awx/lib/main/views.py

# (c) 2013, AnsibleWorks, Michael DeHaan <michael@ansibleworks.com>
#
# This file is part of Ansible Commander
#
# Ansible Commander is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible Commander is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible Commander.  If not, see <http://www.gnu.org/licenses/>.

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from lib.main.models import *
from django.contrib.auth.models import User
from lib.main.serializers import *
from lib.main.rbac import *
from django.core.exceptions import PermissionDenied
from rest_framework import mixins
from rest_framework import generics
from rest_framework import permissions
from rest_framework.response import Response
from rest_framework import status
import exceptions
import datetime
from base_views import BaseList, BaseDetail, BaseSubList

class OrganizationsList(BaseList):

    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)

    # I can see the organizations if:
    #   I am a superuser
    #   I am an admin of the organization 
    #   I am a member of the organization
   
    def _get_queryset(self):
        ''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
        base = Organization.objects
        if self.request.user.is_superuser:
            return base.all()
        return base.filter(
            admins__in = [ self.request.user ]
        ).distinct() | base.filter(
            users__in = [ self.request.user ]
        ).distinct()

class OrganizationsDetail(BaseDetail):

    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)

class OrganizationsAuditTrailList(BaseSubList):

    model = AuditTrail
    serializer_class = AuditTrailSerializer
    permission_classes = (CustomRbac,)
    parent_model = Organization
    relationship = 'audit_trail'
    postable = False

    def _get_queryset(self):
        ''' to list tags in the organization, I must be a superuser or org admin '''
        organization = Organization.objects.get(pk=self.kwargs['pk'])
        if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
            # FIXME: use: organization.can_user_administrate(self.request.user)
            raise PermissionDenied()
        return AuditTrail.objects.filter(organization_by_audit_trail__in = [ organization ])


class OrganizationsUsersList(BaseSubList):
    
    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)
    parent_model = Organization
    relationship = 'users'
    postable = True

    def _get_queryset(self):
        ''' to list users in the organization, I must be a superuser or org admin '''
        organization = Organization.objects.get(pk=self.kwargs['pk'])
        if not self.request.user.is_superuser and not self.request.user in organization.admins.all():
            raise PermissionDenied()
        return User.objects.filter(organizations__in = [ organization ])

class OrganizationsAdminsList(BaseSubList):
    
    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)
    parent_model = Organization
    relationship = 'admins'
    postable = True

    def _get_queryset(self):
        ''' to list admins in the organization, I must be a superuser or org admin '''
        organization = Organization.objects.get(pk=self.kwargs['pk'])
        if not self.request.user.is_superuser and not self.request.user in organization.admins.all():
            raise PermissionDenied()
        return User.objects.filter(admin_of_organizations__in = [ organization ])

class OrganizationsProjectsList(BaseSubList):
    
    model = Project
    serializer_class = ProjectSerializer
    permission_classes = (CustomRbac,)
    parent_model = Organization  # for sub list
    relationship = 'projects'    # " "
    postable = True
    
    def _get_queryset(self):
        ''' to list projects in the organization, I must be a superuser or org admin '''
        organization = Organization.objects.get(pk=self.kwargs['pk'])
        if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
            raise PermissionDenied()
        return Project.objects.filter(organizations__in = [ organization ])

class OrganizationsTagsList(BaseSubList):
    
    model = Tag
    serializer_class = TagSerializer
    permission_classes = (CustomRbac,)
    parent_model = Organization  # for sub list
    relationship = 'tags'        # " "
    postable = True

    def _get_queryset(self):
        ''' to list tags in the organization, I must be a superuser or org admin '''
        organization = Organization.objects.get(pk=self.kwargs['pk'])
        if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
            # FIXME: use: organization.can_user_administrate(self.request.user)
            raise PermissionDenied()
        return Tag.objects.filter(organization_by_tag__in = [ organization ])

class ProjectsDetail(BaseDetail):

    model = Project
    serializer_class = ProjectSerializer
    permission_classes = (CustomRbac,)

class TagsDetail(BaseDetail):

    model = Tag
    serializer_class = TagSerializer
    permission_classes = (CustomRbac,)

class UsersList(BaseList):

