2013-04-02 00:04:27 +04:00
# Copyright (c) 2013 AnsibleWorks, Inc.
2013-03-24 02:43:11 +04:00
#
2013-04-09 09:05:55 +04:00
# This file is part of Ansible Commander.
2013-04-18 05:36:12 +04:00
#
2013-03-24 02:43:11 +04:00
# Ansible Commander is free software: you can redistribute it and/or modify
2013-04-09 09:05:55 +04:00
# it under the terms of the GNU General Public License as published by
2013-04-18 05:36:12 +04:00
# the Free Software Foundation, version 3 of the License.
2013-03-24 02:43:11 +04:00
#
2013-04-09 09:05:55 +04:00
# Ansible Commander is distributed in the hope that it will be useful,
2013-03-24 02:43:11 +04:00
# but WITHOUT ANY WARRANTY; without even the implied warranty of
2013-04-09 09:05:55 +04:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
2013-04-18 05:36:12 +04:00
#
2013-04-09 09:05:55 +04:00
# You should have received a copy of the GNU General Public License
# along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>.
2013-03-24 02:43:11 +04:00
2013-03-20 06:26:35 +04:00
from django . http import HttpResponse
from django . views . decorators . csrf import csrf_exempt
from lib . main . models import *
2013-03-22 19:35:26 +04:00
from django . contrib . auth . models import User
2013-03-20 06:26:35 +04:00
from lib . main . serializers import *
2013-03-21 08:34:59 +04:00
from lib . main . rbac import *
2013-03-21 22:20:59 +04:00
from django . core . exceptions import PermissionDenied
2013-03-20 06:26:35 +04:00
from rest_framework import mixins
from rest_framework import generics
from rest_framework import permissions
2013-03-22 17:50:42 +04:00
from rest_framework . response import Response
from rest_framework import status
2013-04-10 08:41:51 +04:00
from rest_framework . settings import api_settings
from rest_framework . authtoken . views import ObtainAuthToken
2013-04-25 20:55:09 +04:00
from rest_framework . views import APIView
2013-03-21 18:25:49 +04:00
import exceptions
2013-03-21 22:20:59 +04:00
import datetime
2013-04-25 20:55:09 +04:00
import json as python_json
2013-03-27 06:24:03 +04:00
from base_views import *
2013-03-21 22:20:59 +04:00
2013-04-25 20:55:09 +04:00
class ApiRootView ( APIView ) :
def get ( self , request , format = None ) :
data = { }
#data = python_json.dumps(data)
return Response ( data )
class ApiV1RootView ( APIView ) :
def get ( self , request , format = None ) :
data = { }
#data = python_json.dumps(data)
return Response ( data )
2013-04-10 08:41:51 +04:00
class AuthTokenView ( ObtainAuthToken ) :
renderer_classes = api_settings . DEFAULT_RENDERER_CLASSES
# FIXME: Show a better form for HTML view
# FIXME: How to make this view discoverable?
2013-03-21 22:20:59 +04:00
class OrganizationsList ( BaseList ) :
2013-03-20 06:26:35 +04:00
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
2013-04-18 04:35:01 +04:00
filter_fields = ( ' name ' , )
2013-03-21 23:43:35 +04:00
# I can see the organizations if:
# I am a superuser
2013-04-02 22:59:58 +04:00
# I am an admin of the organization
2013-03-21 23:43:35 +04:00
# I am a member of the organization
2013-04-02 22:59:58 +04:00
2013-03-21 22:20:59 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
base = Organization . objects
2013-03-21 07:14:09 +04:00
if self . request . user . is_superuser :
2013-03-23 23:34:16 +04:00
return base . all ( )
return base . filter (
2013-03-22 19:35:26 +04:00
admins__in = [ self . request . user ]
2013-03-23 23:34:16 +04:00
) . distinct ( ) | base . filter (
2013-03-22 19:35:26 +04:00
users__in = [ self . request . user ]
2013-03-21 22:20:59 +04:00
) . distinct ( )
class OrganizationsDetail ( BaseDetail ) :
2013-03-21 18:25:49 +04:00
2013-03-20 06:26:35 +04:00
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:50:25 +04:00
class OrganizationsAuditTrailList ( BaseSubList ) :
2013-03-21 23:43:35 +04:00
model = AuditTrail
serializer_class = AuditTrailSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:50:25 +04:00
parent_model = Organization
relationship = ' audit_trail '
postable = False
def _get_queryset ( self ) :
