class Meta(AppResource.Meta):
authentication = (SharedSecretAuthentication(), OAuthAuthentication())
authorization = OwnerAuthorization()
detail_allowed_methods = []
list_allowed_methods = ['get']
resource_name = 'installed/mine'
slug_lookup = None
class Meta(MarketplaceModelResource.Meta):
authentication = (SharedSecretAuthentication(), OAuthAuthentication())
authorization = OwnerAuthorization()
detail_allowed_methods = ['get', 'patch', 'put']
fields = ['display_name']
list_allowed_methods = []
queryset = UserProfile.objects.filter()
resource_name = 'settings'
def obj_get(self, request=None, **kwargs):
if kwargs.get('pk') == 'mine':
kwargs['pk'] = request.amo_user.pk
# TODO: put in acl checks for admins to get other users information.
obj = super(AccountResource, self).obj_get(request=request, **kwargs)
if not OwnerAuthorization().is_authorized(request, object=obj):
raise ImmediateHttpResponse(response=http.HttpForbidden())
return obj
class Meta:
queryset = Preview.objects.all()
list_allowed_methods = ['post']
allowed_methods = ['get', 'delete']
always_return_data = True
fields = ['id', 'filetype']
authentication = MarketplaceAuthentication()
authorization = OwnerAuthorization()
resource_name = 'preview'
filtering = {'addon': ALL_WITH_RELATIONS}
class Meta:
queryset = FileUpload.objects.all()
fields = ['valid', 'validation']
list_allowed_methods = ['post']
allowed_methods = ['get']
always_return_data = True
authentication = MarketplaceAuthentication()
# This will return that anyone can do anything because objects
# don't always get passed the authorization handler.
authorization = OwnerAuthorization()
resource_name = 'validation'
serializer = Serializer(formats=['json'])
def obj_delete(self, request, **kwargs):
obj = self.get_by_resource_or_404(request, **kwargs)
if not (AppOwnerAuthorization().is_authorized(request,
object=obj.addon)
or OwnerAuthorization().is_authorized(request, object=obj) or
PermissionAuthorization('Users', 'Edit').is_authorized(request)
or PermissionAuthorization('Addons',
'Edit').is_authorized(request)):
raise ImmediateHttpResponse(response=http.HttpForbidden())
log.info('Rating %s deleted from addon %s' % (obj.pk, obj.addon.pk))
return super(RatingResource, self).obj_delete(request, **kwargs)
def obj_get(self, request=None, **kwargs):
# Until the perms branch lands, this is the only way to lock
# permissions down on gets, since the object doesn't actually
# get passed through to OwnerAuthorization.
try:
obj = FileUpload.objects.get(pk=kwargs['pk'])
except FileUpload.DoesNotExist:
raise ImmediateHttpResponse(response=http.HttpNotFound())
if not OwnerAuthorization().is_authorized(request, object=obj):
raise ImmediateHttpResponse(response=http.HttpForbidden())
log.info('Validation retreived: %s' % obj.pk)
return obj
def obj_create(self, bundle, request, **kwargs):
form = UploadForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
if not (OwnerAuthorization().is_authorized(request, object=form.obj)):
raise ImmediateHttpResponse(response=http.HttpForbidden())
plats = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
# Create app, user and fetch the icon.
bundle.obj = Webapp.from_upload(form.obj, plats)
AddonUser(addon=bundle.obj, user=request.amo_user).save()
tasks.fetch_icon.delay(bundle.obj)
log.info('App created: %s' % bundle.obj.pk)
return bundle
def obj_create(self, bundle, request, **kwargs):
form = UploadForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
if not (OwnerAuthorization().is_authorized(request, object=form.obj)):
raise ImmediateHttpResponse(response=http.HttpForbidden())
plats = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
# Create app, user and fetch the icon.
bundle.obj = Addon.from_upload(form.obj,
plats,
is_packaged=form.is_packaged)
AddonUser(addon=bundle.obj, user=request.amo_user).save()
self._icons_and_images(bundle.obj)
record_action('app-submitted', request, {'app-id': bundle.obj.pk})
log.info('App created: %s' % bundle.obj.pk)
return bundle