Basic API RBAC filtering operational!

lib/main/tests.py

@@ -77,8 +77,10 @@ class BaseTest(django.test.TestCase):
             response = method(url, data=json.dumps(data))
         else:
             response = method(url)
+        if response.status_code == 500 and expect != 500:
+            assert False, "Failed: %s" % response.content
         if expect is not None:
-            assert response.status_code == expect, "expected status %s, got %s (%s) for url=%s as auth=%s" % (expect, response.status_code, response.status_text, url, auth)
+            assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s" % (expect, response.status_code, url, auth)
         data = json.loads(response.content)
         return data
  
@@ -132,17 +134,11 @@ class OrganizationsTest(BaseTest):
         # superuser credentials == 200, full list
         data = self.get(self.collection(), expect=200, auth=self.get_super_credentials())
         self.check_pagination_and_size(data, 10, previous=None, next=None)
-
+        [self.assertTrue(key in data['results'][0]) for key in ['name', 'description' ]] # url
-        #self.assertValidJSONResponse(resp)
-        #self.assertEqual(len(self.deserialize(resp)['objects']), 10)
-        # check member data
-        #first = self.deserialize(resp)['objects'][0]
-        #self.assertEqual(first['name'], 'org0')
 
         # normal credentials == 200, get only organizations that I am actually added to (there are 2)
-        #resp = self.api_client.get(self.collection(), format='json', authentication=self.get_normal_credentials())
+        data = self.get(self.collection(), expect=200, auth=self.get_normal_credentials())
-        #self.assertValidJSONResponse(resp)
+        self.check_pagination_and_size(data, 2, previous=None, next=None)
-        #self.assertEqual(len(self.deserialize(resp)['objects']), 2)
 
         # no admin rights? get empty list
         #resp = self.api_client.get(self.collection(), format='json', authentication=self.get_other_credentials())

lib/main/views.py

@@ -18,24 +18,22 @@ from rest_framework import permissions
 class CustomRbac(permissions.BasePermission):
 
     def has_permission(self, request, view, obj=None):
-
         if type(request.user) == AnonymousUser:
             return False
 
-        #if getattr(request, 'user') is None:
-        #    return False
-
         if obj is None:
             return True
+        else:
+            raise Exception("FIXME")
 
-        return True # obj.owner == request.user
+    def has_object_permission(self, request, view, obj):
+        raise Exception("newer than expected version of django-rest-framework installed")
 
 
 
 class OrganizationsList(generics.ListCreateAPIView):
 
 
-
     model = Organization
     serializer_class = OrganizationSerializer
     #authentication_classes = (SessionAuthentication, BasicAuthentication)
@@ -45,7 +43,14 @@ class OrganizationsList(generics.ListCreateAPIView):
 
     #def pre_save(self, obj):
     #   obj.owner = self.request.user
-    
+   
+    def get_queryset(self):
+        if self.request.user.is_superuser:
+            return Organization.objects.all()
+        return Organization.objects.filter(admins__in = [ self.request.user.application_user ]).distinct() | \
+               Organization.objects.filter(users__in = [ self.request.user.application_user ]).distinct()
+
+ 
 class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
     model = Organization
     serializer_class = OrganizationSerializer