2013-03-24 02:43:11 +04:00
# (c) 2013, AnsibleWorks, Michael DeHaan <michael@ansibleworks.com>
#
# This file is part of Ansible Commander
#
# Ansible Commander is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible Commander is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>.
2013-03-20 06:26:35 +04:00
from django . http import HttpResponse
from django . views . decorators . csrf import csrf_exempt
from lib . main . models import *
2013-03-22 19:35:26 +04:00
from django . contrib . auth . models import User
2013-03-20 06:26:35 +04:00
from lib . main . serializers import *
2013-03-21 08:34:59 +04:00
from lib . main . rbac import *
2013-03-21 22:20:59 +04:00
from django . core . exceptions import PermissionDenied
2013-03-20 06:26:35 +04:00
from rest_framework import mixins
from rest_framework import generics
from rest_framework import permissions
2013-03-22 17:50:42 +04:00
from rest_framework . response import Response
from rest_framework import status
2013-03-21 18:25:49 +04:00
import exceptions
2013-03-21 22:20:59 +04:00
import datetime
2013-03-23 00:52:44 +04:00
from base_views import BaseList , BaseDetail , BaseSubList
2013-03-21 22:20:59 +04:00
class OrganizationsList ( BaseList ) :
2013-03-20 06:26:35 +04:00
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
2013-03-21 23:43:35 +04:00
# I can see the organizations if:
# I am a superuser
# I am an admin of the organization
# I am a member of the organization
2013-03-21 07:14:09 +04:00
2013-03-21 22:20:59 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
base = Organization . objects
2013-03-21 07:14:09 +04:00
if self . request . user . is_superuser :
2013-03-23 23:34:16 +04:00
return base . all ( )
return base . filter (
2013-03-22 19:35:26 +04:00
admins__in = [ self . request . user ]
2013-03-23 23:34:16 +04:00
) . distinct ( ) | base . filter (
2013-03-22 19:35:26 +04:00
users__in = [ self . request . user ]
2013-03-21 22:20:59 +04:00
) . distinct ( )
class OrganizationsDetail ( BaseDetail ) :
2013-03-21 18:25:49 +04:00
2013-03-20 06:26:35 +04:00
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:50:25 +04:00
class OrganizationsAuditTrailList ( BaseSubList ) :
2013-03-21 23:43:35 +04:00
model = AuditTrail
serializer_class = AuditTrailSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:50:25 +04:00
parent_model = Organization
relationship = ' audit_trail '
postable = False
def _get_queryset ( self ) :
''' to list tags in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
# FIXME: use: organization.can_user_administrate(self.request.user)
raise PermissionDenied ( )
2013-03-24 01:07:24 +04:00
return AuditTrail . objects . filter ( organization_by_audit_trail__in = [ organization ] )
2013-03-24 00:50:25 +04:00
2013-03-21 23:43:35 +04:00
2013-03-24 00:03:17 +04:00
class OrganizationsUsersList ( BaseSubList ) :
2013-03-21 23:43:35 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:03:17 +04:00
parent_model = Organization
relationship = ' users '
2013-03-24 00:50:25 +04:00
postable = True
2013-03-24 00:03:17 +04:00
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list users in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-03-23 23:43:59 +04:00
if not self . request . user . is_superuser and not self . request . user in organization . admins . all ( ) :
2013-03-23 23:34:16 +04:00
raise PermissionDenied ( )
return User . objects . filter ( organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-24 00:03:17 +04:00
class OrganizationsAdminsList ( BaseSubList ) :
2013-03-21 23:43:35 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:03:17 +04:00
parent_model = Organization
relationship = ' admins '
2013-03-24 00:50:25 +04:00
postable = True
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list admins in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
2013-03-23 23:43:59 +04:00
if not self . request . user . is_superuser and not self . request . user in organization . admins . all ( ) :
2013-03-23 23:34:16 +04:00
raise PermissionDenied ( )
2013-03-23 23:43:59 +04:00
return User . objects . filter ( admin_of_organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-23 00:52:44 +04:00
class OrganizationsProjectsList ( BaseSubList ) :
2013-03-21 23:43:35 +04:00
2013-03-22 01:38:53 +04:00
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
2013-03-23 02:16:40 +04:00
parent_model = Organization # for sub list
relationship = ' projects ' # " "
2013-03-24 00:50:25 +04:00
postable = True
2013-03-22 01:38:53 +04:00
2013-03-21 23:43:35 +04:00
def _get_queryset ( self ) :
2013-03-23 23:34:16 +04:00
''' to list projects in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
raise PermissionDenied ( )
return Project . objects . filter ( organizations__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-24 00:34:52 +04:00
class OrganizationsTagsList ( BaseSubList ) :
2013-03-24 00:03:17 +04:00
model = Tag
serializer_class = TagSerializer
permission_classes = ( CustomRbac , )
parent_model = Organization # for sub list
relationship = ' tags ' # " "
