Added baseline for object GET tests, with one failing test to correct.

2026-02-16 10:40:01 -03:30 · 2013-03-21 00:27:04 -04:00
parent b5fcf6b469
commit c7328703fa
2 changed files with 30 additions and 72 deletions
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -18,24 +18,24 @@ from rest_framework import permissions

 class CustomRbac(permissions.BasePermission):

-    def has_permission(self, request, view, obj=None):
-
+    def _common_user_check(self, request):
        # no anonymous users
        if type(request.user) == AnonymousUser:
            return False
-
        # superusers are always good
        if request.user.is_superuser:
            return True
-
-        # other users must have associated acom user records
-        # and be active
+        # other users must have associated acom user records & be active
        acom_user = User.objects.filter(auth_user = request.user)
        if len(acom_user) != 1:
            return False
        if not acom_user[0].active:
            return False
+        return True

+    def has_permission(self, request, view, obj=None):
+        if not self._common_user_check(request):
+            return False
        if obj is None:
            return True
        else:
@@ -43,10 +43,10 @@ class CustomRbac(permissions.BasePermission):
            raise Exception("FIXME")

    def has_object_permission(self, request, view, obj):
-        # make sure we're running with a tested version since this is a security-related function
-        raise Exception("newer than expected version of django-rest-framework installed")
-
-
+        if not self._common_user_check(request):
+            return False
+        # FIXME: TODO: verify the user is actually allowed to see this resource
+        return True 

 class OrganizationsList(generics.ListCreateAPIView):