    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)

    def post(self, request, *args, **kwargs):
        password = request.DATA.get('password', None)
        result = super(UsersList, self).post(request, *args, **kwargs)
        if password:
            pk = result.data['id']
            user = User.objects.get(pk=pk)
            user.set_password(password)
            user.save()
        return result    

    def _get_queryset(self):
        ''' I can see user records when I'm a superuser, I'm that user, I'm their org admin, or I'm on a team with that user '''
        base = User.objects
        if self.request.user.is_superuser:
            return base.all()
        mine = base.filter(pk = self.request.user.pk).distinct() 
        admin_of = base.filter(organizations__in = self.request.user.admin_of_organizations.all()).distinct() 
        same_team = base.filter(teams__in = self.request.user.teams.all()).distinct()
        return mine | admin_of | same_team

class UsersMeList(BaseList):

    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)

    def post(self, request, *args, **kwargs):
        raise PermissionDenied()

    def _get_queryset(self):
        ''' a quick way to find my user record '''
        return User.objects.filter(pk=self.request.user.pk)

class UsersTeamsList(BaseSubList):

    model = Team
    serializer_class = TeamSerializer
    permission_classes = (CustomRbac,)
    parent_model = User
    relationship = 'teams'
    postable = False

    def _get_queryset(self):
        user = User.objects.get(pk=self.kwargs['pk'])
        if not UserHelper.can_user_administrate(self.request.user, user):
            raise PermissionDenied()
        return Team.objects.filter(users__in = [ user ])

class UsersOrganizationsList(BaseSubList):

    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)
    parent_model = User
    relationship = 'organizations'
    postable = False
    
    def _get_queryset(self):
        user = User.objects.get(pk=self.kwargs['pk'])
        if not UserHelper.can_user_administrate(self.request.user, user):
            raise PermissionDenied()
        return Organization.objects.filter(users__in = [ user ])

class UsersAdminOrganizationsList(BaseSubList):

    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)
    parent_model = User
    relationship = 'admin_of_organizations'
    postable = False

    def _get_queryset(self):
        user = User.objects.get(pk=self.kwargs['pk'])
        if not UserHelper.can_user_administrate(self.request.user, user):
            raise PermissionDenied()
        return Organization.objects.filter(admins__in = [ user ])

class UsersDetail(BaseDetail):

    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)

    def put_filter(self, request, *args, **kwargs):
        ''' make sure non-read-only fields that can only be edited by admins, are only edited by admins ''' 
        obj = User.objects.get(pk=kwargs['pk'])
        if EditHelper.illegal_changes(request, obj, UserHelper):
            raise PermissionDenied()
        if 'password' in request.DATA:
            obj.set_password(request.DATA['password'])
            obj.save()
            request.DATA.pop('password')

class InventoryList(BaseList):

    model = Inventory
    serializer_class = InventorySerializer
    permission_classes = (CustomRbac,)

    def _get_queryset(self):
        ''' I can see inventory when I'm a superuser, an org admin of the inventory, or I have permissions on it '''
        base = Inventory.objects
        if self.request.user.is_superuser:
            return base.all()
        admin_of  = base.filter(organization__admins__in = [ self.request.user ]).distinct()
        has_user_perms = base.filter(
            permissions__user__in = [ self.request.user ],
            permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
        ).distinct()
        has_team_perms = base.filter(
            permissions__team__in = self.request.user.teams.all(),
            permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
        ).distinct()
        return admin_of | has_user_perms | has_team_perms

class InventoryDetail(BaseDetail):

    model = Inventory
    serializer_class = InventorySerializer
    permission_classes = (CustomRbac,)

class HostsList(BaseList):

    model = Host
    serializer_class = HostSerializer
    permission_classes = (CustomRbac,)

