feat: Add API permissions

src/api.ts

@@ -50,7 +50,7 @@ export class User {
    * Activate the corresponding LDAP account.
    */
   async activate(): Promise<void> {
-    await api_request("POST", "users/activate", 204, {
+    await api_request("POST", `users/${this.pk}/activate`, 204, {
       password: this.password,
     });
   }

userausfall/rest_api/permissions.py

@@ -3,9 +3,17 @@ from rest_framework import permissions
 
 class UserPermission(permissions.BasePermission):
     def has_permission(self, request, view):
-        if request.method == "POST":
-            return True
-        return False
+        result = False
+        if view.action == "activate":
+            result = True
+        elif view.action == "create":
+            result = True
+        elif view.action == "retrieve_authenticated":
+            result = request.user.is_authenticated
+        return result
 
     def has_object_permission(self, request, view, obj):
-        return False
+        result = False
+        if view.action == "activate":
+            result = request.user == obj
+        return result

userausfall/rest_api/urls.py

@@ -1,13 +1,13 @@
 from django.urls import path
 from rest_framework import routers
 
-from userausfall.rest_api.views import UserViewSet, ConfidantConfirmationView
+from userausfall.rest_api.views import UserViewSet
 
 router = routers.DefaultRouter(trailing_slash=True)
 router.register(r'users', UserViewSet, basename="user")
 
 urlpatterns = [
-    path("confirm/confidant/", ConfidantConfirmationView.as_view())
+    # path("confirm/confidant/", ConfidantConfirmationView.as_view())
 ]
 
 urlpatterns += router.urls

userausfall/rest_api/views.py

@@ -2,36 +2,30 @@ from rest_framework import viewsets, status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
-from djeveric import ConfirmationView
 from userausfall.models import User, MissingUserAttribute, PasswordMismatch
-from userausfall.confirmations import ConfidantConfirmation
+from userausfall.rest_api.permissions import UserPermission
 from userausfall.rest_api.serializers import (
     ActivateUserSerializer,
     CreateUserSerializer,
-    TrustBridgeSerializer, RetrieveUserSerializer,
+    RetrieveUserSerializer,
 )
 
 
-class ConfidantConfirmationView(ConfirmationView):
-    confirmation_class = ConfidantConfirmation
-
-
 class UserViewSet(viewsets.ModelViewSet):
-    # permission_classes = [UserPermission]
+    permission_classes = [UserPermission]
     queryset = User.objects.all()
 
-    @action(detail=False)
-    def me(self, request):
+    @action(detail=False, url_path="me")
+    def retrieve_authenticated(self, request):
         """Retrieve user data for logged in user."""
-        user = request.user
-        serializer = RetrieveUserSerializer(user)
+        serializer = self.get_serializer(request.user)
         return Response(serializer.data)
 
-    @action(detail=False, methods=["post"])
+    @action(detail=True, methods=["post"])
     def activate(self, request, pk=None):
         """Create the corresponding LDAP account."""
-        user: User = request.user  # self.get_object()
-        serializer = ActivateUserSerializer(data=request.data)
+        user: User = self.get_object()
+        serializer = self.get_serializer(data=request.data)
         if serializer.is_valid():
             try:
                 # We prevent untrusted user accounts from being activated via API.
@@ -46,5 +40,9 @@ class UserViewSet(viewsets.ModelViewSet):
             return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
     def get_serializer_class(self):
-        if self.action == "create":
+        if self.action == "activate":
+            return ActivateUserSerializer
+        elif self.action == "create":
             return CreateUserSerializer
+        elif self.action == "retrieve_authenticated":
+            return RetrieveUserSerializer