Commit 2ca28f3c authored by David Haynes's avatar David Haynes 🙆

Allow for (permissioned) API access to RegisteredUser attributes

- RegisterForm here we come
parent cc14e964
......@@ -7,7 +7,7 @@ Define how data is translated from the database to json/API representation.
from rest_framework import serializers
# App Imports
from .models import URL
from .models import URL, RegisteredUser
class URLSerializer(serializers.HyperlinkedModelSerializer):
......@@ -16,3 +16,24 @@ class URLSerializer(serializers.HyperlinkedModelSerializer):
lookup_field = "short"
fields = ("destination", "short", "date_expires")
class RegisteredUserSerializerForAdmins(serializers.HyperlinkedModelSerializer):
class Meta:
model = RegisteredUser
lookup_field = "id"
fields = (
"id",
"full_name",
"organization",
"description",
"registered",
"approved",
"blocked",
)
class RegisteredUserSerializerForUsers(serializers.HyperlinkedModelSerializer):
class Meta:
model = RegisteredUser
lookup_field = "id"
fields = ("id", "full_name", "organization", "description", "registered")
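Review bot: Neither new serializer class carries a docstring saying which audience it is served to and why the field sets differ; `RegisteredUserSerializerForAdmins` makes `approved` and `blocked` writable while the user variant omits them, and that difference is the authorization boundary, so it should be stated on the class. Suggested docstring for the admin class: `"""Serializer handed to staff; exposes the moderation flags (approved, blocked) as writable fields."""`, and for the user class: `"""Serializer handed to non-staff users; the moderation flags are not exposed."""`. The two `Meta` blocks also repeat `model`, `lookup_field` and the first five field names; the admin serializer could extend the user one with `fields = RegisteredUserSerializerForUsers.Meta.fields + ("approved", "blocked")`, which would require the user class to be defined first.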
......@@ -16,6 +16,9 @@ from . import views
ROUTER = routers.DefaultRouter()
ROUTER.register(r"golinks", views.URLViewSet, base_name="golinks")
ROUTER.register(
r"registereduser", views.RegisteredUserViewSet, base_name="registereduser"
)
# This function attempts to import an admin module in each installed
# application. Such modules are expected to register models with the admin.
......@@ -13,8 +13,12 @@ from rest_framework.authtoken.models import Token
from rest_framework.permissions import IsAuthenticated, AllowAny
from rest_framework.authtoken.views import ObtainAuthToken
from .serializers import URLSerializer
from .models import URL
from .serializers import (
URLSerializer,
RegisteredUserSerializerForAdmins,
RegisteredUserSerializerForUsers,
)
from .models import URL, RegisteredUser
class URLPermission(permissions.BasePermission):
......@@ -23,7 +27,7 @@ class URLPermission(permissions.BasePermission):
message = "You do not have the necessary permission to perform that action on that URL object."
def has_permission(self, request, view):
"""Has permission to interact with URL"""
"""Has permission to interact with URL, the model"""
return True
def has_object_permission(self, request, view, obj):
......@@ -31,6 +35,22 @@ class URLPermission(permissions.BasePermission):
return obj.owner == request.user.registereduser
class RegisteredUserPermission(permissions.BasePermission):
"""
Custom permission check such that users can only modify their registered status and admins can control all of their statuses.
"""
message = "You do not have the necessary permission to perform that action on that RegisteredUser object."
def has_permission(self, request, view):
"""Has permission to interact with RegisteredUser, the model"""
return True
def has_object_permission(self, request, view, obj):
"""Has permission to interact with a specific RegisteredUser object"""
return obj.user == request.user
class URLViewSet(viewsets.ModelViewSet):
"""
API endpoint that handles creation/read/update/deletion of URL objects.
......@@ -48,6 +68,23 @@ class URLViewSet(viewsets.ModelViewSet):
serializer.save(owner=self.request.user.registereduser)
class RegisteredUserViewSet(viewsets.ModelViewSet):
"""
API endpoint for modifying RegisteredUser attributes.
"""
authentication_classes = (SessionAuthentication,)
permission_classes = (RegisteredUserPermission, IsAuthenticated)
def get_queryset(self):
return RegisteredUser.objects.filter(user=self.request.user)
def get_serializer_class(self):
if self.request.user.is_staff:
return RegisteredUserSerializerForAdmins
return RegisteredUserSerializerForUsers
class CustomAuthToken(ObtainAuthToken):
"""
Custom endpoint to provide the currently logged in user's API token.
......@@ -70,6 +107,7 @@ class GetSessionInfo(APIView):
if not request.user.is_anonymous:
session_info = {
"user_id": request.user.id,
"username": request.user.username,
"is_authenticated": request.user.is_authenticated,
"is_registered": request.user.registereduser.registered,
......@@ -78,6 +116,7 @@ class GetSessionInfo(APIView):
}
else:
session_info = {
"user_id": request.user.id,
"username": request.user.username,
"is_authenticated": request.user.is_authenticated,
}
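Review bot: `RegisteredUserViewSet` (the hunk at `@@ -48,6 +68,23 @@`) subclasses `ModelViewSet`, so POST and DELETE are routed to it, and `RegisteredUserPermission.has_permission` returns True for every authenticated request; nothing sets `user` on create (no `perform_create` override, and `user` is not a serializer field), so an authenticated caller can attempt to create an ownerless RegisteredUser or delete their own record, which goes beyond the "modifying attributes" the docstring describes. Restricting the verbs with `http_method_names = ["get", "head", "options", "patch", "put"]` on the viewset matches the stated intent. Separately, `get_queryset` filters staff to their own record too, so the `is_staff` branch in `get_serializer_class` only lets a staff member edit their own `approved`/`blocked` flags; if the permission docstring's "admins can control all of their statuses" means other users' records, the queryset needs a staff branch and `has_object_permission` needs to admit staff, otherwise `approved` and `blocked` should probably be listed in `read_only_fields` so a self-edit cannot change them. `URLViewSet` and `GetSessionInfo` continue outside the hunks shown.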