awx/lib/main/views.py

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from lib.main.models import *
from lib.main.serializers import *
from lib.main.rbac import *
from django.contrib.auth.models import AnonymousUser
from rest_framework import mixins
from rest_framework import generics
from rest_framework import permissions
import exceptions

class OrganizationsList(generics.ListCreateAPIView):

    model = Organization
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)

    #def pre_save(self, obj):
    #   obj.owner = self.request.user
   
    def get_queryset(self):

        if self.request.user.is_superuser:
            return Organization.objects.filter(active=True)
        return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
               Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()

    def list_permissions_check(self, request, obj=None):
        if request.method == 'GET':
             # everybody can call get, but it's filtered
             return True
        if request.method == 'POST':
             # superusers have already been cleared, so deny regular users
             return False
        raise exceptions.NotImplementedError

 
class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
    model = Organization
    serializer_class = OrganizationSerializer

    permission_classes = (CustomRbac,)

    #def pre_save(self, obj):
    #   obj.owner = self.request.user

    def item_permissions_check(self, request, obj):
        admin = request.user.application_user in obj.admins.all() 
        user  = request.user.application_user in obj.users.all()
        if request.method == 'GET':
             return admin or user
        if request.method == 'PUT':
             return admin
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from django.http import HttpResponse`
			`from django.views.decorators.csrf import csrf_exempt`
			`from lib.main.models import *`
			`from lib.main.serializers import *`
Move RBAC code to seperate file. 2013-03-21 08:34:59 +04:00			`from lib.main.rbac import *`
Add functions for checking size of paginated results 2013-03-21 06:47:51 +04:00			`from django.contrib.auth.models import AnonymousUser`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`from rest_framework import mixins`
			`from rest_framework import generics`
			`from rest_framework import permissions`
Streamlining RBAC layer code, adding tests for PUT operations. 2013-03-21 18:25:49 +04:00			`import exceptions`
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00
			`class OrganizationsList(generics.ListCreateAPIView):`

			`model = Organization`
			`serializer_class = OrganizationSerializer`
			`permission_classes = (CustomRbac,)`

			`#def pre_save(self, obj):`
			`# obj.owner = self.request.user`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00
			`def get_queryset(self):`
Move RBAC code to seperate file. 2013-03-21 08:34:59 +04:00
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00			`if self.request.user.is_superuser:`
Only list active organizations 2013-03-21 08:31:07 +04:00			`return Organization.objects.filter(active=True)`
			`return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() \| \`
			`Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()`
Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00
Deletes are operational plus access control hooks for deletes. 2013-03-21 19:06:47 +04:00			`def list_permissions_check(self, request, obj=None):`
			`if request.method == 'GET':`
			`# everybody can call get, but it's filtered`
			`return True`
			`if request.method == 'POST':`
			`# superusers have already been cleared, so deny regular users`
			`return False`
Streamlining RBAC layer code, adding tests for PUT operations. 2013-03-21 18:25:49 +04:00			`raise exceptions.NotImplementedError`

Basic API RBAC filtering operational! 2013-03-21 07:14:09 +04:00
Switch over to django-rest-framework from tastypie. Less black magic, seems to just work :) 2013-03-20 06:26:35 +04:00			`class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):`
			`model = Organization`
			`serializer_class = OrganizationSerializer`

			`permission_classes = (CustomRbac,)`

			`#def pre_save(self, obj):`
			`# obj.owner = self.request.user`

Deletes are operational plus access control hooks for deletes. 2013-03-21 19:06:47 +04:00			`def item_permissions_check(self, request, obj):`
			`admin = request.user.application_user in obj.admins.all()`
			`user = request.user.application_user in obj.users.all()`
			`if request.method == 'GET':`
			`return admin or user`
			`if request.method == 'PUT':`
			`return admin`
PUT is operational. 2013-03-21 18:44:01 +04:00