''' to list tags in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
2013-04-19 20:10:30 +04:00
# FIXME: use: organization.can_user_administrate(...) ?
2013-03-24 00:50:25 +04:00
raise PermissionDenied ( )
2013-03-24 01:07:24 +04:00
return AuditTrail . objects . filter ( organization_by_audit_trail__in = [ organization ] )
2013-03-24 00:50:25 +04:00
2013-03-21 23:43:35 +04:00
2013-03-24 00:03:17 +04:00
class OrganizationsUsersList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-03-21 23:43:35 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:03:17 +04:00
parent_model = Organization
relationship = ' users '
2013-03-24 00:50:25 +04:00
postable = True
2013-03-27 02:26:40 +04:00
inject_primary_key_on_post_as = ' organization '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' username ' , )
2013-03-24 00:03:17 +04:00
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list users in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-03-23 23:43:59 +04:00
if not self . request . user . is_superuser and not self . request . user in organization . admins . all ( ) :
2013-03-23 23:34:16 +04:00
raise PermissionDenied ( )
return User . objects . filter ( organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-24 00:03:17 +04:00
class OrganizationsAdminsList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-03-21 23:43:35 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:03:17 +04:00
parent_model = Organization
relationship = ' admins '
2013-03-24 00:50:25 +04:00
postable = True
2013-03-27 02:26:40 +04:00
inject_primary_key_on_post_as = ' organization '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' username ' , )
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list admins in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-03-23 23:43:59 +04:00
if not self . request . user . is_superuser and not self . request . user in organization . admins . all ( ) :
2013-03-23 23:34:16 +04:00
raise PermissionDenied ( )
2013-03-23 23:43:59 +04:00
return User . objects . filter ( admin_of_organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-23 00:52:44 +04:00
class OrganizationsProjectsList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-03-22 01:38:53 +04:00
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
2013-03-23 02:16:40 +04:00
parent_model = Organization # for sub list
relationship = ' projects ' # " "
2013-03-24 00:50:25 +04:00
postable = True
2013-03-27 02:26:40 +04:00
inject_primary_key_on_post_as = ' organization '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-02 22:59:58 +04:00
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list projects in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
raise PermissionDenied ( )
return Project . objects . filter ( organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-24 00:34:52 +04:00
class OrganizationsTagsList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-03-24 00:03:17 +04:00
model = Tag
serializer_class = TagSerializer
permission_classes = ( CustomRbac , )
parent_model = Organization # for sub list
relationship = ' tags ' # " "
2013-03-24 00:50:25 +04:00
postable = True
2013-03-27 02:26:40 +04:00
inject_primary_key_on_post_as = ' organization '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-24 00:03:17 +04:00
def _get_queryset ( self ) :