    def _get_queryset(self):
        ''' 
        I can see hosts when:
           I'm a superuser, 
           or an organization admin of an inventory they are in
           or when I have allowing read permissions via a user or team on an inventory they are in
        '''
        base = Host.objects
        if self.request.user.is_superuser:
            return base.all()
        admin_of  = base.filter(inventory__organization__admins__in = [ self.request.user ]).distinct()
        has_user_perms = base.filter(
            inventory__permissions__user__in = [ self.request.user ],
            inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
        ).distinct()
        has_team_perms = base.filter(
            inventory__permissions__team__in = self.request.user.teams.all(),
            inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
        ).distinct()
        return admin_of | has_user_perms | has_team_perms

class HostsDetail(BaseDetail):

    model = Host
    serializer_class = HostSerializer
    permission_classes = (CustomRbac,)
Add copyright headers. 2013-03-24 02:43:11 +04:00			`# (c) 2013, AnsibleWorks, Michael DeHaan <michael@ansibleworks.com>`
			`#`
			`# This file is part of Ansible Commander`
			`#`
			`# Ansible Commander is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# Ansible Commander is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>.`

Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from django.http import HttpResponse`
			`from django.views.decorators.csrf import csrf_exempt`
			`from lib.main.models import *`
Simplify user model by just using the Django user object. 2013-03-22 19:35:26 +04:00			`from django.contrib.auth.models import User`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from lib.main.serializers import *`
Move RBAC code to seperate file. 2013-03-21 08:34:59 +04:00			`from lib.main.rbac import *`
Deleted objects are not really deleted but now appear to be via REST. 2013-03-21 22:20:59 +04:00			`from django.core.exceptions import PermissionDenied`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from rest_framework import mixins`
			`from rest_framework import generics`
			`from rest_framework import permissions`
Handle post to corrections by overriding post to not save the object. Work in progress. 2013-03-22 17:50:42 +04:00			`from rest_framework.response import Response`
			`from rest_framework import status`
Streamlining RBAC layer code, adding tests for PUT operations. 2013-03-21 18:25:49 +04:00			`import exceptions`
Deleted objects are not really deleted but now appear to be via REST. 2013-03-21 22:20:59 +04:00			`import datetime`
This makes subobject attachment and detachment generic, making the views much easier to code up. 2013-03-23 00:52:44 +04:00			`from base_views import BaseList, BaseDetail, BaseSubList`
Deleted objects are not really deleted but now appear to be via REST. 2013-03-21 22:20:59 +04:00
			`class OrganizationsList(BaseList):`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
			`# I can see the organizations if:`
			`# I am a superuser`
			`# I am an admin of the organization`
			`# I am a member of the organization`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00
Deleted objects are not really deleted but now appear to be via REST. 2013-03-21 22:20:59 +04:00			`def _get_queryset(self):`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''`
			`base = Organization.objects`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00			`if self.request.user.is_superuser:`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`return base.all()`
			`return base.filter(`
Simplify user model by just using the Django user object. 2013-03-22 19:35:26 +04:00			`admins__in = [ self.request.user ]`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`).distinct() \| base.filter(`
Simplify user model by just using the Django user object. 2013-03-22 19:35:26 +04:00			`users__in = [ self.request.user ]`
Deleted objects are not really deleted but now appear to be via REST. 2013-03-21 22:20:59 +04:00			`).distinct()`

			`class OrganizationsDetail(BaseDetail):`
Streamlining RBAC layer code, adding tests for PUT operations. 2013-03-21 18:25:49 +04:00
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`

Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`class OrganizationsAuditTrailList(BaseSubList):`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
			`model = AuditTrail`
			`serializer_class = AuditTrailSerializer`
			`permission_classes = (CustomRbac,)`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`parent_model = Organization`
			`relationship = 'audit_trail'`
			`postable = False`

