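def post(self, request, format=None):
    """Create a PartyAffiliation linking ``childPartyId`` to ``parentPartyId``.

    Both ids are read from the request body. Returns the serialized child
    party with 201, or 400 when the caller is not a Phoenix client, an id
    is missing, or either party cannot be found.
    """
    if not isPhoenix(self.request):
        return HttpResponse(status=400)
    serializer_class = self.get_serializer_class()
    params = request.data
    # .get(): a missing key used to raise KeyError (HTTP 500) instead of 400.
    parentPartyId = params.get('parentPartyId')
    childPartyId = params.get('childPartyId')
    if not parentPartyId or not childPartyId:
        return Response(
            {'error': 'does not allow creation without parentPartyId or childPartyId'},
            status=status.HTTP_400_BAD_REQUEST)
    # filter().first() yields None for an unknown id. The original used
    # .get(), which raises DoesNotExist, so its "does not exist" branches
    # were unreachable and an unknown id produced a 500.
    parentParty = Party.objects.filter(partyId=parentPartyId).first()
    if parentParty is None:
        return Response({'error': 'parentParty does not exist'},
                        status=status.HTTP_400_BAD_REQUEST)
    childParty = Party.objects.filter(partyId=childPartyId).first()
    if childParty is None:
        return Response({'error': 'childParty does not exist'},
                        status=status.HTTP_400_BAD_REQUEST)
    PartyAffiliation.objects.create(childPartyId=childParty, parentPartyId=parentParty)
    serializer = serializer_class(childParty)
    return Response(serializer.data, status=status.HTTP_201_CREATED)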
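def put(self, request, format=None):
    """Partially update the credential selected by the ``partyId`` query parameter.

    Body fields are applied through CredentialSerializer. A ``password`` is
    stored as its SHA-1 hex digest and a ``name`` is also written to the
    linked Party. Returns the submitted data with 201, or the serializer
    errors with 400.
    """
    # TODO: security risk here, get username based on the partyId verified in isPhoenix -SC
    if not isPhoenix(self.request):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    serializer_class = CredentialSerializer
    params = request.GET
    if 'partyId' not in params:
        # This error was returned with the default 200 status.
        return Response({'error': 'Put method needs partyId'},
                        status=status.HTTP_400_BAD_REQUEST)
    # NOTE(review): when the queryset is empty obj is None and save()
    # creates a new credential from the partial body — confirm intended.
    obj = self.get_queryset().first()
    # request.data is immutable, so work on a copy (PW-123):
    # http://stackoverflow.com/questions/12611345/django-why-is-the-request-post-object-immutable
    # http://stackoverflow.com/questions/18930234/django-modifying-the-request-object
    data = request.data.copy()
    if 'password' in data:
        # NOTE: unsalted SHA-1 is not a suitable password hash. It is kept
        # because the stored format is presumably what the login path
        # compares against — migrating to a salted KDF needs a coordinated
        # change. The explicit UTF-8 encode makes non-ASCII passwords hash
        # instead of raising UnicodeEncodeError; ASCII digests are unchanged.
        data['password'] = hashlib.sha1(data['password'].encode('utf-8')).hexdigest()
    serializer = serializer_class(obj, data=data, partial=True)
    if not serializer.is_valid():
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
    serializer.save()
    # Mirror a changed name onto the owning Party record.
    if 'partyId' in serializer.data and 'name' in data:
        partyObj = Party.objects.all().get(partyId=serializer.data['partyId'])
        partySerializer = PartySerializer(partyObj, data={'name': data['name']}, partial=True)
        if partySerializer.is_valid():
            partySerializer.save()
    return Response(data, status=status.HTTP_201_CREATED)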
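def get(self, request, format=None):
    """Return the Party and Credential rows for the ``partyId`` query parameter.

    The body is a JSON list: the serialized party (or an error entry)
    followed by the serialized credential (or an error entry).
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    # .get(): a missing key used to raise KeyError (HTTP 500) instead of 400.
    partyId = params.get('partyId')
    if not partyId:
        return Response({'error': 'does not allow get without partyId'},
                        status=status.HTTP_400_BAD_REQUEST)
    out = []
    # get party
    party = Party.objects.filter(partyId=partyId).first()
    if party is not None:
        out.append(PartySerializer(party).data)
    else:
        out.append({'error': 'partyId ' + partyId + ' not found in Party tbl'})
    # get credential — first() instead of exists()+get(), so several
    # credentials for one party no longer raise MultipleObjectsReturned.
    credential = Credential.objects.filter(partyId=partyId).first()
    if credential is not None:
        out.append(CredentialSerializer(credential).data)
    else:
        out.append({'error': 'partyId ' + partyId + ' not found in Credential tbl'})
    return HttpResponse(json.dumps(out), content_type="application/json")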
def get_queryset(self):
    """Narrow the base queryset to the ``partyId`` query parameter.

    Returns an empty list for non-Phoenix callers and when ``partyId`` is
    absent. NOTE(review): the lookup uses ``.get()``, so the result is a
    single model instance rather than a queryset, and an unknown id
    raises DoesNotExist — confirm that callers expect this.
    """
    query = self.request.GET
    if not isPhoenix(self.request) or 'partyId' not in query:
        return []
    base = super(AffiliationCRUD, self).get_queryset()
    return base.get(partyId=query.get('partyId'))
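def post(self, request):
    """Generate up to 99 activation codes for a partner.

    Query parameters: ``quantity`` and ``period`` (integers), ``partnerId``
    and ``transactionType``. Each code is a random UUID4 stored as an
    unassigned ActivationCode (``partyId`` None) stamped with the current
    time. Returns the generated codes as a JSON list.
    """
    if not isPhoenix(request):
        return HttpResponse(status=400)
    try:
        quantity = int(request.GET.get('quantity'))
        period = int(request.GET.get('period'))
    except (TypeError, ValueError):
        # A missing or non-numeric value used to surface as a 500.
        return Response({'error': 'quantity and period must be integers'},
                        status=status.HTTP_400_BAD_REQUEST)
    partnerId = request.GET.get('partnerId')
    transactionType = request.GET.get('transactionType')
    if quantity > 99:
        # The original returned a bare list here, which Django cannot
        # serve; refuse the request explicitly instead.
        return Response({'error': 'quantity must not exceed 99'},
                        status=status.HTTP_400_BAD_REQUEST)
    try:
        partnerObj = Partner.objects.get(partnerId=partnerId)
    except Partner.DoesNotExist:
        return Response({'error': 'partner not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    now = timezone.now()
    activationCodes = []
    for _ in range(quantity):
        # create an activation code based on partnerId and period.
        activationCodeObj = ActivationCode(
            activationCode=str(uuid.uuid4()),
            partnerId=partnerObj,
            period=period,
            partyId=None,
            purchaseDate=now,
            transactionType=transactionType)
        activationCodeObj.save()
        activationCodes.append(activationCodeObj.activationCode)
    return HttpResponse(json.dumps(activationCodes), status=200)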
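def post(self, request, format=None):
    """E-mail a usage request for an institution or a consortium.

    The body names either ``institution`` or ``consortium`` plus ``partner``,
    ``name``, ``email``, ``startDate``, ``endDate`` and ``comments``.
    Returns ``{"message": "success"}`` once the mail has been sent, or 400
    when a field is missing or the party name cannot go into a mail header.
    """
    # security vulnerability: consortiumId should come from partyId in cookie that's been validated via isPhoenix -SC
    if not isPhoenix(request):
        return HttpResponse(status=400)
    data = request.data
    # .get(): a missing key used to raise KeyError (HTTP 500).
    if data.get('institution'):
        partyName = data['institution']
        partyTypeName = 'Institution'
    elif data.get('consortium'):
        partyName = data['consortium']
        partyTypeName = 'Consortium'
    else:
        # Previously an e-mail with empty party fields was still sent.
        return Response({'error': 'institution or consortium required'},
                        status=status.HTTP_400_BAD_REQUEST)
    required = ('partner', 'name', 'email', 'startDate', 'endDate', 'comments')
    missing = [field for field in required if field not in data]
    if missing:
        return Response({'error': 'missing fields: ' + ', '.join(missing)},
                        status=status.HTTP_400_BAD_REQUEST)
    subject = "%s Usage Request For %s" % (partyTypeName, partyName)
    # The party name lands in the Subject header; a CR/LF in it makes
    # send_mail raise BadHeaderError (HTTP 500), so reject it up front.
    if '\n' in subject or '\r' in subject:
        return Response({'error': 'invalid characters in party name'},
                        status=status.HTTP_400_BAD_REQUEST)
    message = ("Partner: %s\n"
               "%s: %s\n"
               "User: %s\n"
               "Email: %s\n"
               "Start date: %s\n"
               "End date: %s\n"
               "Comments: %s\n") % (
        data['partner'], partyTypeName, partyName, data['name'],
        data['email'], data['startDate'], data['endDate'], data['comments'])
    from_email = "*****@*****.**"
    recipient_list = ["*****@*****.**"]
    send_mail(subject=subject, message=message, from_email=from_email,
              recipient_list=recipient_list)
    return HttpResponse(json.dumps({'message': 'success'}), status=200)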
def get_queryset(self):
    """Return organization-type parties matching the ``partyId`` query parameter.

    Non-Phoenix callers and requests without ``partyId`` get an empty list.
    """
    query = self.request.GET
    if not isPhoenix(self.request) or 'partyId' not in query:
        return []
    base = super(InstitutionCRUD, self).get_queryset()
    return base.filter(partyId=query.get('partyId')).filter(partyType="organization")
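def put(self, request):
    """Set ``deleteMarker`` on the activation codes named in the query string.

    ``activationCodeId`` is a comma-separated list of integer ids and
    ``deleteMarker`` is ``'true'`` (anything else means false). Returns the
    updated codes serialized with 200, or 400 on a missing or invalid
    parameter or a failed update.
    """
    if not isPhoenix(request):
        return HttpResponse(status=400)
    params = request.GET
    for field in ('activationCodeId', 'deleteMarker'):
        if field not in params:
            return Response({"error": field + " field is needed."},
                            status=status.HTTP_400_BAD_REQUEST)
    deleteMarker = params['deleteMarker'] == 'true'
    try:
        activationCodeIdList = [int(part) for part in params['activationCodeId'].split(',')]
    except ValueError:
        # A non-numeric id used to escape as a 500 before the update ran.
        return Response({'error': 'activationCodeId must be a comma-separated list of integers'},
                        status=status.HTTP_400_BAD_REQUEST)
    activationCodes = ActivationCode.objects.all().filter(activationCodeId__in=activationCodeIdList)
    try:
        activationCodes.update(deleteMarker=deleteMarker)
    except Exception:
        # Narrowed from a bare except so SystemExit/KeyboardInterrupt propagate.
        return Response({'error': 'update deleteMarker error'},
                        status=status.HTTP_400_BAD_REQUEST)
    serializers = ActivationCodeSerializer(activationCodes, many=True)
    return Response(serializers.data, status=status.HTTP_200_OK)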
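def post(self, request, format=None):
    """E-mail a usage request for an institution or a consortium.

    The body names either ``institution`` or ``consortium`` plus ``partner``,
    ``name``, ``email``, ``startDate``, ``endDate`` and ``comments``.
    Returns ``{"message": "success"}`` once the mail has been sent, or 400
    when a field is missing or the party name cannot go into a mail header.
    """
    # security vulnerability: consortiumId should come from partyId in cookie that's been validated via isPhoenix -SC
    if not isPhoenix(request):
        return HttpResponse(status=400)
    data = request.data
    # .get(): a missing key used to raise KeyError (HTTP 500).
    if data.get('institution'):
        partyName = data['institution']
        partyTypeName = 'Institution'
    elif data.get('consortium'):
        partyName = data['consortium']
        partyTypeName = 'Consortium'
    else:
        # Previously an e-mail with empty party fields was still sent.
        return Response({'error': 'institution or consortium required'},
                        status=status.HTTP_400_BAD_REQUEST)
    required = ('partner', 'name', 'email', 'startDate', 'endDate', 'comments')
    missing = [field for field in required if field not in data]
    if missing:
        return Response({'error': 'missing fields: ' + ', '.join(missing)},
                        status=status.HTTP_400_BAD_REQUEST)
    subject = "%s Usage Request For %s" % (partyTypeName, partyName)
    # The party name lands in the Subject header; a CR/LF in it makes
    # send_mail raise BadHeaderError (HTTP 500), so reject it up front.
    if '\n' in subject or '\r' in subject:
        return Response({'error': 'invalid characters in party name'},
                        status=status.HTTP_400_BAD_REQUEST)
    message = ("Partner: %s\n"
               "%s: %s\n"
               "User: %s\n"
               "Email: %s\n"
               "Start date: %s\n"
               "End date: %s\n"
               "Comments: %s\n") % (
        data['partner'], partyTypeName, partyName, data['name'],
        data['email'], data['startDate'], data['endDate'], data['comments'])
    from_email = "*****@*****.**"
    recipient_list = ["*****@*****.**"]
    send_mail(subject=subject, message=message, from_email=from_email,
              recipient_list=recipient_list)
    return HttpResponse(json.dumps({'message': 'success'}), status=200)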
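def put(self, request, format=None):
    """Partially update the credential selected by the ``userIdentifier`` query parameter.

    A ``password`` in the body is stored as its SHA-1 hex digest and a
    ``name`` is mirrored onto the linked Party. On success the submitted
    data is returned with 200, extended with a ``loginKey`` derived from
    the stored password when one was set (PW-254, TAIR-2493); serializer
    errors come back with 400.
    """
    # TODO: security risk here, get username based on the partyId verified in isPhoenix -SC
    if not isPhoenix(self.request):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    serializer_class = self.get_serializer_class()
    params = request.GET
    if 'userIdentifier' not in params:
        # This error was returned with the default 200 status.
        return Response({'error': 'Put method needs userIdentifier'},
                        status=status.HTTP_400_BAD_REQUEST)
    # NOTE(review): when the queryset is empty obj is None and save()
    # creates a new credential from the partial body — confirm intended.
    obj = self.get_queryset().first()
    # request.data is immutable, so work on a copy (PW-123):
    # http://stackoverflow.com/questions/12611345/django-why-is-the-request-post-object-immutable
    # http://stackoverflow.com/questions/18930234/django-modifying-the-request-object
    data = request.data.copy()
    if 'password' in data:
        # NOTE: unsalted SHA-1 is not a suitable password hash. It is kept
        # because the stored format is presumably what the login path
        # compares against — migrating to a salted KDF needs a coordinated
        # change. The explicit UTF-8 encode makes non-ASCII passwords hash
        # instead of raising UnicodeEncodeError; ASCII digests are unchanged.
        data['password'] = hashlib.sha1(data['password'].encode('utf-8')).hexdigest()
    serializer = serializer_class(obj, data=data, partial=True)
    if not serializer.is_valid():
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
    # The instance actually written: identical to obj when it existed, and
    # the freshly created row otherwise (obj would be None there).
    saved = serializer.save()
    # update party info
    if 'partyId' in serializer.data and 'name' in data:
        partyObj = Party.objects.all().get(partyId=serializer.data['partyId'])
        partySerializer = PartySerializer(partyObj, data={'name': data['name']}, partial=True)
        if partySerializer.is_valid():
            partySerializer.save()
    if 'password' in data:
        # Derived from the hashed value now held in data['password'], as
        # before — the login path must compute the same key. PW-254 / TAIR-2493.
        data['loginKey'] = generateSecretKey(str(saved.partyId.partyId), data['password'])
    return Response(data, status=status.HTTP_200_OK)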
def get_queryset(self):
    """Return consortium-type parties matching the ``partyId`` query parameter (PW-161).

    Non-Phoenix callers and requests without ``partyId`` get an empty list.
    """
    query = self.request.GET
    if not isPhoenix(self.request) or 'partyId' not in query:
        return []
    base = super(ConsortiumCRUD, self).get_queryset()
    return base.filter(partyId=query.get('partyId')).filter(partyType="consortium")
def get_queryset(self):
    """Filter the base queryset by ``partyId`` or, failing that, by ``partyType``.

    Non-Phoenix callers and requests naming neither parameter get an empty list.
    """
    if not isPhoenix(self.request):
        return []
    query = self.request.GET
    if 'partyId' in query:
        return super(PartyCRUD, self).get_queryset().filter(partyId=query.get('partyId'))
    if 'partyType' in query:
        return super(PartyCRUD, self).get_queryset().filter(partyType=query.get('partyType'))
    return []
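def post(self, request, format=None):
    """Create a consortium Party together with its Phoenix credential.

    The body must carry ``partyType == "consortium"``. ``password`` may be
    omitted (the credential is then created without one) but must not be
    empty when present; it is stored as its SHA-1 hex digest. An ``email``
    already used by another consortium's Phoenix credential is rejected.
    Both rows are written inside one transaction so a credential
    validation failure no longer leaves an orphan Party behind. Returns a
    JSON list ``[party, credential]`` with 201, or the failing
    serializer's errors with 400.
    """
    from django.db import transaction

    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'POST parties/consortiums/ credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    data = request.data.copy()
    if 'partyType' not in data:
        return Response({'error': 'POST method needs partyType'},
                        status=status.HTTP_400_BAD_REQUEST)
    if data['partyType'] != "consortium":
        return Response({'error': 'POST parties/consortiums/. patyType must be consortium'},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'email' in data:
        usedBy = (Credential.objects.all().filter(email=data['email'])
                  .filter(partnerId='phoenix').values_list('partyId', flat=True))
        for partyId in usedBy:
            if Party.objects.all().filter(partyId=partyId).filter(partyType='consortium').exists():
                return Response({'error': 'This email is already used by another consortium.'},
                                status=status.HTTP_400_BAD_REQUEST)
    # Omitting password is allowed (the credential is created with an empty
    # one); passing it with an empty value is an error.
    pwd = 'password' in data
    if pwd and not data['password']:
        return Response({'error': 'POST parties/consortiums/ password must not be empty'},
                        status=status.HTTP_400_BAD_REQUEST)
    partySerializer = PartySerializer(data=data)
    if not partySerializer.is_valid():
        return Response(partySerializer.errors, status=status.HTTP_400_BAD_REQUEST)
    with transaction.atomic():
        partySerializer.save()
        data['partyId'] = partySerializer.data['partyId']
        if pwd:
            # NOTE: unsalted SHA-1 is not a suitable password hash; kept
            # because the login path presumably compares against this
            # format. The explicit UTF-8 encode lets non-ASCII passwords
            # hash instead of raising; ASCII digests are unchanged.
            data['password'] = hashlib.sha1(data['password'].encode('utf-8')).hexdigest()
            credentialSerializer = CredentialSerializer(data=data)
        else:
            credentialSerializer = CredentialSerializerNoPassword(data=data)
        if not credentialSerializer.is_valid():
            # Returning normally would commit the Party insert; roll it back.
            transaction.set_rollback(True)
            return Response(credentialSerializer.errors, status=status.HTTP_400_BAD_REQUEST)
        credentialSerializer.save()
    out = [partySerializer.data, credentialSerializer.data]
    return HttpResponse(json.dumps(out), content_type="application/json",
                        status=status.HTTP_201_CREATED)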
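def post(self, request):
    """Create or extend a subscription.

    With ``activationCode`` in the body the code must exist and be unused;
    the (party, partner) subscription is created or updated through
    SubscriptionControl.createOrUpdateSubscription, a SubscriptionTransaction
    is recorded and the code is bound to the party. Without it, a Phoenix
    caller creates a subscription straight from the serializer with a
    'create' transaction. Success returns the serialized subscription plus
    ``subscriptionTransactionId`` with 201; failures return 400 (the
    step-failure messages used to be sent with a 200 status).
    """
    if 'activationCode' in request.data:
        # NOTE(review): this path performs no isPhoenix() check — the code
        # itself is the only credential. Confirm that is intended.
        code = request.data['activationCode']
        activationCodeObj = ActivationCode.objects.filter(activationCode=code).first()
        if activationCodeObj is None:
            return Response({"message": "incorrect activation code"},
                            status=status.HTTP_400_BAD_REQUEST)
        if activationCodeObj.partyId is not None:
            return Response({"message": "activation code is already used"},
                            status=status.HTTP_400_BAD_REQUEST)
        try:
            partyId = request.data['partyId']
            partnerId = activationCodeObj.partnerId.partnerId
            period = activationCodeObj.period
            # retrieve and update the existing subscription, or create a new
            # one if partner/party does not already have one.
            (subscription, transactionType, transactionStartDate,
             transactionEndDate) = SubscriptionControl.createOrUpdateSubscription(
                partyId, partnerId, period)
        except Exception:
            return Response('failed to create or update subscription',
                            status=status.HTTP_400_BAD_REQUEST)
        try:
            # the transaction type comes from the activation code, not from
            # createOrUpdateSubscription
            transactionType = activationCodeObj.transactionType
            subscription.save()
            transaction = SubscriptionTransaction.createFromSubscription(
                subscription, transactionType, transactionStartDate, transactionEndDate)
        except Exception:
            return Response('failed to create transaction',
                            status=status.HTTP_400_BAD_REQUEST)
        # mark the activation code as used by binding it to the party
        try:
            partyObj = Party.objects.get(partyId=partyId)
        except Exception:
            return Response('failed to get partyObj',
                            status=status.HTTP_400_BAD_REQUEST)
        try:
            activationCodeObj.partyId = partyObj
            activationCodeObj.save()
        except Exception:
            return Response('failed to save activationCodeObj',
                            status=status.HTTP_400_BAD_REQUEST)
        returnData = self.serializer_class(subscription).data
        returnData['subscriptionTransactionId'] = transaction.subscriptionTransactionId
        return Response(returnData, status=status.HTTP_201_CREATED)
    # basic subscription creation
    if not isPhoenix(self.request):
        # The original referenced `serializer` here before it was bound.
        return Response({'error': 'Phoenix credential required'},
                        status=status.HTTP_400_BAD_REQUEST)
    serializer = self.serializer_class(data=request.data)
    if serializer.is_valid():
        subscription = serializer.save()
        transaction = SubscriptionTransaction.createFromSubscription(subscription, 'create')
        returnData = serializer.data
        returnData['subscriptionTransactionId'] = transaction.subscriptionTransactionId
        return Response(returnData, status=status.HTTP_201_CREATED)
    return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)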
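def put(self, request, format=None):
    """Update a consortium Party and its Phoenix credential.

    ``partyId`` in the body selects the consortium. A ``password`` is stored
    as its SHA-1 hex digest and the credential is fully validated (and
    created for partner 'phoenix' if none exists); without a password only
    the supplied credential fields are updated. An ``email`` used by
    another consortium's Phoenix credential is rejected. Returns a JSON
    list ``[party, credential]``, or the failing serializer's errors with 400.
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'PUT parties/consortiums/ credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    # http://stackoverflow.com/questions/18930234/django-modifying-the-request-object
    data = request.data.copy()
    if not request.GET:
        return Response({'error': 'PUT parties/consortiums/ does not allow update without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'partyId' not in request.data:
        return Response({'error': 'PUT parties/consortiums/ partyId required'},
                        status=status.HTTP_400_BAD_REQUEST)
    consortiumId = request.data['partyId']
    # get party — an unknown id used to raise DoesNotExist (HTTP 500)
    party = Party.objects.filter(partyId=consortiumId).first()
    if party is None:
        return Response({'error': 'PUT parties/consortiums/ partyId not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    partySerializer = PartySerializer(party, data=data)
    if 'email' in data:
        # Exclude this consortium's own credential, otherwise re-submitting
        # its current e-mail was rejected as a duplicate.
        others = (Credential.objects.all().filter(email=data['email'])
                  .filter(partnerId='phoenix').exclude(partyId=party)
                  .values_list('partyId', flat=True))
        for partyId in others:
            if Party.objects.all().filter(partyId=partyId).filter(partyType='consortium').exists():
                return Response({'error': 'This email is already used by another consortium.'},
                                status=status.HTTP_400_BAD_REQUEST)
    try:
        credential = Credential.objects.get(partyId=party)
    except Credential.DoesNotExist:
        credential = None
    if 'password' in request.data:
        if not data['password']:
            return Response({'error': 'PUT parties/consortiums/ password must not be empty'},
                            status=status.HTTP_400_BAD_REQUEST)
        # NOTE: unsalted SHA-1 is not a suitable password hash; kept because
        # the login path presumably compares against this format. The
        # explicit UTF-8 encode lets non-ASCII passwords hash instead of
        # raising; ASCII digests are unchanged.
        data['password'] = hashlib.sha1(data['password'].encode('utf-8')).hexdigest()
        if credential is not None:
            credentialSerializer = CredentialSerializer(credential, data=data)
        else:
            data['partnerId'] = 'phoenix'
            credentialSerializer = CredentialSerializer(data=data)
    elif credential is not None:
        credentialSerializer = CredentialSerializerNoPassword(credential, data=data, partial=True)
    else:
        # The original raised NameError here (`credential` was unbound when
        # no password was sent). Mirror the password branch and create the
        # credential for partner 'phoenix' without a password.
        data['partnerId'] = 'phoenix'
        credentialSerializer = CredentialSerializerNoPassword(data=data)
    if not partySerializer.is_valid():
        return Response(partySerializer.errors, status=status.HTTP_400_BAD_REQUEST)
    partySerializer.save()
    out = [partySerializer.data]
    if not credentialSerializer.is_valid():
        return Response(credentialSerializer.errors, status=status.HTTP_400_BAD_REQUEST)
    credentialSerializer.save()
    out.append(credentialSerializer.data)
    return HttpResponse(json.dumps(out), content_type="application/json")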
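def get(self, request, consortiumId, format=None):
    """List the parties affiliated to consortium ``consortiumId`` as a JSON array.

    Returns 400 when the caller is not a Phoenix client or the consortium
    does not exist (previously an unhandled DoesNotExist, HTTP 500).
    """
    # security vulnerability: consortiumId should come from partyId in cookie that's been validated via isPhoenix -SC
    if not isPhoenix(request):
        return HttpResponse(status=400)
    consortium = Party.objects.filter(partyId=consortiumId).first()
    if consortium is None:
        return Response({'error': 'consortium not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    institutions = consortium.party_set.all()
    serializer = PartySerializer(institutions, many=True)
    ret = [dict(s) for s in serializer.data]
    return HttpResponse(json.dumps(ret), status=200)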
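def delete(self, request, format=None):
    """Remove the PartyAffiliation between ``childPartyId`` and ``parentPartyId`` (body fields).

    Returns the serialized child party, or 400 when an id is missing or
    either party is unknown (previously a KeyError / DoesNotExist, HTTP 500,
    and the missing-id error carried a 200 status).
    """
    if not isPhoenix(self.request):
        return HttpResponse(status=400)
    serializer_class = self.get_serializer_class()
    params = request.data
    parentPartyId = params.get('parentPartyId')
    childPartyId = params.get('childPartyId')
    if not parentPartyId or not childPartyId:
        return Response({'error': 'does not allow deletion without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    parentParty = Party.objects.filter(partyId=parentPartyId).first()
    if parentParty is None:
        return Response({'error': 'cannot find parent party'},
                        status=status.HTTP_400_BAD_REQUEST)
    childParty = Party.objects.filter(partyId=childPartyId).first()
    if childParty is None:
        return Response({'error': 'cannot find child party'},
                        status=status.HTTP_400_BAD_REQUEST)
    PartyAffiliation.objects.filter(childPartyId=childParty, parentPartyId=parentParty).delete()
    serializer = serializer_class(childParty)
    return Response(serializer.data)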
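def post(self, request, format=None):
    """E-mail an institution usage request built from the request body.

    Requires ``institution``, ``partner``, ``startDate``, ``endDate`` and
    ``comments``. Returns ``{"message": "success"}`` once the mail has been
    sent, or 400 when a field is missing or the institution name cannot
    go into a mail header.
    """
    # security vulnerability: consortiumId should come from partyId in cookie that's been validated via isPhoenix -SC
    if not isPhoenix(request):
        return HttpResponse(status=400)
    data = request.data
    # A missing key used to raise KeyError (HTTP 500).
    required = ('institution', 'partner', 'startDate', 'endDate', 'comments')
    missing = [field for field in required if field not in data]
    if missing:
        return Response({'error': 'missing fields: ' + ', '.join(missing)},
                        status=status.HTTP_400_BAD_REQUEST)
    subject = "Institution Usage Request For %s" % (data['institution'])
    # The institution name lands in the Subject header; a CR/LF in it makes
    # send_mail raise BadHeaderError (HTTP 500), so reject it up front.
    if '\n' in subject or '\r' in subject:
        return Response({'error': 'invalid characters in institution name'},
                        status=status.HTTP_400_BAD_REQUEST)
    message = ("Partner: %s\n"
               "Institution: %s\n"
               "Start date: %s\n"
               "End date: %s\n"
               "Comments: %s\n") % (
        data['partner'], data['institution'], data['startDate'],
        data['endDate'], data['comments'])
    from_email = "*****@*****.**"
    recipient_list = ["*****@*****.**"]
    send_mail(subject=subject, message=message, from_email=from_email,
              recipient_list=recipient_list)
    return HttpResponse(json.dumps({'message': 'success'}), status=200)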
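def put(self, request):
    """Update the subscription named by the ``subscriptionId`` query parameter from the body.

    Returns the serialized subscription, or 400 when the id is missing or
    unknown (the missing-id error used to carry a 200 status and an
    unknown id raised DoesNotExist, HTTP 500) or the body is invalid.
    """
    if not isPhoenix(request):
        return HttpResponse(status=400)
    subscriptionId = request.GET.get('subscriptionId')
    if subscriptionId is None:
        return Response({'error': 'subscriptionId required'},
                        status=status.HTTP_400_BAD_REQUEST)
    subscription = Subscription.objects.all().filter(subscriptionId=subscriptionId).first()
    if subscription is None:
        return Response({'error': 'subscription not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    serializer = SubscriptionSerializer(subscription, data=request.data)
    if serializer.is_valid():
        serializer.save()
        return Response(serializer.data)
    return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)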
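def post(self, request):
    """E-mail a subscription request built from the form fields.

    Reads ``partnerName``, ``email``, ``institution`` and ``comments`` from
    request.POST (absent fields render as ``None``, as before). Returns
    ``{"message": "success"}`` once the mail has been sent, or 400 when a
    header field contains a line break.
    """
    if not isPhoenix(request):
        return HttpResponse(status=400)
    form = request.POST
    subject = "%s Subscription Request For %s" % (form.get('partnerName'), form.get('institution'))
    # A CR/LF in the Subject makes send_mail raise BadHeaderError (HTTP 500).
    if '\n' in subject or '\r' in subject:
        return Response({'error': 'invalid characters in partnerName or institution'},
                        status=status.HTTP_400_BAD_REQUEST)
    message = ("\n"
               "\n"
               "Please contact me about a subscription request. My information is below.\n"
               "Product: %s\n"
               "Email: %s \n"
               "Institution Name: %s \n"
               "Comments: %s \n"
               "\n") % (
        form.get('partnerName'), form.get('email'), form.get('institution'),
        form.get('comments'))
    from_email = "*****@*****.**"
    recipient_list = ["*****@*****.**"]
    send_mail(subject=subject, message=message, from_email=from_email,
              recipient_list=recipient_list)
    return HttpResponse(json.dumps({'message': 'success'}), content_type="application/json")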
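def put(self, request, format=None):
    """Update an institution Party and its credential.

    ``partyId`` (the institution id) in the body selects both records. A
    ``password`` is stored as its SHA-1 hex digest and triggers full
    credential validation; without one only the supplied credential fields
    are updated. Returns a JSON list ``[party, credential]``, or the
    failing serializer's errors with 400.
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    data = request.data.copy()
    if not params:
        return Response({'error': 'does not allow update without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'partyId' not in request.data:
        return Response({'error': 'partyId (aka institutionId) required'},
                        status=status.HTTP_400_BAD_REQUEST)
    institutionId = request.data['partyId']
    # get party — an unknown id used to raise DoesNotExist (HTTP 500)
    party = Party.objects.filter(partyId=institutionId).first()
    if party is None:
        return Response({'error': 'partyId %s not found' % institutionId},
                        status=status.HTTP_400_BAD_REQUEST)
    partySerializer = PartySerializer(party, data=data)
    # get credential
    try:
        credential = Credential.objects.get(partyId=institutionId)
    except Credential.DoesNotExist:
        return Response({'error': 'credential for partyId %s not found' % institutionId},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'password' in request.data:
        if not data['password']:
            return Response({'error': 'PUT parties/institutions/ password must not be empty'},
                            status=status.HTTP_400_BAD_REQUEST)
        # NOTE: unsalted SHA-1 is not a suitable password hash; kept because
        # the login path presumably compares against this format. The
        # explicit UTF-8 encode lets non-ASCII passwords hash instead of
        # raising; ASCII digests are unchanged.
        data['password'] = hashlib.sha1(data['password'].encode('utf-8')).hexdigest()
        credentialSerializer = CredentialSerializer(credential, data=data)
    else:
        # partial: only the fields present in the body are validated/updated
        credentialSerializer = CredentialSerializerNoPassword(credential, data=data, partial=True)
    if not partySerializer.is_valid():
        return Response(partySerializer.errors, status=status.HTTP_400_BAD_REQUEST)
    partySerializer.save()
    out = [partySerializer.data]
    if not credentialSerializer.is_valid():
        return Response(credentialSerializer.errors, status=status.HTTP_400_BAD_REQUEST)
    credentialSerializer.save()
    out.append(credentialSerializer.data)
    return HttpResponse(json.dumps(out), content_type="application/json")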
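def post(self, request):
    """E-mail a subscription request built from the request body.

    Requires ``partnerName``, ``partyName``, ``email``, ``partyType`` and
    ``comments``. Returns ``{"message": "success"}`` once the mail has been
    sent, or 400 when a field is missing or a header field contains a
    line break.
    """
    if not isPhoenix(request):
        return HttpResponse(status=400)
    data = request.data
    # A missing key used to raise KeyError (HTTP 500).
    required = ('partnerName', 'partyName', 'email', 'partyType', 'comments')
    missing = [field for field in required if field not in data]
    if missing:
        return Response({'error': 'missing fields: ' + ', '.join(missing)},
                        status=status.HTTP_400_BAD_REQUEST)
    subject = "%s Subscription Request For %s" % (data['partnerName'], data['partyName'])
    # A CR/LF in the Subject makes send_mail raise BadHeaderError (HTTP 500).
    if '\n' in subject or '\r' in subject:
        return Response({'error': 'invalid characters in partnerName or partyName'},
                        status=status.HTTP_400_BAD_REQUEST)
    message = ("\n"
               "\n"
               "Please contact me about a subscription request. My information is below.\n"
               "Product: %s\n"
               "Email: %s \n"
               "%s: %s \n"
               "Comments: %s \n"
               "\n") % (
        data['partnerName'], data['email'], data['partyType'],
        data['partyName'], data['comments'])
    from_email = "*****@*****.**"
    recipient_list = ["*****@*****.**"]
    send_mail(subject=subject, message=message, from_email=from_email,
              recipient_list=recipient_list)
    return HttpResponse(json.dumps({'message': 'success'}), content_type="application/json")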
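def post(self, request, format=None):
    """Create a PartyAffiliation linking ``childPartyId`` to ``parentPartyId``.

    Both ids are read from the request body. Returns the serialized child
    party with 201, or 400 when the caller is not a Phoenix client, an id
    is missing, or either party cannot be found.
    """
    if not isPhoenix(self.request):
        return HttpResponse(status=400)
    serializer_class = self.get_serializer_class()
    params = request.data
    # .get(): a missing key used to raise KeyError (HTTP 500) instead of 400.
    parentPartyId = params.get('parentPartyId')
    childPartyId = params.get('childPartyId')
    if not parentPartyId or not childPartyId:
        return Response({'error': 'does not allow creation without parentPartyId or childPartyId'},
                        status=status.HTTP_400_BAD_REQUEST)
    # filter().first() yields None for an unknown id. The original used
    # .get(), which raises DoesNotExist, so its "does not exist" branches
    # were unreachable and an unknown id produced a 500.
    parentParty = Party.objects.filter(partyId=parentPartyId).first()
    if parentParty is None:
        return Response({'error': 'parentParty does not exist'},
                        status=status.HTTP_400_BAD_REQUEST)
    childParty = Party.objects.filter(partyId=childPartyId).first()
    if childParty is None:
        return Response({'error': 'childParty does not exist'},
                        status=status.HTTP_400_BAD_REQUEST)
    PartyAffiliation.objects.create(childPartyId=childParty, parentPartyId=parentParty)
    serializer = serializer_class(childParty)
    return Response(serializer.data, status=status.HTTP_201_CREATED)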
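def delete(self, request, format=None):
    """Remove the PartyAffiliation between the ``childPartyId`` and ``parentPartyId`` query parameters.

    Returns the serialized child party, or 400 when an id is missing or
    either party is unknown. The original's ``.get()`` lookups raised
    DoesNotExist (HTTP 500) instead of reaching the "cannot find" branches,
    and a missing id raised KeyError.
    """
    if not isPhoenix(self.request):
        return HttpResponse(status=400)
    serializer_class = self.get_serializer_class()
    params = request.GET
    parentPartyId = params.get('parentPartyId')
    childPartyId = params.get('childPartyId')
    if not parentPartyId or not childPartyId:
        return Response({'error': 'does not allow deletion without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    parentParty = Party.objects.filter(partyId=parentPartyId).first()
    if parentParty is None:
        return Response({'error': 'cannot find parent party'},
                        status=status.HTTP_400_BAD_REQUEST)
    childParty = Party.objects.filter(partyId=childPartyId).first()
    if childParty is None:
        return Response({'error': 'cannot find child party'},
                        status=status.HTTP_400_BAD_REQUEST)
    PartyAffiliation.objects.filter(childPartyId=childParty, parentPartyId=parentParty).delete()
    serializer = serializer_class(childParty)
    return Response(serializer.data)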
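def delete(self, request, format=None):
    """Delete the institution Party named by the ``partyId`` query parameter.

    Ids are read from the query string because some browsers drop the body
    of a DELETE. Per the original note the credential is deleted
    automatically with the party. Returns a success message with 200, or
    400 when the parameter is missing or the party is unknown.
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    if not params:
        return Response({'error': 'does not allow update without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'partyId' not in params:
        return Response({'error': 'partyId (aka institutionId) required'},
                        status=status.HTTP_400_BAD_REQUEST)
    institutionId = params['partyId']
    party = Party.objects.filter(partyId=institutionId).first()
    if party is None:
        return Response({'error': 'delete partyId ' + institutionId + ' failed. partyId not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    party.delete()  # credential is being deleted automatically
    return Response({'success': 'delete partyId ' + institutionId + ' completed'},
                    status=status.HTTP_200_OK)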
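def delete(self, request, format=None):
    """Soft-delete every record in the filtered queryset by stamping ``expiredAt``.

    Records that already carry an ``expiredAt`` are left untouched. Requires
    a Phoenix credential unless ``self.phoenixOnly`` is false, and refuses
    to run without query parameters (that error used to be sent with a
    200 status). Returns the serialized records.
    """
    if self.phoenixOnly and not isPhoenix(self.request):
        return Response({'error': 'Pheonix credential required'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    # does not allow user to update everything, too dangerous
    if not params:
        return Response({'error': 'does not allow delete without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    serializer_class = self.get_serializer_class()
    ret = []
    for entry in self.get_queryset():
        # do nothing if the record has already been expired
        if not entry.expiredAt:
            # NOTE(review): this is a naive local datetime; under USE_TZ the
            # aware timezone.now() used elsewhere would be the right value.
            entry.expiredAt = datetime.datetime.now()
            entry.save()
        ret.append(serializer_class(entry).data)
    return Response(ret)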
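def get(self, request, format=None):
    """Return the Party and Credential rows for the ``partyId`` query parameter.

    The body is a JSON list: the serialized party (or an error entry)
    followed by the serialized credential (or an error entry).
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    # .get(): a missing key used to raise KeyError (HTTP 500) instead of 400.
    partyId = params.get('partyId')
    if not partyId:
        return Response({'error': 'does not allow get without partyId'},
                        status=status.HTTP_400_BAD_REQUEST)
    out = []
    # get party
    party = Party.objects.filter(partyId=partyId).first()
    if party is not None:
        out.append(PartySerializer(party).data)
    else:
        out.append({'error': 'partyId ' + partyId + ' not found in Party tbl'})
    # get credential — first() instead of exists()+get(), so several
    # credentials for one party no longer raise MultipleObjectsReturned.
    credential = Credential.objects.filter(partyId=partyId).first()
    if credential is not None:
        out.append(CredentialSerializer(credential).data)
    else:
        out.append({'error': 'partyId ' + partyId + ' not found in Credential tbl'})
    return HttpResponse(json.dumps(out), content_type="application/json")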
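def delete(self, request, format=None):
    """Delete the institution Party named by ``partyId``.

    ``partyId`` is taken from the query string when present and from the
    body otherwise — some browsers drop the body of a DELETE, while
    existing callers may still send it there. Per the original note the
    credential is deleted automatically with the party. Returns a success
    message with 200, or 400 when the id is missing or unknown.
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    if not params:
        return Response({'error': 'does not allow update without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    institutionId = params.get('partyId') or request.data.get('partyId')
    if not institutionId:
        return Response({'error': 'partyId (aka institutionId) required'},
                        status=status.HTTP_400_BAD_REQUEST)
    party = Party.objects.filter(partyId=institutionId).first()
    if party is None:
        # %s formatting: a non-string id from a JSON body no longer breaks concatenation
        return Response({'error': 'delete partyId %s failed. partyId not found' % institutionId},
                        status=status.HTTP_400_BAD_REQUEST)
    party.delete()  # credential is being deleted automatically
    return Response({'success': 'delete partyId %s completed' % institutionId},
                    status=status.HTTP_200_OK)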
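def delete(self, request, format=None):
    """Remove the PartyAffiliation between the ``childPartyId`` and ``parentPartyId`` query parameters.

    Returns the serialized child party, or 400 when an id is missing or
    either party is unknown. The original's ``.get()`` lookups raised
    DoesNotExist (HTTP 500) instead of reaching the "cannot find" branches,
    and a missing id raised KeyError.
    """
    if not isPhoenix(self.request):
        return HttpResponse(status=400)
    serializer_class = self.get_serializer_class()
    params = request.GET
    parentPartyId = params.get('parentPartyId')
    childPartyId = params.get('childPartyId')
    if not parentPartyId or not childPartyId:
        return Response({'error': 'does not allow deletion without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    parentParty = Party.objects.filter(partyId=parentPartyId).first()
    if parentParty is None:
        return Response({'error': 'cannot find parent party'},
                        status=status.HTTP_400_BAD_REQUEST)
    childParty = Party.objects.filter(partyId=childPartyId).first()
    if childParty is None:
        return Response({'error': 'cannot find child party'},
                        status=status.HTTP_400_BAD_REQUEST)
    PartyAffiliation.objects.filter(childPartyId=childParty, parentPartyId=parentParty).delete()
    serializer = serializer_class(childParty)
    return Response(serializer.data)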
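def delete(self, request, format=None):
    """Delete the consortium Party named by the ``partyId`` query parameter.

    Ids are read from the query string because some browsers drop the body
    of a DELETE. Per the original note the credential is deleted
    automatically with the party. Returns a success message with 200, or
    400 when the parameter is missing or the party is unknown.
    """
    if not isPhoenix(request):
        # Response() renders the dict as JSON; HttpResponse(dict) emitted
        # only the dict's keys as the body.
        return Response({'error': 'DELETE parties/consortiums/ credentialId and secretKey query parameters missing or invalid'},
                        status=status.HTTP_400_BAD_REQUEST)
    params = request.GET
    if not params:
        return Response({'error': 'does not allow delete without query parameters'},
                        status=status.HTTP_400_BAD_REQUEST)
    if 'partyId' not in params:
        return Response({'error': 'partyId required'},
                        status=status.HTTP_400_BAD_REQUEST)
    consortiumId = params['partyId']
    party = Party.objects.filter(partyId=consortiumId).first()
    if party is None:
        return Response({'error': 'delete partyId ' + consortiumId + ' failed. partyId not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    party.delete()  # credential is being deleted automatically
    return Response({'success': 'delete partyId ' + consortiumId + ' completed'},
                    status=status.HTTP_200_OK)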
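def get_queryset(self):
    """Return the subscriptions of the ``partyId`` query parameter.

    Non-Phoenix callers get an empty list, as do requests that omit
    ``partyId``: previously those filtered on ``partyId=None`` and returned
    every subscription without a party, unlike the sibling get_queryset
    methods which require the parameter.
    """
    if not isPhoenix(self.request):
        return []
    partyId = self.request.GET.get('partyId')
    if partyId is None:
        return []
    return super(SubscriptionCRUD, self).get_queryset().filter(partyId=partyId)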
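def put(self, request, format=None):
    """Update an institution party and/or its ``phoenix`` credential.

    ``partyId`` in the body selects the institution. Body keys that belong
    to ``PartySerializer.Meta.fields`` update the party; keys that belong
    to ``CredentialSerializer.Meta.fields`` update the credential for the
    ``phoenix`` partner, creating it when absent (then ``username`` and
    ``password`` are both required). Returns a JSON list of the saved
    party and/or credential data, or a 400 ``error`` response.
    """
    if not isPhoenix(request):
        # Response rather than HttpResponse: HttpResponse renders a dict as
        # its keys, not as JSON.
        return Response(
            {'error': 'credentialId and secretKey query parameters missing or invalid'},
            status=status.HTTP_400_BAD_REQUEST)
    data = request.data.copy()
    out = []
    if 'partyId' not in data:
        return Response({'error': 'partyId (aka institutionId) required'},
                        status=status.HTTP_400_BAD_REQUEST)
    institutionId = data['partyId']
    try:
        party = Party.objects.get(partyId=institutionId)
    except Party.DoesNotExist:
        # An unknown id used to escape as an unhandled exception (500).
        return Response({'error': 'party ' + str(institutionId) + ' not found'},
                        status=status.HTTP_400_BAD_REQUEST)
    partySerializer = PartySerializer(party, data=data, partial=True)

    # Which side(s) of the record the body touches; key membership only,
    # so hashing the password below does not change these.
    touches_credential = any(param in CredentialSerializer.Meta.fields
                             for param in data if param != 'partyId')
    touches_party = any(param in PartySerializer.Meta.fields
                        for param in data if param != 'partyId')

    credentialSerializer = None
    if touches_credential:
        partner = Partner.objects.get(partnerId='phoenix')
        try:
            credential = Credential.objects.get(partyId=party, partnerId=partner)
        except Credential.DoesNotExist:
            # Narrowed from a bare except, which also hid unrelated failures.
            if not all(param in data for param in ('username', 'password')):
                return Response({'error': 'username and password required.'},
                                status=status.HTTP_400_BAD_REQUEST)
            credential = Credential(partyId=party, partnerId=partner)
        if 'email' in data:
            # NOTE(review): this check does not exclude the institution being
            # updated, so re-sending its own email is rejected — confirm.
            for partyId in Credential.objects.all().filter(
                    email=data['email']).filter(
                    partnerId='phoenix').values_list('partyId', flat=True):
                if Party.objects.all().filter(partyId=partyId).filter(
                        partyType='organization').exists():
                    return Response(
                        {'error': 'This email is already used by another institution.'},
                        status=status.HTTP_400_BAD_REQUEST)
        if 'password' in data:
            if not data['password']:
                return Response({'error': 'password must not be empty'},
                                status=status.HTTP_400_BAD_REQUEST)
            # Unsalted SHA-1 is kept only because the stored digests are
            # presumably verified against it by the login path; it is not a
            # suitable password hash. Migrate both sides together to a
            # salted, slow KDF (Django's password hashers).
            # .encode() matches the sibling handler and avoids passing a
            # text string to hashlib.
            data['password'] = hashlib.sha1(
                data['password'].encode("utf-8")).hexdigest()
            credentialSerializer = CredentialSerializer(
                credential, data=data, partial=True)
        else:
            credentialSerializer = CredentialSerializerNoPassword(
                credential, data=data, partial=True)

    if not partySerializer.is_valid():
        return Response(partySerializer.errors,
                        status=status.HTTP_400_BAD_REQUEST)
    if touches_party:
        partySerializer.save()
        out.append(partySerializer.data)
    if touches_credential:
        if not credentialSerializer.is_valid():
            return Response(credentialSerializer.errors,
                            status=status.HTTP_400_BAD_REQUEST)
        credentialSerializer.save()
        out.append(credentialSerializer.data)
    return HttpResponse(json.dumps(out), content_type="application/json")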
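def post(self, request, format=None):
    """Create an institution party together with its ``phoenix`` credential.

    The body must carry ``partyType`` equal to ``organization``. If
    ``email`` is present it must not already belong to another
    institution's ``phoenix`` credential. ``password`` may be omitted (the
    credential is then created without one) but, when present, must not be
    empty. Returns 201 with a JSON list of the saved party and credential
    data, or 400 with an ``error`` key / serializer errors.
    """
    if not isPhoenix(request):
        # Response rather than HttpResponse: HttpResponse renders a dict as
        # its keys, not as JSON.
        return Response(
            {'error': 'POST parties/institutions/ credentialId and secretKey query parameters missing or invalid'},
            status=status.HTTP_400_BAD_REQUEST)
    data = request.data.copy()
    if 'partyType' not in data:
        return Response({'error': 'POST method needs partyType'},
                        status=status.HTTP_400_BAD_REQUEST)
    if data['partyType'] != "organization":
        return Response(
            {'error': 'POST method. patyType must be organization'},
            status=status.HTTP_400_BAD_REQUEST)
    if 'email' in data:
        for partyId in Credential.objects.all().filter(
                email=data['email']).filter(
                partnerId='phoenix').values_list('partyId', flat=True):
            if Party.objects.all().filter(partyId=partyId).filter(
                    partyType='organization').exists():
                return Response(
                    {'error': 'This email is already used by another institution.'},
                    status=status.HTTP_400_BAD_REQUEST)
    # A password that is passed but empty is an error; not passing one at
    # all is allowed and yields a credential without a password.
    has_password = 'password' in data
    if has_password and not data['password']:
        return Response(
            {'error': 'POST parties/institutions/ password must not be empty'},
            status=status.HTTP_400_BAD_REQUEST)

    partySerializer = PartySerializer(data=data)
    if not partySerializer.is_valid():
        return Response(partySerializer.errors,
                        status=status.HTTP_400_BAD_REQUEST)
    partySerializer.save()
    out = [partySerializer.data]
    data['partyId'] = partySerializer.data['partyId']
    if has_password:
        # Unsalted SHA-1 is kept for compatibility with the stored digests
        # (presumably checked by the login path); it is not a suitable
        # password hash — migrate to a salted, slow KDF together with that
        # path. .encode() matches the sibling handlers.
        data['password'] = hashlib.sha1(
            data['password'].encode("utf-8")).hexdigest()
        credentialSerializer = CredentialSerializer(data=data)
    else:
        credentialSerializer = CredentialSerializerNoPassword(data=data)
    if not credentialSerializer.is_valid():
        # NOTE(review): the party row is already saved here, so a rejected
        # credential leaves an institution without one. A transaction around
        # both saves would avoid that; unchanged because it needs a new import.
        return Response(credentialSerializer.errors,
                        status=status.HTTP_400_BAD_REQUEST)
    credentialSerializer.save()
    out.append(credentialSerializer.data)
    return HttpResponse(json.dumps(out), content_type="application/json",
                        status=status.HTTP_201_CREATED)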
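def put(self, request, format=None):
    """Partially update the credential selected by the query string.

    The record comes from ``get_queryset()``; a ``str`` result from it is
    treated as an error message and returned with 400. A ``password`` in
    the body is stored as a SHA-1 hex digest (for partner ``cipres`` it is
    first decrypted with ``AESCipher``). For ``cipres`` a ``countryCode``
    updates the linked party's country; a ``name`` updates the party name.
    Returns the (mutated) request data with 200, or serializer errors
    with 400.
    """
    # TODO: security risk here, get username based on the partyId verified in isPhoenix -SC
    if not isPhoenix(self.request):
        return Response(status=status.HTTP_400_BAD_REQUEST)
    serializer_class = self.get_serializer_class()
    queryResult = self.get_queryset()
    if isinstance(queryResult, str):
        return Response({'error': queryResult},
                        status=status.HTTP_400_BAD_REQUEST)
    obj = queryResult.first()  # reuse the queryset instead of building it twice
    if not obj:
        return Response({'error': 'cannot find any record.'},
                        status=status.HTTP_404_NOT_FOUND)
    # request.data is immutable; work on a copy (PW-123).
    data = request.data.copy()
    partnerId = self.request.GET.get('partnerId')
    if partnerId is None:
        # Previously a KeyError (500) when the parameter was absent.
        return Response({'error': 'partnerId query parameter required'},
                        status=status.HTTP_400_BAD_REQUEST)

    # CIPRES-13: the cipres partner sends the password encrypted.
    if 'password' in data:
        if partnerId == 'cipres':
            cipher = AESCipher()
            try:
                decryptedPassword = cipher.decrypt(data['password'])
            except Exception:
                # The cipher's exception text is deliberately not echoed:
                # decryption failure details should not reach the client.
                return Response({'error': 'Cannot parse password'},
                                status=status.HTTP_400_BAD_REQUEST)
            plain = decryptedPassword.encode(cipher.charset)
        else:
            plain = data['password'].encode("utf-8")
        # Unsalted SHA-1 is kept for compatibility with the stored digests
        # (presumably checked by the login path); it is not a suitable
        # password hash — migrate both sides together to a salted, slow KDF.
        data['password'] = hashlib.sha1(plain).hexdigest()
    # CIPRES-13 end

    # CIPRES-26: Allow update of country code
    if partnerId == 'cipres' and 'countryCode' in data:
        try:
            country = Country.objects.get(abbreviation=data['countryCode'])
        except (Country.DoesNotExist, Country.MultipleObjectsReturned) as e:
            # Narrowed to the lookup failures; other errors are no longer
            # reported as "Cannot find country".
            return Response({'error': 'Cannot find country: ' + str(e)},
                            status=status.HTTP_400_BAD_REQUEST)
        partySerializer = PartySerializer(
            obj.partyId, data={'country': country.countryId}, partial=True)
        # An invalid country update is skipped silently, as before.
        if partySerializer.is_valid():
            partySerializer.save()
    # CIPRES-26 end

    serializer = serializer_class(obj, data=data, partial=True)
    if not serializer.is_valid():
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
    serializer.save()
    # Update party info: the party row is only needed when a name was sent.
    if 'partyId' in serializer.data and 'name' in data:
        partyObj = Party.objects.all().get(partyId=serializer.data['partyId'])
        partySerializer = PartySerializer(
            partyObj, data={'name': data['name']}, partial=True)
        if partySerializer.is_valid():
            partySerializer.save()
    if 'password' in data:
        # PW-254 and YM: TAIR-2493 — loginKey is derived from the digest
        # stored above, not from the plaintext.
        data['loginKey'] = generateSecretKey(str(obj.partyId.partyId),
                                             data['password'])
    # NOTE(review): the whole body is echoed back, including the password
    # digest and loginKey — confirm the client actually needs them.
    return Response(data, status=status.HTTP_200_OK)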
def get_queryset(self):
    """Consortium party matching the ``partyId`` query parameter.

    Returns ``[]`` when the request fails the partner check or carries no
    ``partyId`` (PW-161 consortium).
    """
    if not isPhoenix(self.request):
        return []
    query = self.request.GET
    if 'partyId' not in query:
        return []
    base = super(ConsortiumCRUD, self).get_queryset()
    return base.filter(partyId=query.get('partyId')).filter(partyType="consortium")
def get_queryset(self):
    """Institution (``organization``) party matching the ``partyId`` query
    parameter.

    Returns ``[]`` when the request fails the partner check or carries no
    ``partyId``.
    """
    if not isPhoenix(self.request):
        return []
    query = self.request.GET
    if 'partyId' not in query:
        return []
    base = super(InstitutionCRUD, self).get_queryset()
    return base.filter(partyId=query.get('partyId')).filter(partyType="organization")