Merge pull request #1836 from ryanpetrello/hands-off-my-tokens

filter `/api/v2/users/N/tokens/` to only show tokens for _that_ user
2024-11-01 16:51:11 +03:00 · 2018-05-17 15:54:28 -04:00 · 2018-05-17 15:54:28 -04:00 · 2e0125037a
commit 2e0125037a
parent a348893a91 51f66b8c0a
3 changed files with 23 additions and 2 deletions
--- a/awx/api/urls/user.py
+++ b/awx/api/urls/user.py
@ -15,7 +15,7 @@ from awx.api.views import (
    UserActivityStreamList,
    UserAccessList,
    OAuth2ApplicationList,
-    OAuth2TokenList,
+    OAuth2UserTokenList,
    OAuth2PersonalTokenList,
    UserAuthorizedTokenList,
 )
@ -32,7 +32,7 @@ urls = [
    url(r'^(?P<pk>[0-9]+)/activity_stream/$', UserActivityStreamList.as_view(), name='user_activity_stream_list'),
    url(r'^(?P<pk>[0-9]+)/access_list/$', UserAccessList.as_view(), name='user_access_list'),
    url(r'^(?P<pk>[0-9]+)/applications/$', OAuth2ApplicationList.as_view(), name='o_auth2_application_list'),
-    url(r'^(?P<pk>[0-9]+)/tokens/$', OAuth2TokenList.as_view(), name='o_auth2_token_list'),
+    url(r'^(?P<pk>[0-9]+)/tokens/$', OAuth2UserTokenList.as_view(), name='o_auth2_token_list'),
    url(r'^(?P<pk>[0-9]+)/authorized_tokens/$', UserAuthorizedTokenList.as_view(), name='user_authorized_token_list'),
    url(r'^(?P<pk>[0-9]+)/personal_tokens/$', OAuth2PersonalTokenList.as_view(), name='o_auth2_personal_token_list'),
    
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1600,6 +1600,18 @@ class OAuth2TokenList(ListCreateAPIView):
    swagger_topic = 'Authentication'


+class OAuth2UserTokenList(SubListCreateAPIView):
+
+    view_name = _("OAuth2 User Tokens")
+
+    model = OAuth2AccessToken
+    serializer_class = OAuth2TokenSerializer
+    parent_model = User
+    relationship = 'main_oauth2accesstoken'
+    parent_key = 'user'
+    swagger_topic = 'Authentication'
+    
+    
 class OAuth2AuthorizedTokenList(SubListCreateAPIView):

    view_name = _("OAuth2 Authorized Access Tokens")
--- a/awx/main/tests/functional/api/test_oauth.py
+++ b/awx/main/tests/functional/api/test_oauth.py
@ -172,3 +172,12 @@ def test_oauth_application_delete(oauth_application, post, delete, admin):
    assert Application.objects.filter(client_id=oauth_application.client_id).count() == 0
    assert RefreshToken.objects.filter(application=oauth_application).count() == 0
    assert AccessToken.objects.filter(application=oauth_application).count() == 0
+
+
+@pytest.mark.django_db
+def test_oauth_list_user_tokens(oauth_application, post, get, admin, alice):
+    for user in (admin, alice):
+        url = reverse('api:o_auth2_token_list', kwargs={'pk': user.pk})
+        post(url, {'scope': 'read'}, user, expect=201)
+        response = get(url, admin, expect=200)
+        assert response.data['count'] == 1