awx/lib/main/views.py

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
#from rest_framework.renderers import JSONRenderer
#from rest_framework.parsers import JSONParser

from lib.main.models import *
from lib.main.serializers import *
from django.contrib.auth.models import AnonymousUser

from rest_framework import mixins
from rest_framework import generics
from rest_framework import permissions
#from rest_framework.authentication import authentication

# TODO: verify pagination
# TODO: how to add relative resources
# TODO: 

class CustomRbac(permissions.BasePermission):

    def _common_user_check(self, request):
        # no anonymous users
        if type(request.user) == AnonymousUser:
            return False
        # superusers are always good
        if request.user.is_superuser:
            return True
        # other users must have associated acom user records & be active
        acom_user = User.objects.filter(auth_user = request.user)
        if len(acom_user) != 1:
            return False
        if not acom_user[0].active:
            return False
        return True

    def has_permission(self, request, view, obj=None):
        if not self._common_user_check(request):
            return False
        if obj is None:
            return True
        else:
            # haven't tested around these confines yet
            raise Exception("FIXME")

    def has_object_permission(self, request, view, obj):
        if not self._common_user_check(request):
            return False
        # FIXME: TODO: verify the user is actually allowed to see this resource
        return True 

class OrganizationsList(generics.ListCreateAPIView):


    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)

    #def pre_save(self, obj):
    #   obj.owner = self.request.user
   
    def get_queryset(self):
        if self.request.user.is_superuser:
            return Organization.objects.filter(active=True)
        return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
               Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()

 
class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
    model = Organization
    serializer_class = OrganizationSerializer

    permission_classes = (CustomRbac,)

    #def pre_save(self, obj):
    #   obj.owner = self.request.user

#class OrganizationsList(mixins.ListModelMixin, mixins.CreateModelMixin, generics.MultipleObjectAPIView):
#
#    model = Organization
#    serializer_class = OrganizationSerializer
#
#    def get(self, request, *args, **kwargs):
#        return self.list(request, *args, **kwargs)
#
#    def post(self, request, *args, **kwargs):
#        return self.create(request, *args, **kwargs)

#class JSONResponse(HttpResponse):
#    """
#    An HttpResponse that renders it's content into JSON.
#    """
#    def __init__(self, data, **kwargs):
#        content = JSONRenderer().render(data)
#        kwargs['content_type'] = 'application/json'
#        super(JSONResponse, self).__init__(content, **kwargs)

#@csrf_exempt
#def organizations_list(request):
#    """
#    List all code snippets, or create a new snippet.
#    """
#    if request.method == 'GET':
#        # TODO: FILTER
#        organizations = Organization.objects.all()
#        serializer = OrganizationSerializer(organizations, many=True)
#        return JSONResponse(serializer.data)
#
#    elif request.method == 'POST':
#        data = JSONParser().parse(request)
#        # TODO: DATA AUDIT
#        serializer = OrganizationSerializer(data=data)
#        if serializer.is_valid():
#            serializer.save()
#            return JSONResponse(serializer.data, status=201)
#        else:
#            return JSONResponse(serializer.errors, status=400)

#@csrf_exempt
#def snippet_detail(request, pk):
#    """
#    Retrieve, update or delete a code snippet.
#    """
#    try:
#        snippet = Snippet.objects.get(pk=pk)
#    except Snippet.DoesNotExist:
#        return HttpResponse(status=404)
#
#    if request.method == 'GET':
#        serializer = SnippetSerializer(snippet)
#        return JSONResponse(serializer.data)
#
#    elif request.method == 'PUT':
#        data = JSONParser().parse(request)
#        serializer = SnippetSerializer(snippet, data=data)
#        if serializer.is_valid():
#            serializer.save()
#            return JSONResponse(serializer.data)
#        else:
#            return JSONResponse(serializer.errors, status=400)
#
#    elif request.method == 'DELETE':
#        snippet.delete()
#        return HttpResponse(status=204)
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from django.http import HttpResponse`
			`from django.views.decorators.csrf import csrf_exempt`
			`#from rest_framework.renderers import JSONRenderer`
			`#from rest_framework.parsers import JSONParser`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from lib.main.models import *`
			`from lib.main.serializers import *`
Add functions for checking size of paginated results 2013-03-21 06:47:51 +04:00			`from django.contrib.auth.models import AnonymousUser`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
			`from rest_framework import mixins`
			`from rest_framework import generics`
			`from rest_framework import permissions`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00			`#from rest_framework.authentication import authentication`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
			`# TODO: verify pagination`
			`# TODO: how to add relative resources`
			`# TODO:`

			`class CustomRbac(permissions.BasePermission):`

Added baseline for object GET tests, with one failing test to correct. 2013-03-21 08:27:04 +04:00			`def _common_user_check(self, request):`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00			`# no anonymous users`
Add functions for checking size of paginated results 2013-03-21 06:47:51 +04:00			`if type(request.user) == AnonymousUser:`
			`return False`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00			`# superusers are always good`
			`if request.user.is_superuser:`
			`return True`
Added baseline for object GET tests, with one failing test to correct. 2013-03-21 08:27:04 +04:00			`# other users must have associated acom user records & be active`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00			`acom_user = User.objects.filter(auth_user = request.user)`
			`if len(acom_user) != 1:`
			`return False`
			`if not acom_user[0].active:`
			`return False`
Added baseline for object GET tests, with one failing test to correct. 2013-03-21 08:27:04 +04:00			`return True`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00
Added baseline for object GET tests, with one failing test to correct. 2013-03-21 08:27:04 +04:00			`def has_permission(self, request, view, obj=None):`
			`if not self._common_user_check(request):`
			`return False`
Add functions for checking size of paginated results 2013-03-21 06:47:51 +04:00			`if obj is None:`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`return True`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00			`else:`
Get resource URLs installed in REST API returns. 2013-03-21 08:12:03 +04:00			`# haven't tested around these confines yet`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00			`raise Exception("FIXME")`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00			`def has_object_permission(self, request, view, obj):`
Added baseline for object GET tests, with one failing test to correct. 2013-03-21 08:27:04 +04:00			`if not self._common_user_check(request):`
			`return False`
			`# FIXME: TODO: verify the user is actually allowed to see this resource`
			`return True`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
			`class OrganizationsList(generics.ListCreateAPIView):`


			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`

			`#def pre_save(self, obj):`
			`# obj.owner = self.request.user`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00
			`def get_queryset(self):`
			`if self.request.user.is_superuser:`
Only list active organizations 2013-03-21 08:31:07 +04:00			`return Organization.objects.filter(active=True)`
			`return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() \| \`
			`Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00

Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):`
			`model = Organization`
			`serializer_class = OrganizationSerializer`

			`permission_classes = (CustomRbac,)`

			`#def pre_save(self, obj):`
			`# obj.owner = self.request.user`

			`#class OrganizationsList(mixins.ListModelMixin, mixins.CreateModelMixin, generics.MultipleObjectAPIView):`
			`#`
			`# model = Organization`
			`# serializer_class = OrganizationSerializer`
			`#`
			`# def get(self, request, args, *kwargs):`
			`# return self.list(request, args, *kwargs)`
			`#`
			`# def post(self, request, args, *kwargs):`
			`# return self.create(request, args, *kwargs)`

			`#class JSONResponse(HttpResponse):`
			`# """`
			`# An HttpResponse that renders it's content into JSON.`
			`# """`
			`# def __init__(self, data, **kwargs):`
			`# content = JSONRenderer().render(data)`
			`# kwargs['content_type'] = 'application/json'`
			`# super(JSONResponse, self).__init__(content, **kwargs)`

			`#@csrf_exempt`
			`#def organizations_list(request):`
			`# """`
			`# List all code snippets, or create a new snippet.`
			`# """`
			`# if request.method == 'GET':`
			`# # TODO: FILTER`
			`# organizations = Organization.objects.all()`
			`# serializer = OrganizationSerializer(organizations, many=True)`
			`# return JSONResponse(serializer.data)`
			`#`
			`# elif request.method == 'POST':`
			`# data = JSONParser().parse(request)`
			`# # TODO: DATA AUDIT`
			`# serializer = OrganizationSerializer(data=data)`
			`# if serializer.is_valid():`
			`# serializer.save()`
			`# return JSONResponse(serializer.data, status=201)`
			`# else:`
			`# return JSONResponse(serializer.errors, status=400)`

			`#@csrf_exempt`
			`#def snippet_detail(request, pk):`
			`# """`
			`# Retrieve, update or delete a code snippet.`
			`# """`
			`# try:`
			`# snippet = Snippet.objects.get(pk=pk)`
			`# except Snippet.DoesNotExist:`
			`# return HttpResponse(status=404)`
			`#`
			`# if request.method == 'GET':`
			`# serializer = SnippetSerializer(snippet)`
			`# return JSONResponse(serializer.data)`
			`#`
			`# elif request.method == 'PUT':`
			`# data = JSONParser().parse(request)`
			`# serializer = SnippetSerializer(snippet, data=data)`
			`# if serializer.is_valid():`
			`# serializer.save()`
			`# return JSONResponse(serializer.data)`
			`# else:`
			`# return JSONResponse(serializer.errors, status=400)`
			`#`
			`# elif request.method == 'DELETE':`
			`# snippet.delete()`
			`# return HttpResponse(status=204)`