def dispatch(self, request_type, request, **kwargs):
"""
Handles the common operations (allowed HTTP method, authentication,
throttling, method lookup) surrounding most CRUD interactions.
"""
allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None)
if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.is_authenticated(request)
self.throttle_check(request)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponseBase):
return http.HttpNoContent()
return response
def dispatch_public(self, request_type, request, **kwargs):
"""
Same as `tastypie.resources.Resource.dispatch` except that
we don't check if the user is authenticated
"""
allowed_methods = getattr(self._meta,
"%s_allowed_methods" % request_type, None)
if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.throttle_check(request)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response
def is_authorized(self, request, **kwargs):
# allow all GET request limited by 'apply_limits'
if request.method == 'GET':
return True
request = convert_post_to_put(request)
if not "pk" in kwargs:
# post list
data = json.loads(request.raw_post_data)
if not "team" in data:
return HttpBadRequest("team attribute required")
# get pk from /api/v1/team/2/ team url string
pk = data["team"].split("/")[4]
team = Team.objects.get(pk=pk)
if request.user in team.admins:
# i am team admin?
return True
else:
# put detail
team_attr = TeamAttr.objects.get(pk=kwargs["pk"])
if request.user in team_attr.team.admins:
# allow team admins
return True
if request.user == team_attr.user and "is_admin" not in request.raw_post_data:
# permit current user to change its own attributes
return True
log.error("user %s is not authorized" % request.user)
return False
def nested_dispatch(self, request_type, request, **kwargs):
"""
Handles the common operations (allowed HTTP method, authentication,
throttling, method lookup) surrounding most CRUD interactions.
"""
allowed_methods = getattr(self._meta,
"%s_allowed_methods" % request_type, None)
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "nested_%s_%s" % (request_method, request_type),
None)
if method is None:
raise ImmediateHttpResponse(response=HttpNotImplemented())
self.is_authenticated(request)
self.is_authorized(request)
self.throttle_check(request)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return HttpAccepted()
return response
def is_authorized(self, request, **kwargs):
# allow all GET request limited by 'apply_limits'
if request.method == 'GET':
return True
request = convert_post_to_put(request)
data = dict()
if request.raw_post_data:
data = json.loads(request.raw_post_data)
OTHER_PROJECT_ADMIN = False
if "project" in data:
# get pk from /api/v1/project/2/ project url string
pk = data["project"].split("/")[4]
project = Project.objects.get(pk=pk)
if request.user in project.team.admins:
# team admin for other project?
OTHER_PROJECT_ADMIN = True
if not "pk" in kwargs:
# post list
if not "project" in data:
return HttpBadRequest("project attribute required")
return OTHER_PROJECT_ADMIN
else:
# put detail
sprint = SprintMeeting.objects.get(pk=kwargs["pk"])
if request.user in sprint.project.team.admins:
# allow team admins
if "project" in data:
return OTHER_PROJECT_ADMIN
return True
log.error("user %s is not authorized" % request.user)
return False
def dispatch_public(self, request_type, request, **kwargs):
"""
Same as `tastypie.resources.Resource.dispatch` except that
we don't check if the user is authenticated
"""
allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None)
if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.throttle_check(request)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response
def dispatch(self, request_type, request, **kwargs):
"""
From original Tastypie structure:
- lookup the API method
- authenticate
Other modifications:
- use of the "downloadID" cookie
"""
request_method = request.method.lower()
method = getattr(self, "%s_%s"
% (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=HttpNotImplemented())
# self.is_authenticated(request)
convert_post_to_put(request)
logger.info('calling method: %s.%s_%s',
self._meta.resource_name, request_method, request_type)
response = method(request, **kwargs)
# # If what comes back isn't a ``HttpResponse``, assume that the
# # request was accepted and that some action occurred. This also
# # prevents Django from freaking out.
if not isinstance(response, HttpResponseBase):
return HttpNoContent()
# Custom ICCB parameter: set cookie to tell the browser javascript
# UI that the download request is finished
downloadID = request.GET.get('downloadID', None)
if downloadID:
logger.info('set cookie "downloadID" %r', downloadID )
response.set_cookie('downloadID', downloadID)
else:
logger.debug('no downloadID: %s' % request.GET )
return response
def dispatch(self, request_type, request, **kwargs):
"""
Same as the usual dispatch, but knows if its being called from a nested
resource.
"""
allowed_methods = getattr(self._meta,
"%s_allowed_methods" % request_type, None)
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.is_authenticated(request)
self.throttle_check(request)
nested_name = kwargs.get('nested_name', None)
parent_resource = kwargs.get('parent_resource', None)
parent_object = kwargs.get('parent_object', None)
if nested_name is None:
self.is_authorized(request)
else:
self.is_authorized_nested(request, nested_name,
parent_resource,
parent_object)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response
def dispatch(self, request_type, request, **kwargs):
"""
Handles the common operations (allowed HTTP method, authentication,
throttling, method lookup) surrounding most CRUD interactions.
"""
allowed_methods = getattr(self._meta,
"%s_allowed_methods" % request_type, None)
if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.is_authenticated(request)
self.throttle_check(request)
# Set the pk of the request to that of the logged in user
if request_type == 'detail':
kwargs['pk'] = request.user.id
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response
def dispatch(self, request_type, request, **kwargs):
"""
Same as the usual dispatch, but knows if its being called from a nested
resource.
"""
allowed_methods = getattr(self._meta,
"%s_allowed_methods" % request_type, None)
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.is_authenticated(request)
self.throttle_check(request)
parent_resource = kwargs.get('parent_resource', None)
if parent_resource is None:
self.is_authorized(request)
else:
self.is_authorized_nested(request, kwargs['nested_name'],
parent_resource, kwargs['parent_object'])
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response