''' to list tags in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
2013-04-19 20:10:30 +04:00
# FIXME: use: organization.can_user_administrate(...) ?
2013-03-24 00:03:17 +04:00
raise PermissionDenied ( )
return Tag . objects . filter ( organization_by_tag__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-04-02 01:44:06 +04:00
class OrganizationsTeamsList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-04-02 01:44:06 +04:00
model = Team
serializer_class = TeamSerializer
permission_classes = ( CustomRbac , )
parent_model = Organization
relationship = ' teams '
postable = True
inject_primary_key_on_post_as = ' organization '
severable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-02 01:44:06 +04:00
def _get_queryset ( self ) :
''' to list users in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not self . request . user . is_superuser and not self . request . user in organization . admins . all ( ) :
raise PermissionDenied ( )
return Team . objects . filter ( organization = organization )
2013-04-01 06:18:39 +04:00
class TeamsList ( BaseList ) :
model = Team
serializer_class = TeamSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-01 06:18:39 +04:00
# I can see a team if:
# I am a superuser
# I am an admin of the organization that the team is
# I am on that team
2013-04-02 22:59:58 +04:00
2013-04-01 06:18:39 +04:00
def _get_queryset ( self ) :
''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
base = Team . objects
if self . request . user . is_superuser :
return base . all ( )
return base . filter (
admins__in = [ self . request . user ]
) . distinct ( ) | base . filter (
users__in = [ self . request . user ]
) . distinct ( )
class TeamsDetail ( BaseDetail ) :
model = Team
serializer_class = TeamSerializer
permission_classes = ( CustomRbac , )
2013-04-02 02:19:37 +04:00
class TeamsUsersList ( BaseSubList ) :
2013-04-02 22:59:58 +04:00
2013-04-02 02:19:37 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
parent_model = Team
relationship = ' users '
postable = True
inject_primary_key_on_post_as = ' team '
severable = True
2013-04-18 05:36:12 +04:00
filter_fields = ( ' username ' , )
2013-04-02 02:19:37 +04:00
def _get_queryset ( self ) :
# FIXME: audit all BaseSubLists to check for permissions on the original object too
' team members can see the whole team, as can org admins or superusers '
team = Team . objects . get ( pk = self . kwargs [ ' pk ' ] )
base = team . users . all ( )
if self . request . user . is_superuser or self . request . user in team . organization . admins . all ( ) :
return base
if self . request . user in team . users . all ( ) :
return base
raise PermissionDenied ( )
2013-04-23 19:26:50 +04:00
class TeamsProjectsList ( BaseSubList ) :
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
parent_model = Team
relationship = ' projects '
postable = True
inject_primary_key_on_post_as = ' team '
severable = True
# FIXME: filter_fields is no longer used, think we can remove these references everywhere given new custom filtering -- MPD
filter_fields = ( ' name ' , )
def _get_queryset ( self ) :
team = Team . objects . get ( pk = self . kwargs [ ' pk ' ] )
base = team . projects . all ( )
if self . request . user . is_superuser or self . request . user in team . organization . admins . all ( ) :
return base
if self . request . user in team . users . all ( ) :
return base
raise PermissionDenied ( )
2013-04-04 20:38:41 +04:00
class TeamsCredentialsList ( BaseSubList ) :
model = Credential
serializer_class = CredentialSerializer
permission_classes = ( CustomRbac , )
parent_model = Team
relationship = ' credentials '
postable = True
inject_primary_key_on_post_as = ' team '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-04 20:38:41 +04:00
def _get_queryset ( self ) :
team = Team . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not Team . can_user_administrate ( self . request . user , team , None ) :
2013-04-04 23:50:56 +04:00
if not ( self . request . user . is_superuser or self . request . user in team . users . all ( ) ) :
raise PermissionDenied ( )
2013-04-04 20:38:41 +04:00
project_credentials = Credential . objects . filter (
2013-04-04 23:50:56 +04:00
team = team
2013-04-04 20:38:41 +04:00
)
2013-04-04 23:50:56 +04:00
return project_credentials . distinct ( )
2013-04-04 20:38:41 +04:00
2013-04-01 04:02:56 +04:00
class ProjectsList ( BaseList ) :
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-01 04:02:56 +04:00
