Ejemplo n.º 1
0
    def dispatch(self, request_type, request, **kwargs):
        """
        Handles the common operations (allowed HTTP method, authentication,
        throttling, method lookup) surrounding most CRUD interactions.
        """
        allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None)

        if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
            request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']

        request_method = self.method_check(request, allowed=allowed_methods)
        method = getattr(self, "%s_%s" % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=http.HttpNotImplemented())

        self.is_authenticated(request)
        self.throttle_check(request)

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponseBase):
            return http.HttpNoContent()

        return response
Ejemplo n.º 2
0
    def dispatch_public(self, request_type, request, **kwargs):
        """
            Same as `tastypie.resources.Resource.dispatch` except that
            we don't check if the user is authenticated
        """
        allowed_methods = getattr(self._meta,
                                  "%s_allowed_methods" % request_type, None)

        if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
            request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']

        request_method = self.method_check(request, allowed=allowed_methods)
        method = getattr(self, "%s_%s" % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=http.HttpNotImplemented())

        self.throttle_check(request)

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponse):
            return http.HttpNoContent()

        return response
Ejemplo n.º 3
0
 def is_authorized(self, request, **kwargs):
   # allow all GET request limited by 'apply_limits'
   if request.method == 'GET':
     return True
   
   request = convert_post_to_put(request)
   if not "pk" in kwargs:
     # post list
     data = json.loads(request.raw_post_data)
     
     if not "team" in data:
       return HttpBadRequest("team attribute required")
     
     # get pk from /api/v1/team/2/ team url string
     pk = data["team"].split("/")[4]
     team = Team.objects.get(pk=pk)
     if request.user in team.admins:
       # i am team admin?
       return True
   else:
     # put detail
     team_attr = TeamAttr.objects.get(pk=kwargs["pk"])
     if request.user in team_attr.team.admins:
       # allow team admins
       return True
     
     if request.user == team_attr.user and "is_admin" not in request.raw_post_data:
       # permit current user to change its own attributes
       return True
   
   log.error("user %s is not authorized" % request.user)
   return False
Ejemplo n.º 4
0
    def nested_dispatch(self, request_type, request, **kwargs):
        """
        Handles the common operations (allowed HTTP method, authentication,
        throttling, method lookup) surrounding most CRUD interactions.
        """
        allowed_methods = getattr(self._meta,
                                  "%s_allowed_methods" % request_type, None)
        request_method = self.method_check(request, allowed=allowed_methods)

        method = getattr(self, "nested_%s_%s" % (request_method, request_type),
                         None)

        if method is None:
            raise ImmediateHttpResponse(response=HttpNotImplemented())

        self.is_authenticated(request)
        self.is_authorized(request)
        self.throttle_check(request)

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponse):
            return HttpAccepted()

        return response
Ejemplo n.º 5
0
 def is_authorized(self, request, **kwargs):
   # allow all GET request limited by 'apply_limits'
   if request.method == 'GET':
     return True
   
   request = convert_post_to_put(request)
   data = dict()
   if request.raw_post_data:
     data = json.loads(request.raw_post_data)
   
   OTHER_PROJECT_ADMIN = False
   if "project" in data:
     # get pk from /api/v1/project/2/ project url string
     pk = data["project"].split("/")[4]
     project = Project.objects.get(pk=pk)
     if request.user in project.team.admins:
       # team admin for other project?
       OTHER_PROJECT_ADMIN = True
   
   if not "pk" in kwargs:
     # post list
     if not "project" in data:
       return HttpBadRequest("project attribute required")
     return OTHER_PROJECT_ADMIN
   else:
     # put detail
     sprint = SprintMeeting.objects.get(pk=kwargs["pk"])
     if request.user in sprint.project.team.admins:
       # allow team admins
       if "project" in data:
         return OTHER_PROJECT_ADMIN
       return True
   
   log.error("user %s is not authorized" % request.user)
   return False
Ejemplo n.º 6
0
    def dispatch_public(self, request_type, request, **kwargs):
         """
         Same as `tastypie.resources.Resource.dispatch` except that
         we don't check if the user is authenticated
         """
         allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None)

         if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
             request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
    
         request_method = self.method_check(request, allowed=allowed_methods)
         method = getattr(self, "%s_%s" % (request_method, request_type), None)

         if method is None:
             raise ImmediateHttpResponse(response=http.HttpNotImplemented())

         self.throttle_check(request)

