fix(api): permissions for organization

!16
2024-05-31 23:37:36 +09:30
parent 3fef74e700
commit e9cd111af6
5 changed files with 109 additions and 18 deletions


@ -8,7 +8,7 @@ from django.contrib.auth.models import Permission
class TeamSerializerBase(serializers.ModelSerializer):
view_name="_api_team"
view_name="API:_api_team"
url = serializers.SerializerMethodField('get_url')
@ -41,7 +41,16 @@ class TeamSerializer(TeamSerializerBase):
team = Team.objects.get(pk=obj.id)
return request.build_absolute_uri(reverse('_api_team_permission', args=[team.organization_id,team.id]))
return request.build_absolute_uri(reverse('API:_api_team_permission', args=[team.organization_id,team.id]))
url = serializers.SerializerMethodField('team_url')
def team_url(self, obj):
request = self.context.get('request')
return request.build_absolute_uri(reverse('API:_api_team', args=[obj.organization_id,obj.id]))
class Meta:
@ -60,10 +69,27 @@ class TeamSerializer(TeamSerializerBase):
class OrganizationListSerializer(serializers.ModelSerializer):
url = serializers.HyperlinkedIdentityField(
view_name="API:_api_organization", format="html"
)
class Meta:
model = Organization
fields = (
"id",
"name",
'url',
)
class OrganizationSerializer(serializers.ModelSerializer):
url = serializers.HyperlinkedIdentityField(
view_name="_api_organization", format="html"
view_name="API:_api_organization", format="html"
)
teams = serializers.SerializerMethodField('get_url')
@ -74,9 +100,9 @@ class OrganizationSerializer(serializers.ModelSerializer):
team = Team.objects.get(pk=obj.id)
return request.build_absolute_uri(reverse('_api_organization_teams', args=[team.organization_id]))
return request.build_absolute_uri(reverse('API:_api_organization_teams', args=[team.organization_id]))
view_name="_api_organization"
view_name="API:_api_organization"
class Meta:
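Review bot: The rewritten `teams` link in `OrganizationSerializer.get_url` (the `API:_api_organization_teams` line) still takes the organization id from `team.organization_id`, where `team` comes from `Team.objects.get(pk=obj.id)` on the preceding context line; since this method backs the `teams = SerializerMethodField('get_url')` field of `OrganizationSerializer`, `obj` appears to be the Organization being serialized, so the lookup fetches a Team by the organization's primary key — raising `Team.DoesNotExist` when no team shares that id and otherwise pointing at some unrelated team's organization. The id is already on hand, so the new line can be `return request.build_absolute_uri(reverse('API:_api_organization_teams', args=[obj.id]))` and the `Team.objects.get` line dropped, which also removes a query per serialized organization. The same `self.context.get('request')` pattern in the new `team_url` raises `AttributeError` rather than a clear error if the serializer is ever used without a request in its context; a short docstring stating that requirement would help. `get_url` begins before this hunk, so its `def` line is not shown here.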


@ -7,6 +7,7 @@ from .views.itam import software as itam_software, config as itam_config
from .views.itam.device import detail as itam_device
from .views.itam.device import inventory
app_name = "API"
urlpatterns = [
path("", index.IndexView.as_view(), name='_api_home'),
path("organization/", access.OrganizationList.as_view(), name='_api_orgs'),


@ -1,18 +1,78 @@
from django.contrib.auth.models import Permission
from rest_framework import generics, routers, serializers
from rest_framework import generics, routers, serializers, views
from rest_framework.permissions import DjangoObjectPermissions
from rest_framework.response import Response
from access.mixin import OrganizationMixin
from access.models import Organization, Team
from api.serializers.access import OrganizationSerializer, TeamSerializer
from api.serializers.access import OrganizationSerializer, OrganizationListSerializer, TeamSerializer
class OrganizationPermissionAPI(DjangoObjectPermissions, OrganizationMixin):
"""checking organization membership"""
def has_permission(self, request, view):
self.request = request
return True
def has_object_permission(self, request, view, obj):
self.request = request
self.obj = obj
self.view = view
method = self.request.method.lower()
if method == 'get':
action = 'view'
elif method == 'post':
action = 'add'
elif method == 'patch':
action = 'change'
elif method == 'put':
action = 'change'
elif method == 'delete':
action = 'delete'
else:
action = 'view'
permission = self.obj._meta.app_label + '.' + action + '_' + self.obj._meta.model_name
self.permission_required = [ permission ]
if not self.has_organization_permission() and not request.user.is_superuser:
return False
return True
class OrganizationList(generics.ListCreateAPIView):
permission_required = 'access.view_organization'
permission_classes = [OrganizationPermissionAPI]
queryset = Organization.objects.all()
serializer_class = OrganizationSerializer
lookup_field = 'pk'
serializer_class = OrganizationListSerializer
def get_view_name(self):
@ -21,8 +81,10 @@ class OrganizationList(generics.ListCreateAPIView):
class OrganizationDetail(generics.RetrieveUpdateDestroyAPIView):
permission_required = 'access.view_organization'
queryset = Organization.objects.all()
permission_classes = [OrganizationPermissionAPI]
queryset = Organization.objects.filter()
lookup_field = 'pk'
serializer_class = OrganizationSerializer
@ -38,7 +100,9 @@ class TeamList(generics.ListCreateAPIView):
def get_queryset(self):
return Team.objects.filter(organization=self.kwargs['organization_id'])
self.queryset = Team.objects.filter(organization=self.kwargs['organization_id'])
return self.queryset
def get_view_name(self):
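Review bot: `OrganizationPermissionAPI.has_permission` returns `True` unconditionally, and because `OrganizationList` and `TeamList` are `ListCreateAPIView`s this is the only check that runs for them: DRF calls `has_object_permission` only from `get_object()`, which list and create requests never reach, so the organization membership check below it never applies to listing `Organization.objects.all()` or to POSTing a new organization or team. Overriding the method this way also discards what `DjangoObjectPermissions.has_permission` would have enforced — an authenticated user and the model-level `add_*`/`view_*` permission — and since `permission_classes = [OrganizationPermissionAPI]` replaces any project default, an unauthenticated request to `/organization/` appears to pass unless something outside this diff blocks it. Keep the base check instead of short-circuiting it, e.g. `self.request = request` followed by `return super().has_permission(request, view)`, and restrict the list queryset to organizations the requesting user belongs to rather than `.all()`. The `get_view_name` method on the last line continues outside this hunk.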


@ -28,8 +28,8 @@ class IndexView(routers.APIRootView):
return Response(
{
# "teams": reverse("_api_teams", request=request),
"devices": reverse("_api_devices", request=request),
"organizations": reverse("_api_orgs", request=request),
"software": reverse("_api_softwares", request=request),
"devices": reverse("API:_api_devices", request=request),
"organizations": reverse("API:_api_orgs", request=request),
"software": reverse("API:_api_softwares", request=request),
}
)


@ -197,9 +197,9 @@ if API_ENABLED:
'rest_framework.filters.SearchFilter',
),
'SEARCH_PARAM': 'filter[search]',
'TEST_REQUEST_RENDERER_CLASSES': (
'rest_framework_json_api.renderers.JSONRenderer',
),
# 'TEST_REQUEST_RENDERER_CLASSES': (
# 'rest_framework_json_api.renderers.JSONRenderer',
# ),
# 'TEST_REQUEST_DEFAULT_FORMAT': 'vnd.api+json'
'TEST_REQUEST_DEFAULT_FORMAT': 'json'
}
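Review bot: The `TEST_REQUEST_RENDERER_CLASSES` setting is commented out rather than removed, leaving three `# 'TEST_REQUEST_RENDERER_CLASSES': (...)` lines next to the already commented `# 'TEST_REQUEST_DEFAULT_FORMAT': 'vnd.api+json'` entry, and a reader cannot tell whether the JSON:API renderer is gone for good or expected back. The old value lives in git history, so delete the commented lines; if the switch to plain `'json'` is meant to be temporary, replace them with a one-line comment saying why, along the lines of `# JSON:API test renderer disabled for now; tests post plain JSON` (adjusted to the actual reason).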