# I can see a project if
# I am a superuser
# I am an admin of the organization that contains the project
# I am a member of a team that also contains the project
2013-04-02 22:59:58 +04:00
2013-04-01 04:02:56 +04:00
def _get_queryset ( self ) :
''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
base = Project . objects
if self . request . user . is_superuser :
return base . all ( )
my_teams = Team . objects . filter ( users__in = [ self . request . user ] )
my_orgs = Organization . objects . filter ( admins__in = [ self . request . user ] )
return base . filter (
teams__in = my_teams
) . distinct ( ) | base . filter (
organizations__in = my_orgs
) . distinct ( )
2013-03-22 01:38:53 +04:00
class ProjectsDetail ( BaseDetail ) :
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
2013-04-01 06:04:52 +04:00
class ProjectsOrganizationsList ( BaseSubList ) :
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
parent_model = Project
relationship = ' organizations '
postable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-01 06:04:52 +04:00
def _get_queryset ( self ) :
project = Project . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not self . request . user . is_superuser :
raise PermissionDenied ( )
return Organization . objects . filter ( projects__in = [ project ] )
2013-03-24 00:03:17 +04:00
class TagsDetail ( BaseDetail ) :
model = Tag
serializer_class = TagSerializer
permission_classes = ( CustomRbac , )
2013-03-22 01:38:53 +04:00
2013-03-24 20:36:42 +04:00
class UsersList ( BaseList ) :
2013-03-21 23:11:47 +04:00
2013-03-24 20:36:42 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' username ' , )
2013-03-24 20:36:42 +04:00
2013-03-24 21:31:46 +04:00
def post ( self , request , * args , * * kwargs ) :
password = request . DATA . get ( ' password ' , None )
result = super ( UsersList , self ) . post ( request , * args , * * kwargs )
if password :
pk = result . data [ ' id ' ]
user = User . objects . get ( pk = pk )
user . set_password ( password )
user . save ( )
2013-04-02 22:59:58 +04:00
return result
2013-03-24 21:31:46 +04:00
2013-03-24 20:36:42 +04:00
def _get_queryset ( self ) :
''' I can see user records when I ' m a superuser, I ' m that user, I ' m their org admin, or I ' m on a team with that user '''
base = User . objects
if self . request . user . is_superuser :
return base . all ( )
2013-04-02 22:59:58 +04:00
mine = base . filter ( pk = self . request . user . pk ) . distinct ( )
admin_of = base . filter ( organizations__in = self . request . user . admin_of_organizations . all ( ) ) . distinct ( )
2013-03-24 21:31:46 +04:00
same_team = base . filter ( teams__in = self . request . user . teams . all ( ) ) . distinct ( )
return mine | admin_of | same_team
2013-03-24 20:36:42 +04:00
2013-03-24 22:23:37 +04:00
class UsersMeList ( BaseList ) :
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' username ' , )
2013-03-24 22:23:37 +04:00
def post ( self , request , * args , * * kwargs ) :
raise PermissionDenied ( )
def _get_queryset ( self ) :
''' a quick way to find my user record '''
return User . objects . filter ( pk = self . request . user . pk )
2013-03-24 23:00:01 +04:00
class UsersTeamsList ( BaseSubList ) :
model = Team
serializer_class = TeamSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' teams '
postable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-24 23:00:01 +04:00
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not UserHelper . can_user_administrate ( self . request . user , user , None ) :
2013-03-24 23:00:01 +04:00
raise PermissionDenied ( )
return Team . objects . filter ( users__in = [ user ] )
2013-04-02 03:43:14 +04:00
class UsersProjectsList ( BaseSubList ) :
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' teams '
postable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-02 03:43:14 +04:00
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not UserHelper . can_user_administrate ( self . request . user , user , None ) :
2013-04-02 03:43:14 +04:00
raise PermissionDenied ( )
teams = user . teams . all ( )
return Project . objects . filter ( teams__in = teams )
2013-04-02 04:38:03 +04:00
class UsersCredentialsList ( BaseSubList ) :
model = Credential
serializer_class = CredentialSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' credentials '
postable = True
inject_primary_key_on_post_as = ' user '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-02 04:38:03 +04:00
