Deletes are operational plus access control hooks for deletes.

2026-01-11 10:00:01 -03:30 · 2013-03-21 11:06:47 -04:00 · 2013-03-21 11:06:47 -04:00 · c189cfcddb
commit c189cfcddb
parent 843164ba04
4 changed files with 46 additions and 11 deletions
--- a/lib/main/rbac.py
+++ b/lib/main/rbac.py
@ -28,7 +28,13 @@ class CustomRbac(permissions.BasePermission):
        if not self._common_user_check(request):
            return False
        if obj is None:
-            # filtering happens in the view
+            if getattr(view, 'list_permissions_check', None):
+                if request.user.is_superuser:
+                    return True
+                if not view.list_permissions_check(request):
+                    raise PermissionDenied()
+            elif not getattr(view, 'item_permissions_check', None):
+                raise Exception("internal error, list_permissions_check or item_permissions_check must be defined")
            return True
        else:
            # haven't tested around these confines yet
@ -39,6 +45,6 @@ class CustomRbac(permissions.BasePermission):
            return True
        if not self._common_user_check(request):
            return False
-        if not view.permissions_check(request, obj):
+        if not view.item_permissions_check(request, obj):
            raise PermissionDenied()
        return True
--- a/lib/main/serializers.py
+++ b/lib/main/serializers.py
@ -2,6 +2,10 @@ from django.contrib.auth.models import User as DjangoUser
 from lib.main.models import User, Organization, Project
 from rest_framework import serializers, pagination

+# FIXME: add all fields here
+# FIXME: make proper fields read only
+# FIXME: add URLs for sub resources like /organizations/2/projects/
+
 class OrganizationSerializer(serializers.ModelSerializer):

    url = serializers.CharField(source='get_absolute_url', read_only=True)
--- a/lib/main/tests.py
+++ b/lib/main/tests.py
@ -185,7 +185,23 @@ class OrganizationsTest(BaseTest):
        pass

    def test_post_item(self):
-        pass
+
+        new_org = dict(name='magic test org', description='8675309')
+        
+        # need to be a valid user
+        self.post(self.collection(), new_org, expect=401, auth=None)
+        self.post(self.collection(), new_org, expect=401, auth=self.get_invalid_credentials())
+        
+        # only super users can create organizations
+        self.post(self.collection(), new_org, expect=403, auth=self.get_normal_credentials())
+        self.post(self.collection(), new_org, expect=403, auth=self.get_other_credentials())
+        data1 = self.post(self.collection(), new_org, expect=201, auth=self.get_super_credentials())
+
+        # duplicate post results in 400
+        data2 = self.post(self.collection(), new_org, expect=400, auth=self.get_super_credentials())
+
+        # look at what we got back from the post, make sure we added an org
+        self.assertTrue(data1['url'].endswith("/11/"))

    def test_post_item_subobjects_projects(self):
        pass
@ -222,6 +238,9 @@ class OrganizationsTest(BaseTest):
        # super user can also put even though they aren't added to the org users or admins list
        self.put(urls[1], new_data1, expect=200, auth=self.get_super_credentials())

+        # make sure posting to this URL is not supported
+        self.post(urls[1], new_data1, expect=405, auth=self.get_super_credentials())
+
    def test_put_item_subobjects_projects(self):
        pass

--- a/lib/main/views.py
+++ b/lib/main/views.py
@ -25,7 +25,13 @@ class OrganizationsList(generics.ListCreateAPIView):
        return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
               Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()

-    def permissions_check(self, request, obj):
+    def list_permissions_check(self, request, obj=None):
+        if request.method == 'GET':
+             # everybody can call get, but it's filtered
+             return True
+        if request.method == 'POST':
+             # superusers have already been cleared, so deny regular users
+             return False
        raise exceptions.NotImplementedError

 
@ -38,13 +44,13 @@ class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
    #def pre_save(self, obj):
    #   obj.owner = self.request.user

-    def permissions_check(self, request, obj):
-         admin = request.user.application_user in obj.admins.all() 
-         user  = request.user.application_user in obj.users.all()
-         if request.method == 'GET':
-              return admin or user
-         if request.method == 'PUT':
-              return admin
+    def item_permissions_check(self, request, obj):
+        admin = request.user.application_user in obj.admins.all() 
+        user  = request.user.application_user in obj.users.all()
+        if request.method == 'GET':
+             return admin or user
+        if request.method == 'PUT':
+             return admin