and expect != 500:
+ assert False, "Failed: %s" % response.content
 if expect is not None:
- assert response.status_code == expect, "expected status %s, got %s (%s) for url=%s as auth=%s" % (expect, response.status_code, response.status_text, url, auth)
+ assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s" % (expect, response.status_code, url, auth)
 data = json.loads(response.content)
 return data
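Review bot: Both new checks use a bare `assert` inside a `django.test.TestCase` subclass (visible in the hunk header), which is stripped under `python -O` and produces a weaker failure report than the TestCase helpers; `self.fail("Failed: %s" % response.content)` and `self.assertEqual(response.status_code, expect, "expected status %s, got %s for url=%s as auth=%s" % (expect, response.status_code, url, auth))` keep the same fail-fast behaviour without that caveat. The unconditional `data = json.loads(response.content)` on the following line will also raise a decoder error rather than return when a test passes `expect=401`/`403`/`404` and the body is empty or not JSON, which the RBAC tests this commit enables will do; `data = json.loads(response.content) if response.content else None` keeps the helper usable for negative cases. The enclosing method starts outside the hunk.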
@@ -132,17 +134,11 @@ class OrganizationsTest(BaseTest):
 # superuser credentials == 200, full list
 data = self.get(self.collection(), expect=200, auth=self.get_super_credentials())
 self.check_pagination_and_size(data, 10, previous=None, next=None)
-
- #self.assertValidJSONResponse(resp)
- #self.assertEqual(len(self.deserialize(resp)['objects']), 10)
- # check member data
- #first = self.deserialize(resp)['objects'][0]
- #self.assertEqual(first['name'], 'org0')
+ [self.assertTrue(key in data['results'][0]) for key in ['name', 'description' ]]
 # url
 # normal credentials == 200, get only organizations that I am actually added to (there are 2)
- #resp = self.api_client.get(self.collection(), format='json', authentication=self.get_normal_credentials())
- #self.assertValidJSONResponse(resp)
- #self.assertEqual(len(self.deserialize(resp)['objects']), 2)
+ data = self.get(self.collection(), expect=200, auth=self.get_normal_credentials())
+ self.check_pagination_and_size(data, 2, previous=None, next=None)
 # no admin rights? get empty list
 #resp = self.api_client.get(self.collection(), format='json', authentication=self.get_other_credentials())
diff --git a/lib/main/views.py b/lib/main/views.py
index feb414d875..42a2b4cb93 100644
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -18,24 +18,22 @@ from rest_framework import permissions
 class CustomRbac(permissions.BasePermission):
 def has_permission(self, request, view, obj=None):
-
 if type(request.user) == AnonymousUser:
 return False
- #if getattr(request, 'user') is None:
- # return False
-
 if obj is None:
 return True
+ else:
+ raise Exception("FIXME")
- return True # obj.owner == request.user
+ def has_object_permission(self, request, view, obj):
+ raise Exception("newer than expected version of django-rest-framework installed")
 class OrganizationsList(generics.ListCreateAPIView):
- model = Organization
 serializer_class = OrganizationSerializer
 #authentication_classes = (SessionAuthentication, BasicAuthentication)
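Review bot: The negative RBAC case is still only a comment in the trailing context (`# no admin rights? get empty list` / `#resp = self.api_client.get(... self.get_other_credentials())`), so the new assertions show the filter shrinks the list for a member but never that it hides organizations from a user who belongs to none; that is the case that proves the filter fails closed, and it is one more call in the same shape, `data = self.get(self.collection(), expect=200, auth=self.get_other_credentials())` followed by `self.check_pagination_and_size(data, 0, previous=None, next=None)` (or whichever status the API is meant to return for that user). The added `[self.assertTrue(key in data['results'][0]) for key in ['name', 'description' ]]` builds a throwaway list purely for its side effects; `for key in ('name', 'description'): self.assertIn(key, data['results'][0])` reads as the assertion it is and reports the missing key on failure. The test method starts and continues outside the hunk.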
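Review bot: The new `else: raise Exception("FIXME")` in `has_permission` and the `raise Exception(...)` body of `has_object_permission` turn every object-level permission check into an uncaught exception, which propagates out of the view as a 500 rather than a denial; failing closed is the right instinct, but `return False` (or raising `rest_framework.exceptions.PermissionDenied`) gives the 403 that clients and the tests in this commit can actually rely on, so I would write `return False  # object-level checks not implemented yet; deny` in both places and keep the version note as a comment. The surviving context line `if type(request.user) == AnonymousUser:` would be more robust as `if isinstance(request.user, AnonymousUser):`, which also covers subclasses. Dropping `model = Organization` from `OrganizationsList` only stays correct because `get_queryset` is added in the later hunk of this file; worth a one-line comment at the class so the two do not drift apart.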
@@ -45,7 +43,14 @@ class OrganizationsList(generics.ListCreateAPIView):
 #def pre_save(self, obj):
 # obj.owner = self.request.user
-
+
+ def get_queryset(self):
+ if self.request.user.is_superuser:
+ return Organization.objects.all()
+ return Organization.objects.filter(admins__in = [ self.request.user.application_user ]).distinct() | \
+ Organization.objects.filter(users__in = [ self.request.user.application_user ]).distinct()
+
+
 class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
 model = Organization
 serializer_class = OrganizationSerializer
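Review bot: `get_queryset` dereferences `self.request.user.application_user` for every non-superuser, so it depends entirely on `CustomRbac` having rejected anonymous requests first; `AnonymousUser` carries no `application_user`, and the view's `permission_classes` are not visible in this hunk, so a missing or misordered permission class would surface as a 500 instead of an empty list. The queryset should fail closed on its own by returning `Organization.objects.none()` for an anonymous user, and — if a Django user can exist without an `application_user` (I cannot tell from here) — guard that too. Separately, `OrganizationsDetail` in the trailing context keeps `model = Organization` with no `get_queryset`, so retrieve/update/destroy by id are not filtered by this commit; until object-level permission exists, the detail view should use the same filtered queryset so organizations the user is not a member of resolve to 404. The two-queryset union is behaviourally fine, though a single `filter(Q(admins__in=[u]) | Q(users__in=[u])).distinct()` would express the same rule in one query.
```python
    def get_queryset(self):
        user = self.request.user
        if user.is_superuser:
            return Organization.objects.all()
        # Fail closed here as well: do not rely on the permission class alone
        # to keep anonymous requests away from the organization list.
        if isinstance(user, AnonymousUser):
            return Organization.objects.none()
        app_user = user.application_user  # TODO confirm every Django user has one
        return Organization.objects.filter(admins__in=[app_user]).distinct() | \
               Organization.objects.filter(users__in=[app_user]).distinct()
```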