feat: Add API permissions

This commit is contained in:
aldrin 2021-08-03 12:38:34 +02:00
parent d656370aef
commit 04c2ec8ec2
4 changed files with 29 additions and 23 deletions


@ -50,7 +50,7 @@ export class User {
* Activate the corresponding LDAP account.
*/
async activate(): Promise<void> {
await api_request("POST", "users/activate", 204, {
await api_request("POST", `users/${this.pk}/activate`, 204, {
password: this.password,
});
}
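Review bot: The rewritten `api_request` call interpolates `this.pk` straight into the path; if `pk` can still be unset on a `User` instance at that point (for example before the server has assigned an id), the request goes to `users/undefined/activate` and surfaces as a remote 404 rather than a local error. A guard before the call, `if (this.pk === undefined) throw new Error("User.activate: pk is not set");`, keeps the failure at the client. Whether `pk` is optional is not visible here, so confirm against the field declaration; the enclosing `User` class starts outside the hunk.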


@ -3,9 +3,17 @@ from rest_framework import permissions
class UserPermission(permissions.BasePermission):
def has_permission(self, request, view):
if request.method == "POST":
return True
return False
result = False
if view.action == "activate":
result = True
elif view.action == "create":
result = True
elif view.action == "retrieve_authenticated":
result = request.user.is_authenticated
return result
def has_object_permission(self, request, view, obj):
return False
result = False
if view.action == "activate":
result = request.user == obj
return result
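Review bot: `has_object_permission` only allows `activate` when `request.user == obj`, so an unauthenticated caller (`AnonymousUser`) is always denied at the object level even though `has_permission` says yes for that action; confirm this is the intended flow, because the client sends the password in the request body, which suggests the caller may not have a session yet. Every action not named falls through to `result = False`, which is the right default-deny, but nothing documents that; add a class docstring such as `"""Default-deny permission for UserViewSet: anyone may create or attempt activation, only an authenticated user may call retrieve_authenticated, and activation is object-checked against request.user."""`. `view.action` exists only on ViewSets, so attaching this class to a plain `APIView` would raise `AttributeError`; reading it as `action = getattr(view, "action", None)` keeps the default-deny holding there as well.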


@ -1,13 +1,13 @@
from django.urls import path
from rest_framework import routers
from userausfall.rest_api.views import UserViewSet, ConfidantConfirmationView
from userausfall.rest_api.views import UserViewSet
router = routers.DefaultRouter(trailing_slash=True)
router.register(r'users', UserViewSet, basename="user")
urlpatterns = [
path("confirm/confidant/", ConfidantConfirmationView.as_view())
# path("confirm/confidant/", ConfidantConfirmationView.as_view())
]
urlpatterns += router.urls
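Review bot: The `ConfidantConfirmationView` route is kept as commented-out code inside `urlpatterns` while its import is removed in the same change, so the comment now references a name the module no longer knows. Version control already preserves the old line; delete it and leave `urlpatterns = []` (or simply `urlpatterns = router.urls`) so the file does not carry dead code that will drift from the view it names.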


@ -2,36 +2,30 @@ from rest_framework import viewsets, status
from rest_framework.decorators import action
from rest_framework.response import Response
from djeveric import ConfirmationView
from userausfall.models import User, MissingUserAttribute, PasswordMismatch
from userausfall.confirmations import ConfidantConfirmation
from userausfall.rest_api.permissions import UserPermission
from userausfall.rest_api.serializers import (
ActivateUserSerializer,
CreateUserSerializer,
TrustBridgeSerializer, RetrieveUserSerializer,
RetrieveUserSerializer,
)
class ConfidantConfirmationView(ConfirmationView):
confirmation_class = ConfidantConfirmation
class UserViewSet(viewsets.ModelViewSet):
# permission_classes = [UserPermission]
permission_classes = [UserPermission]
queryset = User.objects.all()
@action(detail=False)
def me(self, request):
@action(detail=False, url_path="me")
def retrieve_authenticated(self, request):
"""Retrieve user data for logged in user."""
user = request.user
serializer = RetrieveUserSerializer(user)
serializer = self.get_serializer(request.user)
return Response(serializer.data)
@action(detail=False, methods=["post"])
@action(detail=True, methods=["post"])
def activate(self, request, pk=None):
"""Create the corresponding LDAP account."""
user: User = request.user # self.get_object()
serializer = ActivateUserSerializer(data=request.data)
user: User = self.get_object()
serializer = self.get_serializer(data=request.data)
if serializer.is_valid():
try:
# We prevent untrusted user accounts from being activated via API.
@ -46,5 +40,9 @@ class UserViewSet(viewsets.ModelViewSet):
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def get_serializer_class(self):
if self.action == "create":
if self.action == "activate":
return ActivateUserSerializer
elif self.action == "create":
return CreateUserSerializer
elif self.action == "retrieve_authenticated":
return RetrieveUserSerializer
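Review bot: `get_serializer_class` has no fallback branch: for any action other than `activate`, `create` or `retrieve_authenticated` it implicitly returns `None`, and a later `self.get_serializer(...)` fails with a `TypeError` instead of a clear message. `ModelViewSet` still routes list/retrieve/update/destroy (only `UserPermission` stops them today) and schema or browsable-API generation calls `get_serializer` for every action, so end the chain with `return super().get_serializer_class()` so DRF's own check for a missing `serializer_class` reports the gap, or pick an explicit default. In the first hunk, `activate` now resolves its target through `self.get_object()`, which is what applies `has_object_permission`; a comment on that line, `# get_object() runs UserPermission.has_object_permission (request.user == obj)`, would make the authorization dependency visible, and note that `activate`'s body continues past the end of that hunk.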