			`def _get_queryset(self):`
			`''' to list tags in the organization, I must be a superuser or org admin '''`
			`organization = Organization.objects.get(pk=self.kwargs['pk'])`
			`if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):`
			`# FIXME: use: organization.can_user_administrate(self.request.user)`
			`raise PermissionDenied()`
Add part of list to show audit trail by organization, still need to hook create to auto-establish the audit trail records. 2013-03-24 01:07:24 +04:00			`return AuditTrail.objects.filter(organization_by_audit_trail__in = [ organization ])`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00			`class OrganizationsUsersList(BaseSubList):`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
			`model = User`
			`serializer_class = UserSerializer`
			`permission_classes = (CustomRbac,)`
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00			`parent_model = Organization`
			`relationship = 'users'`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`postable = True`
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00			`def _get_queryset(self):`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`''' to list users in the organization, I must be a superuser or org admin '''`
			`organization = Organization.objects.get(pk=self.kwargs['pk'])`
Listing the admins of an organization. 2013-03-23 23:43:59 +04:00			`if not self.request.user.is_superuser and not self.request.user in organization.admins.all():`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`raise PermissionDenied()`
			`return User.objects.filter(organizations__in = [ organization ])`
Add support for related resources, and all present related resources on the organization object. Implementation of sub services still on deck. 2013-03-21 23:11:47 +04:00
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00			`class OrganizationsAdminsList(BaseSubList):`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
			`model = User`
			`serializer_class = UserSerializer`
			`permission_classes = (CustomRbac,)`
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00			`parent_model = Organization`
			`relationship = 'admins'`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`postable = True`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
			`def _get_queryset(self):`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`''' to list admins in the organization, I must be a superuser or org admin '''`
			`organization = Organization.objects.get(pk=self.kwargs['pk'])`
Listing the admins of an organization. 2013-03-23 23:43:59 +04:00			`if not self.request.user.is_superuser and not self.request.user in organization.admins.all():`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`raise PermissionDenied()`
Listing the admins of an organization. 2013-03-23 23:43:59 +04:00			`return User.objects.filter(admin_of_organizations__in = [ organization ])`
Add support for related resources, and all present related resources on the organization object. Implementation of sub services still on deck. 2013-03-21 23:11:47 +04:00
This makes subobject attachment and detachment generic, making the views much easier to code up. 2013-03-23 00:52:44 +04:00			`class OrganizationsProjectsList(BaseSubList):`
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00
Implementation and testing of the organizations projects subresource. 2013-03-22 01:38:53 +04:00			`model = Project`
			`serializer_class = ProjectSerializer`
			`permission_classes = (CustomRbac,)`
misc cleanup 2013-03-23 02:16:40 +04:00			`parent_model = Organization # for sub list`
			`relationship = 'projects' # " "`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`postable = True`
Implementation and testing of the organizations projects subresource. 2013-03-22 01:38:53 +04:00
Various stub view logic (tests pending) for subresources under the organization. 2013-03-21 23:43:35 +04:00			`def _get_queryset(self):`
Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models. 2013-03-23 23:34:16 +04:00			`''' to list projects in the organization, I must be a superuser or org admin '''`
			`organization = Organization.objects.get(pk=self.kwargs['pk'])`
			`if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):`
			`raise PermissionDenied()`
			`return Project.objects.filter(organizations__in = [ organization ])`
Add support for related resources, and all present related resources on the organization object. Implementation of sub services still on deck. 2013-03-21 23:11:47 +04:00
Ability to add tags to an organization. 2013-03-24 00:34:52 +04:00			`class OrganizationsTagsList(BaseSubList):`
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00
			`model = Tag`
			`serializer_class = TagSerializer`
			`permission_classes = (CustomRbac,)`
			`parent_model = Organization # for sub list`
			`relationship = 'tags' # " "`
Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists. 2013-03-24 00:50:25 +04:00			`postable = True`
Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00
			`def _get_queryset(self):`
			`''' to list tags in the organization, I must be a superuser or org admin '''`
			`organization = Organization.objects.get(pk=self.kwargs['pk'])`
			`if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):`
			`# FIXME: use: organization.can_user_administrate(self.request.user)`
			`raise PermissionDenied()`
			`return Tag.objects.filter(organization_by_tag__in = [ organization ])`
Add support for related resources, and all present related resources on the organization object. Implementation of sub services still on deck. 2013-03-21 23:11:47 +04:00
Implementation and testing of the organizations projects subresource. 2013-03-22 01:38:53 +04:00			`class ProjectsDetail(BaseDetail):`