         # All clear. Process the request.
         request = convert_post_to_put(request)
         response = method(request, **kwargs)

         # Add the throttled request.
         self.log_throttled_access(request)

         # If what comes back isn't a ``HttpResponse``, assume that the
         # request was accepted and that some action occurred. This also
         # prevents Django from freaking out.
         if not isinstance(response, HttpResponse):
             return http.HttpNoContent()

         return response
Ejemplo n.º 7
0
    def dispatch(self, request_type, request, **kwargs):
        """
        From original Tastypie structure:
        - lookup the API method
        - authenticate
        Other modifications:
        - use of the "downloadID" cookie
        """
        
        request_method = request.method.lower()
        method = getattr(self, "%s_%s" 
            % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=HttpNotImplemented())

#         self.is_authenticated(request)
        convert_post_to_put(request)
        logger.info('calling method: %s.%s_%s', 
            self._meta.resource_name, request_method, request_type)
        response = method(request, **kwargs)

        # # If what comes back isn't a ``HttpResponse``, assume that the
        # # request was accepted and that some action occurred. This also
        # # prevents Django from freaking out.
        if not isinstance(response, HttpResponseBase):
            return HttpNoContent()
        
        # Custom ICCB parameter: set cookie to tell the browser javascript
        # UI that the download request is finished
        downloadID = request.GET.get('downloadID', None)
        if downloadID:
            logger.info('set cookie "downloadID" %r', downloadID )
            response.set_cookie('downloadID', downloadID)
        else:
            logger.debug('no downloadID: %s' % request.GET )

        return response
    def dispatch(self, request_type, request, **kwargs):
        """
        Same as the usual dispatch, but knows if its being called from a nested
        resource.
        """
        allowed_methods = getattr(self._meta,
                                  "%s_allowed_methods" % request_type, None)
        request_method = self.method_check(request, allowed=allowed_methods)

        method = getattr(self, "%s_%s" % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=http.HttpNotImplemented())

        self.is_authenticated(request)
        self.throttle_check(request)

        nested_name = kwargs.get('nested_name', None)
        parent_resource = kwargs.get('parent_resource', None)
        parent_object = kwargs.get('parent_object', None)
        if nested_name is None:
            self.is_authorized(request)
        else:
            self.is_authorized_nested(request, nested_name,
                                      parent_resource,
                                      parent_object)

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponse):
            return http.HttpNoContent()

        return response
Ejemplo n.º 9
0
    def dispatch(self, request_type, request, **kwargs):
        """
        Handles the common operations (allowed HTTP method, authentication,
        throttling, method lookup) surrounding most CRUD interactions.
        """
        allowed_methods = getattr(self._meta,
                                  "%s_allowed_methods" % request_type, None)

        if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
            request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']

        request_method = self.method_check(request, allowed=allowed_methods)
        method = getattr(self, "%s_%s" % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=http.HttpNotImplemented())

        self.is_authenticated(request)
        self.throttle_check(request)

        # Set the pk of the request to that of the logged in user
        if request_type == 'detail':
            kwargs['pk'] = request.user.id

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponse):
            return http.HttpNoContent()

        return response
    def dispatch(self, request_type, request, **kwargs):
        """
        Same as the usual dispatch, but knows if its being called from a nested
        resource.
        """
        allowed_methods = getattr(self._meta,
                                  "%s_allowed_methods" % request_type, None)
        request_method = self.method_check(request, allowed=allowed_methods)

        method = getattr(self, "%s_%s" % (request_method, request_type), None)

        if method is None:
            raise ImmediateHttpResponse(response=http.HttpNotImplemented())

        self.is_authenticated(request)
        self.throttle_check(request)

        parent_resource = kwargs.get('parent_resource', None)
        if parent_resource is None:
            self.is_authorized(request)
        else:
            self.is_authorized_nested(request, kwargs['nested_name'],
                                      parent_resource, kwargs['parent_object'])

        # All clear. Process the request.
        request = convert_post_to_put(request)
        response = method(request, **kwargs)

        # Add the throttled request.
        self.log_throttled_access(request)

        # If what comes back isn't a ``HttpResponse``, assume that the
        # request was accepted and that some action occurred. This also
        # prevents Django from freaking out.
        if not isinstance(response, HttpResponse):
            return http.HttpNoContent()

        return response