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not UserHelper . can_user_administrate ( self . request . user , user , None ) :
2013-04-02 04:38:03 +04:00
raise PermissionDenied ( )
project_credentials = Credential . objects . filter (
2013-04-04 22:41:31 +04:00
team__users__in = [ user ]
2013-04-02 04:38:03 +04:00
)
return user . credentials . distinct ( ) | project_credentials . distinct ( )
2013-03-24 23:00:01 +04:00
class UsersOrganizationsList ( BaseSubList ) :
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' organizations '
postable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-02 22:59:58 +04:00
2013-03-24 23:00:01 +04:00
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not UserHelper . can_user_administrate ( self . request . user , user , None ) :
2013-03-24 23:00:01 +04:00
raise PermissionDenied ( )
return Organization . objects . filter ( users__in = [ user ] )
class UsersAdminOrganizationsList ( BaseSubList ) :
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' admin_of_organizations '
postable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-24 23:00:01 +04:00
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-19 20:10:30 +04:00
if not UserHelper . can_user_administrate ( self . request . user , user , None ) :
2013-03-24 23:00:01 +04:00
raise PermissionDenied ( )
return Organization . objects . filter ( admins__in = [ user ] )
2013-03-24 20:36:42 +04:00
class UsersDetail ( BaseDetail ) :
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
def put_filter ( self , request , * args , * * kwargs ) :
2013-04-02 22:59:58 +04:00
''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
2013-03-24 20:36:42 +04:00
obj = User . objects . get ( pk = kwargs [ ' pk ' ] )
if EditHelper . illegal_changes ( request , obj , UserHelper ) :
raise PermissionDenied ( )
if ' password ' in request . DATA :
obj . set_password ( request . DATA [ ' password ' ] )
obj . save ( )
request . DATA . pop ( ' password ' )
2013-03-26 00:41:21 +04:00
2013-04-02 22:59:58 +04:00
class CredentialsDetail ( BaseDetail ) :
model = Credential
serializer_class = CredentialSerializer
permission_classes = ( CustomRbac , )
2013-03-26 00:41:21 +04:00
class InventoryList ( BaseList ) :
model = Inventory
serializer_class = InventorySerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-26 00:41:21 +04:00
2013-03-27 02:18:05 +04:00
def _filter_queryset ( self , base ) :
2013-03-26 00:41:21 +04:00
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( organization__admins__in = [ self . request . user ] ) . distinct ( )
2013-03-26 01:36:51 +04:00
has_user_perms = base . filter (
2013-03-26 00:41:21 +04:00
permissions__user__in = [ self . request . user ] ,
permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
2013-03-26 01:36:51 +04:00
has_team_perms = base . filter (
permissions__team__in = self . request . user . teams . all ( ) ,
permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
2013-03-26 00:41:21 +04:00
2013-03-27 02:18:05 +04:00
def _get_queryset ( self ) :
''' I can see inventory when I ' m a superuser, an org admin of the inventory, or I have permissions on it '''
base = Inventory . objects
return self . _filter_queryset ( base )
2013-03-26 00:41:21 +04:00
class InventoryDetail ( BaseDetail ) :
model = Inventory
serializer_class = InventorySerializer
permission_classes = ( CustomRbac , )
2013-03-26 22:44:12 +04:00
class HostsList ( BaseList ) :
model = Host
serializer_class = HostSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-26 22:44:12 +04:00
def _get_queryset ( self ) :
2013-04-02 22:59:58 +04:00
'''
2013-03-26 22:44:12 +04:00
I can see hosts when :
2013-04-02 22:59:58 +04:00
I ' m a superuser,
2013-03-26 22:44:12 +04:00
or an organization admin of an inventory they are in
or when I have allowing read permissions via a user or team on an inventory they are in
'''
base = Host . objects
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( inventory__organization__admins__in = [ self . request . user ] ) . distinct ( )
has_user_perms = base . filter (
inventory__permissions__user__in = [ self . request . user ] ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
has_team_perms = base . filter (
inventory__permissions__team__in = self . request . user . teams . all ( ) ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
class HostsDetail ( BaseDetail ) :
model = Host
