Skip to content

GitLab

Commit 84f7d732 authored by David Haynes's avatar David Haynes 🙆
Browse files

API endpoint to create links 

- only presented information that you need
- permissions model guarentees ownership
parent 4e24576c
Pipeline #2637 passed with stage
in 51 seconds
Hide whitespace changes
Inline Side-by-side
docker-startup.sh
View file @ 84f7d732
......@@ -8,12 +8,9 @@ export GO_SECRET_KEY
export GO_CREATE_SUPERUSER
GO_SECRET_KEY=$(dd if=/dev/urandom count=100 | tr -dc "A-Za-z0-9" | fold -w 60 | head -n1 2>/dev/null)
GO_CREATE_SUPERUSER="from django.contrib.auth import get_user_model; User = get_user_model(); me = User.objects.get(username='admin'); me.first_name = 'mr'; me.last_name = 'admin'; me.save(); "
python go/manage.py makemigrations
python go/manage.py makemigrations go
python go/manage.py migrate
python go/manage.py createsuperuser --noinput --username="$SUPERUSER" --email="$SUPERUSER$GO_EMAIL_DOMAIN"
echo "$GO_CREATE_SUPERUSER" | python go/manage.py shell
python go/manage.py runserver 0.0.0.0:8000
\ No newline at end of file
go/go/cas_callbacks.py
View file @ 84f7d732
......@@ -5,6 +5,8 @@ Parse the CAS/PF responses and create users in the database.
"""
# Other Imports
import requests
import os
# Django Imports
from django.conf import settings
from django.contrib.auth.models import User
......@@ -94,6 +96,9 @@ def create_user(tree: list):
# Password is a required User object field, though doesn't matter for our
# purposes because all user auth is handled through CAS, not Django's login.
user.set_password('cas_used_instead')
if os.environ['GO_ENV'] != 'production':
user.is_staff = True
user.is_superuser = True
user.save()
if user_created:
......
go/go/serializers.py
View file @ 84f7d732
......@@ -3,27 +3,13 @@ go/serializers.py
Define how data is translated from the database to json/API representation.
"""
# Django Imports
from django.contrib.auth.models import User, Group
# App Imports
from .models import URL, RegisteredUser
# Third Party Imports
from rest_framework import serializers
class UserSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = User
fields = ('url', 'username', 'email', 'first_name',
'last_name', 'is_staff')
class RegisteredUserSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = RegisteredUser
fields = '__all__'
class URLSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = URL
fields = '__all__'
fields = ('destination', 'short', 'date_expires')
go/go/views.py
View file @ 84f7d732
......@@ -28,34 +28,28 @@ from .models import URL, RegisteredUser
from django.contrib.auth.models import User, Group
from rest_framework import viewsets
from rest_framework import permissions
from .serializers import UserSerializer, URLSerializer, RegisteredUserSerializer
from .serializers import URLSerializer
class CrudPermission(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
class URLPermission(permissions.BasePermission):
message = "You do not have the necessary approvals to perform that action."
def has_permission(self, request, view):
return request.user.registereduser.approved or request.user.is_staff
def has_object_permission(self, request, view, obj):
return obj.owner == request.user.registereduser or request.user.is_staff
class RegisteredUserViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows RegisteredUsers to be viewed or edited.
"""
queryset = RegisteredUser.objects.all()
serializer_class = RegisteredUserSerializer
class UserViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows users to be viewed or edited.
"""
queryset = User.objects.all().order_by('-date_joined')
serializer_class = UserSerializer
class URLViewSet(viewsets.ModelViewSet):
"""
API endpoint that handles creation/read/update/deletion of URL objects.
"""
serializer_class = URLSerializer
queryset = URL.objects.all()
permission_classes = (URLPermission,)
def get_queryset(self):
if not self.request.user.is_staff:
return URL.objects.filter(owner=self.request.user.registereduser)
else:
return URL.objects.all()
def perform_create(self, serializer):
serializer.save(owner=self.request.user.registereduser)
go/settings/urls.py
View file @ 84f7d732
......@@ -18,9 +18,7 @@ from cas import views as cas_views
from rest_framework import routers
router = routers.DefaultRouter()
router.register(r'my', views.URLViewSet)
router.register(r'users', views.UserViewSet)
router.register(r'registereduser', views.RegisteredUserViewSet)
router.register(r'golinks', views.URLViewSet, base_name="golinks")
# This function attempts to import an admin module in each installed
# application. Such modules are expected to register models with the admin.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment