API endpoint to create links

- only presented information that you need
- permissions model guarentees ownership

docker-startup.sh

@@ -8,12 +8,9 @@ export GO_SECRET_KEY
 export GO_CREATE_SUPERUSER
 
 GO_SECRET_KEY=$(dd if=/dev/urandom count=100 | tr -dc "A-Za-z0-9" | fold -w 60 | head -n1 2>/dev/null)
-GO_CREATE_SUPERUSER="from django.contrib.auth import get_user_model; User = get_user_model(); me = User.objects.get(username='admin'); me.first_name = 'mr'; me.last_name = 'admin'; me.save(); "
 
 python go/manage.py makemigrations
 python go/manage.py makemigrations go
 python go/manage.py migrate
-python go/manage.py createsuperuser --noinput --username="$SUPERUSER" --email="$SUPERUSER$GO_EMAIL_DOMAIN"
-echo "$GO_CREATE_SUPERUSER" | python go/manage.py shell
 python go/manage.py runserver 0.0.0.0:8000
  
\ No newline at end of file

go/go/cas_callbacks.py

@@ -5,6 +5,8 @@ Parse the CAS/PF responses and create users in the database.
 """
 # Other Imports
 import requests
+import os
+
 # Django Imports
 from django.conf import settings
 from django.contrib.auth.models import User
@@ -94,6 +96,9 @@ def create_user(tree: list):
         # Password is a required User object field, though doesn't matter for our
         # purposes because all user auth is handled through CAS, not Django's login.
         user.set_password('cas_used_instead')
+        if os.environ['GO_ENV'] != 'production':
+            user.is_staff = True
+            user.is_superuser = True
         user.save()
 
         if user_created:

go/go/serializers.py

@@ -3,27 +3,13 @@ go/serializers.py
 
 Define how data is translated from the database to json/API representation.
 """
-# Django Imports
-from django.contrib.auth.models import User, Group
-
 # App Imports
 from .models import URL, RegisteredUser
 
 # Third Party Imports
 from rest_framework import serializers
 
-class UserSerializer(serializers.HyperlinkedModelSerializer):
-    class Meta:
-        model = User
-        fields = ('url', 'username', 'email', 'first_name',
-                  'last_name', 'is_staff')
-
-class RegisteredUserSerializer(serializers.HyperlinkedModelSerializer):
-    class Meta:
-        model = RegisteredUser
-        fields = '__all__'
-
 class URLSerializer(serializers.HyperlinkedModelSerializer):
     class Meta:
         model = URL
-        fields = '__all__'
+        fields = ('destination', 'short', 'date_expires')

go/go/views.py

@@ -28,34 +28,28 @@ from .models import URL, RegisteredUser
 from django.contrib.auth.models import User, Group
 from rest_framework import viewsets
 from rest_framework import permissions
-from .serializers import UserSerializer, URLSerializer, RegisteredUserSerializer
+from .serializers import URLSerializer
 
-class CrudPermission(permissions.BasePermission):
-    def has_object_permission(self, request, view, obj):
-        # Read permissions are allowed to any request,
-        # so we'll always allow GET, HEAD or OPTIONS requests.
-        if request.method in permissions.SAFE_METHODS:
-            return True
+class URLPermission(permissions.BasePermission):
+    message = "You do not have the necessary approvals to perform that action."
+    def has_permission(self, request, view):
+        return request.user.registereduser.approved or request.user.is_staff
 
+    def has_object_permission(self, request, view, obj):
         return obj.owner == request.user.registereduser or request.user.is_staff
 
-class RegisteredUserViewSet(viewsets.ModelViewSet):
-    """
-    API endpoint that allows RegisteredUsers to be viewed or edited.
-    """
-    queryset = RegisteredUser.objects.all()
-    serializer_class = RegisteredUserSerializer
-
-class UserViewSet(viewsets.ModelViewSet):
-    """
-    API endpoint that allows users to be viewed or edited.
-    """
-    queryset = User.objects.all().order_by('-date_joined')
-    serializer_class = UserSerializer
-
 class URLViewSet(viewsets.ModelViewSet):
     """
     API endpoint that handles creation/read/update/deletion of URL objects.
     """
     serializer_class = URLSerializer
-    queryset = URL.objects.all()
+    permission_classes = (URLPermission,)
+
+    def get_queryset(self):
+        if not self.request.user.is_staff:
+            return URL.objects.filter(owner=self.request.user.registereduser)
+        else:
+            return URL.objects.all()
+
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user.registereduser)

go/settings/urls.py

@@ -18,9 +18,7 @@ from cas import views as cas_views
 from rest_framework import routers
 
 router = routers.DefaultRouter()
-router.register(r'my', views.URLViewSet)
-router.register(r'users', views.UserViewSet)
-router.register(r'registereduser', views.RegisteredUserViewSet)
+router.register(r'golinks', views.URLViewSet, base_name="golinks")
 
 # This function attempts to import an admin module in each installed
 # application. Such modules are expected to register models with the admin.