serializer_class = HostSerializer
permission_classes = ( CustomRbac , )
2013-03-27 02:18:05 +04:00
class InventoryHostsList ( BaseSubList ) :
model = Host
serializer_class = HostSerializer
permission_classes = ( CustomRbac , )
# to allow the sub-aspect listing
parent_model = Inventory
relationship = ' hosts '
# to allow posting to this resource to create resources
postable = True
# FIXME: go back and add these to other SubLists
inject_primary_key_on_post_as = ' inventory '
2013-03-28 02:54:30 +04:00
severable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-27 02:18:05 +04:00
def _get_queryset ( self ) :
2013-03-28 02:54:30 +04:00
inventory = Inventory . objects . get ( pk = self . kwargs [ ' pk ' ] )
base = inventory . hosts
# FIXME: verify that you can can_read permission on the inventory is required
return base . all ( )
2013-03-27 02:18:05 +04:00
2013-03-27 00:57:08 +04:00
class GroupsList ( BaseList ) :
model = Group
serializer_class = GroupSerializer
permission_classes = ( CustomRbac , )
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-27 00:57:08 +04:00
def _get_queryset ( self ) :
'''
I can see groups when :
I ' m a superuser,
or an organization admin of an inventory they are in
or when I have allowing read permissions via a user or team on an inventory they are in
'''
base = Groups . objects
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( inventory__organization__admins__in = [ self . request . user ] ) . distinct ( )
2013-03-28 02:17:21 +04:00
has_user_perms = base . filter (
inventory__permissions__user__in = [ self . request . user ] ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
has_team_perms = base . filter (
inventory__permissions__team__in = self . request . user . teams . all ( ) ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
class GroupsChildrenList ( BaseSubList ) :
model = Group
serializer_class = GroupSerializer
permission_classes = ( CustomRbac , )
parent_model = Group
relationship = ' children '
postable = True
inject_primary_key_on_post_as = ' parent '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-28 02:17:21 +04:00
def _get_queryset ( self ) :
# FIXME: this is the mostly the same as GroupsList, share code similar to how done with Host and Group objects.
2013-04-02 22:59:58 +04:00
2013-03-28 02:17:21 +04:00
parent = Group . objects . get ( pk = self . kwargs [ ' pk ' ] )
# FIXME: verify read permissions on this object are still required at a higher level
base = parent . children
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( inventory__organization__admins__in = [ self . request . user ] ) . distinct ( )
2013-03-27 00:57:08 +04:00
has_user_perms = base . filter (
inventory__permissions__user__in = [ self . request . user ] ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
has_team_perms = base . filter (
inventory__permissions__team__in = self . request . user . teams . all ( ) ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
2013-04-17 01:41:20 +04:00
class GroupsHostsList ( BaseSubList ) :
''' the list of hosts directly below a group '''
model = Host
serializer_class = HostSerializer
permission_classes = ( CustomRbac , )
parent_model = Group
relationship = ' hosts '
postable = True
inject_primary_key_on_post_as = ' group '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-17 01:41:20 +04:00
def _get_queryset ( self ) :
parent = Group . objects . get ( pk = self . kwargs [ ' pk ' ] )
# FIXME: verify read permissions on this object are still required at a higher level
base = parent . hosts
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( inventory__organization__admins__in = [ self . request . user ] ) . distinct ( )
has_user_perms = base . filter (
inventory__permissions__user__in = [ self . request . user ] ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
has_team_perms = base . filter (
inventory__permissions__team__in = self . request . user . teams . all ( ) ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
class GroupsAllHostsList ( BaseSubList ) :
''' the list of all hosts below a group, even including subgroups '''
model = Host
serializer_class = HostSerializer
permission_classes = ( CustomRbac , )
parent_model = Group
relationship = ' hosts '
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-04-17 01:41:20 +04:00
def _child_hosts ( self , parent ) :
# TODO: should probably be a method on the model
2013-04-18 05:36:12 +04:00