			`model = Project`
			`serializer_class = ProjectSerializer`
			`permission_classes = (CustomRbac,)`

Listing tags attached to an organization, and basic model/view things around tag details 2013-03-24 00:03:17 +04:00			`class TagsDetail(BaseDetail):`

			`model = Tag`
			`serializer_class = TagSerializer`
			`permission_classes = (CustomRbac,)`
Implementation and testing of the organizations projects subresource. 2013-03-22 01:38:53 +04:00
Create a mechanism for filtering put details, and now users can change their own passwords but not rename themselves, etc. 2013-03-24 20:36:42 +04:00			`class UsersList(BaseList):`
Add support for related resources, and all present related resources on the organization object. Implementation of sub services still on deck. 2013-03-21 23:11:47 +04:00
Create a mechanism for filtering put details, and now users can change their own passwords but not rename themselves, etc. 2013-03-24 20:36:42 +04:00			`model = User`
			`serializer_class = UserSerializer`
			`permission_classes = (CustomRbac,)`

A post hook that allows user creation with passwords being set appropriately, and associated tests. 2013-03-24 21:31:46 +04:00			`def post(self, request, args, *kwargs):`
			`password = request.DATA.get('password', None)`
			`result = super(UsersList, self).post(request, args, *kwargs)`
			`if password:`
			`pk = result.data['id']`
			`user = User.objects.get(pk=pk)`
			`user.set_password(password)`
			`user.save()`
			`return result`

Create a mechanism for filtering put details, and now users can change their own passwords but not rename themselves, etc. 2013-03-24 20:36:42 +04:00			`def _get_queryset(self):`
			`''' I can see user records when I'm a superuser, I'm that user, I'm their org admin, or I'm on a team with that user '''`
			`base = User.objects`
			`if self.request.user.is_superuser:`
			`return base.all()`
A post hook that allows user creation with passwords being set appropriately, and associated tests. 2013-03-24 21:31:46 +04:00			`mine = base.filter(pk = self.request.user.pk).distinct()`
			`admin_of = base.filter(organizations__in = self.request.user.admin_of_organizations.all()).distinct()`
			`same_team = base.filter(teams__in = self.request.user.teams.all()).distinct()`
			`return mine \| admin_of \| same_team`
Create a mechanism for filtering put details, and now users can change their own passwords but not rename themselves, etc. 2013-03-24 20:36:42 +04:00
Add a /api/v1/me URL, which is a quick way to find your user record. 2013-03-24 22:23:37 +04:00			`class UsersMeList(BaseList):`

			`model = User`
			`serializer_class = UserSerializer`
			`permission_classes = (CustomRbac,)`

			`def post(self, request, args, *kwargs):`
			`raise PermissionDenied()`

			`def _get_queryset(self):`
			`''' a quick way to find my user record '''`
			`return User.objects.filter(pk=self.request.user.pk)`

Add related resources from a user object, as a rapid way to list what organizations or projects they belong to. 2013-03-24 23:00:01 +04:00			`class UsersTeamsList(BaseSubList):`

			`model = Team`
			`serializer_class = TeamSerializer`
			`permission_classes = (CustomRbac,)`
			`parent_model = User`
			`relationship = 'teams'`
			`postable = False`

			`def _get_queryset(self):`
			`user = User.objects.get(pk=self.kwargs['pk'])`
			`if not UserHelper.can_user_administrate(self.request.user, user):`
			`raise PermissionDenied()`
			`return Team.objects.filter(users__in = [ user ])`

			`class UsersOrganizationsList(BaseSubList):`

			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`
			`parent_model = User`
			`relationship = 'organizations'`
			`postable = False`

