diff --git a/src/api.ts b/src/api.ts index 59434b0..07ca5ca 100644 --- a/src/api.ts +++ b/src/api.ts @@ -50,7 +50,7 @@ export class User { * Activate the corresponding LDAP account. */ async activate(): Promise { - await api_request("POST", "users/activate", 204, { + await api_request("POST", `users/${this.pk}/activate`, 204, { password: this.password, }); } diff --git a/userausfall/rest_api/permissions.py b/userausfall/rest_api/permissions.py index 72aa7dd..0291279 100644 --- a/userausfall/rest_api/permissions.py +++ b/userausfall/rest_api/permissions.py @@ -3,9 +3,17 @@ from rest_framework import permissions class UserPermission(permissions.BasePermission): def has_permission(self, request, view): - if request.method == "POST": - return True - return False + result = False + if view.action == "activate": + result = True + elif view.action == "create": + result = True + elif view.action == "retrieve_authenticated": + result = request.user.is_authenticated + return result def has_object_permission(self, request, view, obj): - return False + result = False + if view.action == "activate": + result = request.user == obj + return result diff --git a/userausfall/rest_api/urls.py b/userausfall/rest_api/urls.py index 8094c21..76ba0ab 100644 --- a/userausfall/rest_api/urls.py +++ b/userausfall/rest_api/urls.py @@ -1,13 +1,13 @@ from django.urls import path from rest_framework import routers -from userausfall.rest_api.views import UserViewSet, ConfidantConfirmationView +from userausfall.rest_api.views import UserViewSet router = routers.DefaultRouter(trailing_slash=True) router.register(r'users', UserViewSet, basename="user") urlpatterns = [ - path("confirm/confidant/", ConfidantConfirmationView.as_view()) + # path("confirm/confidant/", ConfidantConfirmationView.as_view()) ] urlpatterns += router.urls diff --git a/userausfall/rest_api/views.py b/userausfall/rest_api/views.py index 3768510..577cbe8 100644 --- a/userausfall/rest_api/views.py 
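Review bot: `this.pk` is interpolated into the request path with no guard, so if `pk` can be unset on a `User` that has not been persisted yet, the call would POST to `users/undefined/activate` and surface as a server-side 404 instead of a clear client error. Add a check before the request, e.g. `if (this.pk == null) throw new Error("cannot activate a user without a primary key");`. If `pk` can ever be a non-numeric identifier, also build the path with `encodeURIComponent(String(this.pk))` so path characters cannot alter the route; for a numeric pk this is a no-op. The `activate` method is complete within the hunk, but the `User` class continues outside it.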
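Review bot: `has_permission` returns True for the `activate` action regardless of authentication, so an anonymous caller reaches `get_object()` in the view and gets a 404 for a nonexistent pk but a 403 for an existing one, which makes the endpoint a user-id existence oracle and costs a database lookup per probe. Because `has_object_permission` already requires `request.user == obj`, an unauthenticated request can never succeed, so gating the action the same way as `retrieve_authenticated` loses nothing: `elif view.action == "activate": result = request.user.is_authenticated`. It is worth a one-line comment on the object check that it is only enforced when the view calls `self.get_object()` or `check_object_permissions()`, since DRF never invokes it otherwise, e.g. `# only enforced for actions that call get_object(); every other action is denied in has_permission`.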
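Review bot: The commented-out `path("confirm/confidant/", ConfidantConfirmationView.as_view())` entry should be deleted rather than left inside `urlpatterns`; the matching import is removed in the same hunk, so the comment now names a symbol that no longer exists in the module and will only drift. Version control keeps the history, and `urlpatterns = []` followed by `urlpatterns += router.urls` states the intent unambiguously.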
+++ b/userausfall/rest_api/views.py @@ -2,36 +2,30 @@ from rest_framework import viewsets, status from rest_framework.decorators import action from rest_framework.response import Response -from djeveric import ConfirmationView from userausfall.models import User, MissingUserAttribute, PasswordMismatch -from userausfall.confirmations import ConfidantConfirmation +from userausfall.rest_api.permissions import UserPermission from userausfall.rest_api.serializers import ( ActivateUserSerializer, CreateUserSerializer, - TrustBridgeSerializer, RetrieveUserSerializer, + RetrieveUserSerializer, ) -class ConfidantConfirmationView(ConfirmationView): - confirmation_class = ConfidantConfirmation - - class UserViewSet(viewsets.ModelViewSet): - # permission_classes = [UserPermission] + permission_classes = [UserPermission] queryset = User.objects.all() - @action(detail=False) - def me(self, request): + @action(detail=False, url_path="me") + def retrieve_authenticated(self, request): """Retrieve user data for logged in user.""" - user = request.user - serializer = RetrieveUserSerializer(user) + serializer = self.get_serializer(request.user) return Response(serializer.data) - @action(detail=False, methods=["post"]) + @action(detail=True, methods=["post"]) def activate(self, request, pk=None): """Create the corresponding LDAP account.""" - user: User = request.user # self.get_object() - serializer = ActivateUserSerializer(data=request.data) + user: User = self.get_object() + serializer = self.get_serializer(data=request.data) if serializer.is_valid(): try: # We prevent untrusted user accounts from being activated via API. 
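Review bot: `UserViewSet` still subclasses `viewsets.ModelViewSet`, so the `DefaultRouter` keeps generating `list`, `retrieve`, `update`, `partial_update` and `destroy` routes over `User.objects.all()`; those routes exist and are blocked only because `UserPermission` falls through to False for every action it does not name, so a later edit to that permission class would expose full CRUD on users. Since the only built-in action this commit intends to keep is `create`, narrowing the base classes removes the unwanted routes at the source: `class UserViewSet(mixins.CreateModelMixin, viewsets.GenericViewSet):` together with `from rest_framework import mixins, status, viewsets` on the first import line. The explicit `@action` methods `activate` and `retrieve_authenticated` are unaffected by this change. The class body continues past the end of the hunk.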
@@ -46,5 +40,9 @@ class UserViewSet(viewsets.ModelViewSet):
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def get_serializer_class(self):
- if self.action == "create":
+ if self.action == "activate":
+ return ActivateUserSerializer
+ elif self.action == "create":
return CreateUserSerializer
+ elif self.action == "retrieve_authenticated":
+ return RetrieveUserSerializer
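Review bot: `get_serializer_class` has no fallback branch, so for any action other than the three it names it returns `None`, and DRF would then fail with a `TypeError` when it tries to instantiate the serializer rather than its usual clear assertion about a missing `serializer_class`. A mapping with an explicit fallback to `super().get_serializer_class()` keeps the three cases, documents the contract, and turns the unmapped case into DRF's own diagnostic; the method also lacks a docstring. The rewritten method is below.
```python
    def get_serializer_class(self):
        """Return the serializer for the current action.

        Actions not listed here fall back to DRF's default lookup, which
        raises a clear assertion because this viewset sets no serializer_class.
        """
        serializers = {
            "activate": ActivateUserSerializer,
            "create": CreateUserSerializer,
            "retrieve_authenticated": RetrieveUserSerializer,
        }
        try:
            return serializers[self.action]
        except KeyError:
            return super().get_serializer_class()
```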