result = parent . hosts . distinct ( )
2013-04-17 01:41:20 +04:00
if parent . children . count ( ) == 0 :
return result
else :
for child in parent . children . all ( ) :
if child == parent :
# shouldn't happen, but be prepared in case DB is weird
continue
result = result | self . _child_hosts ( child )
return result
def _get_queryset ( self ) :
2013-04-18 05:36:12 +04:00
2013-04-17 01:41:20 +04:00
parent = Group . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-04-18 05:36:12 +04:00
2013-04-17 01:41:20 +04:00
# FIXME: verify read permissions on this object are still required at a higher level
base = self . _child_hosts ( parent )
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( inventory__organization__admins__in = [ self . request . user ] ) . distinct ( )
has_user_perms = base . filter (
inventory__permissions__user__in = [ self . request . user ] ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
has_team_perms = base . filter (
inventory__permissions__team__in = self . request . user . teams . all ( ) ,
inventory__permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_user_perms | has_team_perms
2013-03-27 00:57:08 +04:00
class GroupsDetail ( BaseDetail ) :
model = Group
serializer_class = GroupSerializer
permission_classes = ( CustomRbac , )
2013-03-27 03:21:18 +04:00
class InventoryGroupsList ( BaseSubList ) :
model = Group
serializer_class = GroupSerializer
permission_classes = ( CustomRbac , )
# to allow the sub-aspect listing
parent_model = Inventory
relationship = ' groups '
# to allow posting to this resource to create resources
postable = True
# FIXME: go back and add these to other SubLists
inject_primary_key_on_post_as = ' inventory '
2013-03-28 02:54:30 +04:00
severable = False
2013-04-18 05:36:12 +04:00
filter_fields = ( ' name ' , )
2013-03-27 03:21:18 +04:00
def _get_queryset ( self ) :
2013-03-28 02:54:30 +04:00
# FIXME: share code with inventory filter queryset methods (make that a classmethod)
inventory = Inventory . objects . get ( pk = self . kwargs [ ' pk ' ] )
base = inventory . groups
# FIXME: verify that you can can_read permission on the inventory is required
return base
2013-03-27 03:21:18 +04:00
2013-03-27 06:24:03 +04:00
class GroupsVariableDetail ( VariableBaseDetail ) :
model = VariableData
serializer_class = VariableDataSerializer
permission_classes = ( CustomRbac , )
parent_model = Group
reverse_relationship = ' variable_data '
relationship = ' group '
class HostsVariableDetail ( VariableBaseDetail ) :
model = VariableData
serializer_class = VariableDataSerializer
permission_classes = ( CustomRbac , )
parent_model = Host
reverse_relationship = ' variable_data '
relationship = ' host '
class VariableDetail ( BaseDetail ) :
model = VariableData
serializer_class = VariableDataSerializer
permission_classes = ( CustomRbac , )
def put ( self , request , * args , * * kwargs ) :
raise PermissionDenied ( )
2013-04-18 23:22:45 +04:00
class JobTemplatesList ( BaseList ) :
2013-04-19 04:52:54 +04:00
model = JobTemplate
serializer_class = JobTemplateSerializer
permission_classes = ( CustomRbac , )
filter_fields = ( ' name ' , )
def _get_queryset ( self ) :
'''
I can see job templates when I am a superuser , or I am an admin of the project ' s orgs, or if I ' m in a team on the project .
This does not mean I would be able to launch a job from the template or edit the JobTemplate .
'''
base = JobTemplate . objects
if self . request . user . is_superuser :
return base . all ( )
return base . filter (
project__organizations__admins__in = [ self . request . user ]
) . distinct ( ) | base . filter (
project__teams__users__in = [ self . request . user ]
) . distinct ( )
2013-03-27 06:24:03 +04:00
2013-04-18 23:22:45 +04:00
class JobTemplateDetail ( BaseDetail ) :
2013-04-19 04:52:54 +04:00
model = JobTemplate
serializer_class = JobTemplateSerializer
permission_classes = ( CustomRbac , )
2013-04-18 23:22:45 +04:00
class JobTemplateStart ( BaseDetail ) :
pass
class JobsList ( BaseList ) :
pass
class JobsDetail ( BaseDetail ) :
pass
class JobsHostsList ( BaseSubList ) :
pass
class JobsSuccessfulHostsList ( BaseSubList ) :
pass
class JobsChangedHostsList ( BaseSubList ) :
pass
class JobsFailedHostsList ( BaseSubList ) :
pass
class JobsUnreachableHostsList ( BaseSubList ) :
pass
class JobsEventsList ( BaseList ) :
pass
class JobsEventsDetail ( BaseDetail ) :
pass
class HostJobEventsList ( BaseSubList ) :
pass
2013-03-26 22:44:12 +04:00