2013-03-24 00:50:25 +04:00
postable = True
2013-03-24 00:03:17 +04:00
def _get_queryset ( self ) :
''' to list tags in the organization, I must be a superuser or org admin '''
organization = Organization . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not ( self . request . user . is_superuser or self . request . user in organization . admins . all ( ) ) :
# FIXME: use: organization.can_user_administrate(self.request.user)
raise PermissionDenied ( )
return Tag . objects . filter ( organization_by_tag__in = [ organization ] )
2013-03-21 23:11:47 +04:00
2013-03-22 01:38:53 +04:00
class ProjectsDetail ( BaseDetail ) :
model = Project
serializer_class = ProjectSerializer
permission_classes = ( CustomRbac , )
2013-03-24 00:03:17 +04:00
class TagsDetail ( BaseDetail ) :
model = Tag
serializer_class = TagSerializer
permission_classes = ( CustomRbac , )
2013-03-22 01:38:53 +04:00
2013-03-24 20:36:42 +04:00
class UsersList ( BaseList ) :
2013-03-21 23:11:47 +04:00
2013-03-24 20:36:42 +04:00
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
2013-03-24 21:31:46 +04:00
def post ( self , request , * args , * * kwargs ) :
password = request . DATA . get ( ' password ' , None )
result = super ( UsersList , self ) . post ( request , * args , * * kwargs )
if password :
pk = result . data [ ' id ' ]
user = User . objects . get ( pk = pk )
user . set_password ( password )
user . save ( )
return result
2013-03-24 20:36:42 +04:00
def _get_queryset ( self ) :
''' I can see user records when I ' m a superuser, I ' m that user, I ' m their org admin, or I ' m on a team with that user '''
base = User . objects
if self . request . user . is_superuser :
return base . all ( )
2013-03-24 21:31:46 +04:00
mine = base . filter ( pk = self . request . user . pk ) . distinct ( )
admin_of = base . filter ( organizations__in = self . request . user . admin_of_organizations . all ( ) ) . distinct ( )
same_team = base . filter ( teams__in = self . request . user . teams . all ( ) ) . distinct ( )
return mine | admin_of | same_team
2013-03-24 20:36:42 +04:00
2013-03-24 22:23:37 +04:00
class UsersMeList ( BaseList ) :
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
def post ( self , request , * args , * * kwargs ) :
raise PermissionDenied ( )
def _get_queryset ( self ) :
''' a quick way to find my user record '''
return User . objects . filter ( pk = self . request . user . pk )
2013-03-24 23:00:01 +04:00
class UsersTeamsList ( BaseSubList ) :
model = Team
serializer_class = TeamSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' teams '
postable = False
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not UserHelper . can_user_administrate ( self . request . user , user ) :
raise PermissionDenied ( )
return Team . objects . filter ( users__in = [ user ] )
class UsersOrganizationsList ( BaseSubList ) :
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' organizations '
postable = False
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not UserHelper . can_user_administrate ( self . request . user , user ) :
raise PermissionDenied ( )
return Organization . objects . filter ( users__in = [ user ] )
class UsersAdminOrganizationsList ( BaseSubList ) :
model = Organization
serializer_class = OrganizationSerializer
permission_classes = ( CustomRbac , )
parent_model = User
relationship = ' admin_of_organizations '
postable = False
def _get_queryset ( self ) :
user = User . objects . get ( pk = self . kwargs [ ' pk ' ] )
if not UserHelper . can_user_administrate ( self . request . user , user ) :
raise PermissionDenied ( )
return Organization . objects . filter ( admins__in = [ user ] )
2013-03-24 20:36:42 +04:00
class UsersDetail ( BaseDetail ) :
model = User
serializer_class = UserSerializer
permission_classes = ( CustomRbac , )
def put_filter ( self , request , * args , * * kwargs ) :
''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
obj = User . objects . get ( pk = kwargs [ ' pk ' ] )
if EditHelper . illegal_changes ( request , obj , UserHelper ) :
raise PermissionDenied ( )
if ' password ' in request . DATA :
obj . set_password ( request . DATA [ ' password ' ] )
obj . save ( )
request . DATA . pop ( ' password ' )
2013-03-26 00:41:21 +04:00
class InventoryList ( BaseList ) :
model = Inventory
serializer_class = InventorySerializer
permission_classes = ( CustomRbac , )
def _get_queryset ( self ) :
''' I can see inventory when I ' m a superuser, an org admin of the inventory, or I have permissions on it '''
base = Inventory . objects
if self . request . user . is_superuser :
return base . all ( )
admin_of = base . filter ( organization__admins__in = [ self . request . user ] ) . distinct ( )
has_perms = base . filter (
permissions__user__in = [ self . request . user ] ,
permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ ,
) . distinct ( )
return admin_of | has_perms
class InventoryDetail ( BaseDetail ) :
model = Inventory
serializer_class = InventorySerializer
permission_classes = ( CustomRbac , )
2013-03-24 20:36:42 +04:00