			`def _get_queryset(self):`
			`user = User.objects.get(pk=self.kwargs['pk'])`
			`if not UserHelper.can_user_administrate(self.request.user, user):`
			`raise PermissionDenied()`
			`return Organization.objects.filter(users__in = [ user ])`

			`class UsersAdminOrganizationsList(BaseSubList):`

			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`
			`parent_model = User`
			`relationship = 'admin_of_organizations'`
			`postable = False`

			`def _get_queryset(self):`
			`user = User.objects.get(pk=self.kwargs['pk'])`
			`if not UserHelper.can_user_administrate(self.request.user, user):`
			`raise PermissionDenied()`
			`return Organization.objects.filter(admins__in = [ user ])`

Create a mechanism for filtering put details, and now users can change their own passwords but not rename themselves, etc. 2013-03-24 20:36:42 +04:00			`class UsersDetail(BaseDetail):`

			`model = User`
			`serializer_class = UserSerializer`
			`permission_classes = (CustomRbac,)`

			`def put_filter(self, request, args, *kwargs):`
			`''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''`
			`obj = User.objects.get(pk=kwargs['pk'])`
			`if EditHelper.illegal_changes(request, obj, UserHelper):`
			`raise PermissionDenied()`
			`if 'password' in request.DATA:`
			`obj.set_password(request.DATA['password'])`
			`obj.save()`
			`request.DATA.pop('password')`
Working on surfacing inventory objects. 2013-03-26 00:41:21 +04:00
			`class InventoryList(BaseList):`

			`model = Inventory`
			`serializer_class = InventorySerializer`
			`permission_classes = (CustomRbac,)`

			`def _get_queryset(self):`
			`''' I can see inventory when I'm a superuser, an org admin of the inventory, or I have permissions on it '''`
			`base = Inventory.objects`
			`if self.request.user.is_superuser:`
			`return base.all()`
			`admin_of = base.filter(organization__admins__in = [ self.request.user ]).distinct()`
Explain the RBAC model around inventory usage and adapt a view to match. 2013-03-26 01:36:51 +04:00			`has_user_perms = base.filter(`
Working on surfacing inventory objects. 2013-03-26 00:41:21 +04:00			`permissions__user__in = [ self.request.user ],`
			`permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,`
			`).distinct()`
Explain the RBAC model around inventory usage and adapt a view to match. 2013-03-26 01:36:51 +04:00			`has_team_perms = base.filter(`
			`permissions__team__in = self.request.user.teams.all(),`
			`permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,`
			`).distinct()`
			`return admin_of \| has_user_perms \| has_team_perms`
Working on surfacing inventory objects. 2013-03-26 00:41:21 +04:00
			`class InventoryDetail(BaseDetail):`

			`model = Inventory`
			`serializer_class = InventorySerializer`
			`permission_classes = (CustomRbac,)`

Working on Hosts and Groups 2013-03-26 22:44:12 +04:00			`class HostsList(BaseList):`

			`model = Host`
			`serializer_class = HostSerializer`
			`permission_classes = (CustomRbac,)`

			`def _get_queryset(self):`
			`'''`
			`I can see hosts when:`
			`I'm a superuser,`
			`or an organization admin of an inventory they are in`
			`or when I have allowing read permissions via a user or team on an inventory they are in`
			`'''`
			`base = Host.objects`
			`if self.request.user.is_superuser:`
			`return base.all()`
			`admin_of = base.filter(inventory__organization__admins__in = [ self.request.user ]).distinct()`
			`has_user_perms = base.filter(`
			`inventory__permissions__user__in = [ self.request.user ],`
			`inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,`
			`).distinct()`
			`has_team_perms = base.filter(`
			`inventory__permissions__team__in = self.request.user.teams.all(),`
			`inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,`
			`).distinct()`
			`return admin_of \| has_user_perms \| has_team_perms`

			`class HostsDetail(BaseDetail):`

			`model = Host`
			`serializer_class = HostSerializer`
			`permission_classes = (CustomRbac,)`