From 8cae93c55fa154c6f4d037bf3067a501b07618fa Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Thu, 21 Mar 2013 00:34:59 -0400
Subject: [PATCH] Move RBAC code to seperate file.

---
 lib/main/rbac.py | 39 ++++++++++++++++
 lib/main/views.py | 110 +---------------------------------------------
 2 files changed, 41 insertions(+), 108 deletions(-)
 create mode 100644 lib/main/rbac.py

diff --git a/lib/main/rbac.py b/lib/main/rbac.py
new file mode 100644
index 0000000000..3326cee10e
--- /dev/null
+++ b/lib/main/rbac.py
@@ -0,0 +1,39 @@
+from lib.main.models import *
+from lib.main.serializers import *
+from rest_framework import permissions
+from django.contrib.auth.models import AnonymousUser
+
+# FIXME: this will probably need to be subclassed by object type
+
+class CustomRbac(permissions.BasePermission):
+
+    def _common_user_check(self, request):
+        # no anonymous users
+        if type(request.user) == AnonymousUser:
+            return False
+        # superusers are always good
+        if request.user.is_superuser:
+            return True
+        # other users must have associated acom user records & be active
+        acom_user = User.objects.filter(auth_user = request.user)
+        if len(acom_user) != 1:
+            return False
+        if not acom_user[0].active:
+            return False
+        return True
+
+    def has_permission(self, request, view, obj=None):
+        if not self._common_user_check(request):
+            return False
+        if obj is None:
+            return True
+        else:
+            # haven't tested around these confines yet
+            raise Exception("FIXME")
+
+    def has_object_permission(self, request, view, obj):
+        if not self._common_user_check(request):
+            return False
+        # FIXME: TODO: verify the user is actually allowed to see this resource
+        return True
+
diff --git a/lib/main/views.py b/lib/main/views.py
index 4d69b92e68..e403176a33 100644
--- a/lib/main/views.py
+++ b/lib/main/views.py
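Review bot: In `_common_user_check`, `if type(request.user) == AnonymousUser:` is an exact-type test, so a subclass of AnonymousUser is not rejected and falls through to the `is_superuser` read and the `User.objects.filter(auth_user = request.user)` lookup; `if isinstance(request.user, AnonymousUser):` (or the user's authentication flag) makes the anonymous check fail closed. In `has_permission`, the `obj is not None` branch ends in `raise Exception("FIXME")`, which surfaces as a server error rather than a denial; `return False` there fails closed without a 500 until the object case is implemented. `has_object_permission` grants every active, non-anonymous user access to every object, as the FIXME acknowledges, so object-level checks on views using this class are currently a pass-through for all verbs. A class docstring stating that contract (request-level gating only, no per-object authorization yet) would keep callers from assuming more than the class provides.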
@@ -1,56 +1,16 @@ from django.http import HttpResponse from django.views.decorators.csrf import csrf_exempt -#from rest_framework.renderers import JSONRenderer -#from rest_framework.parsers import JSONParser - from lib.main.models import * from lib.main.serializers import * +from lib.main.rbac import * from django.contrib.auth.models import AnonymousUser - from rest_framework import mixins from rest_framework import generics from rest_framework import permissions -#from rest_framework.authentication import authentication -# TODO: verify pagination -# TODO: how to add relative resources -# TODO: - -class CustomRbac(permissions.BasePermission): - - def _common_user_check(self, request): - # no anonymous users - if type(request.user) == AnonymousUser: - return False - # superusers are always good - if request.user.is_superuser: - return True - # other users must have associated acom user records & be active - acom_user = User.objects.filter(auth_user = request.user) - if len(acom_user) != 1: - return False - if not acom_user[0].active: - return False - return True - - def has_permission(self, request, view, obj=None): - if not self._common_user_check(request): - return False - if obj is None: - return True - else: - # haven't tested around these confines yet - raise Exception("FIXME") - - def has_object_permission(self, request, view, obj): - if not self._common_user_check(request): - return False - # FIXME: TODO: verify the user is actually allowed to see this resource - return True class OrganizationsList(generics.ListCreateAPIView): - model = Organization serializer_class = OrganizationSerializer permission_classes = (CustomRbac,) @@ -59,6 +19,7 @@ class OrganizationsList(generics.ListCreateAPIView): # obj.owner = self.request.user def get_queryset(self): + if self.request.user.is_superuser: return Organization.objects.filter(active=True) return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \ 
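Review bot: The added `from lib.main.rbac import *` pulls in everything rbac.py itself star-imports (models, serializers, `permissions`, `AnonymousUser`) because the new module defines no `__all__`; `from lib.main.rbac import CustomRbac` names the one symbol views.py takes from it and avoids the double wildcard. The `AnonymousUser` and `permissions` imports kept in this hunk were used only by the removed CustomRbac class as far as the hunk shows, so they are probably unused in views.py now, though the rest of the file is outside the hunk.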
@@ -74,72 +35,5 @@ class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView): #def pre_save(self, obj): # obj.owner = self.request.user -#class OrganizationsList(mixins.ListModelMixin, mixins.CreateModelMixin, generics.MultipleObjectAPIView): -# -# model = Organization -# serializer_class = OrganizationSerializer -# -# def get(self, request, *args, **kwargs): -# return self.list(request, *args, **kwargs) -# -# def post(self, request, *args, **kwargs): -# return self.create(request, *args, **kwargs) - -#class JSONResponse(HttpResponse): -# """ -# An HttpResponse that renders it's content into JSON. -# """ -# def __init__(self, data, **kwargs): -# content = JSONRenderer().render(data) -# kwargs['content_type'] = 'application/json' -# super(JSONResponse, self).__init__(content, **kwargs) - -#@csrf_exempt -#def organizations_list(request): -# """ -# List all code snippets, or create a new snippet. -# """ -# if request.method == 'GET': -# # TODO: FILTER -# organizations = Organization.objects.all() -# serializer = OrganizationSerializer(organizations, many=True) -# return JSONResponse(serializer.data) -# -# elif request.method == 'POST': -# data = JSONParser().parse(request) -# # TODO: DATA AUDIT -# serializer = OrganizationSerializer(data=data) -# if serializer.is_valid(): -# serializer.save() -# return JSONResponse(serializer.data, status=201) -# else: -# return JSONResponse(serializer.errors, status=400) - -#@csrf_exempt -#def snippet_detail(request, pk): -# """ -# Retrieve, update or delete a code snippet. 
-# """ -# try: -# snippet = Snippet.objects.get(pk=pk) -# except Snippet.DoesNotExist: -# return HttpResponse(status=404) -# -# if request.method == 'GET': -# serializer = SnippetSerializer(snippet) -# return JSONResponse(serializer.data) -# -# elif request.method == 'PUT': -# data = JSONParser().parse(request) -# serializer = SnippetSerializer(snippet, data=data) -# if serializer.is_valid(): -# serializer.save() -# return JSONResponse(serializer.data) -# else: -# return JSONResponse(serializer.errors, status=400) -# -# elif request.method == 'DELETE': -# snippet.delete() -# return HttpResponse(status=204)