class AuthHelper:
AUTHENTICATION_ERROR = CustomAPIException('auth',
'Authentication failure.',
status.HTTP_403_FORBIDDEN)
AUTHORIZATION_ERROR = CustomAPIException('auth',
'Authorization failure.',
status.HTTP_401_UNAUTHORIZED)
@classmethod
def authenticate(cls, username, token):
try:
user = User.objects.get(username=username)
except (User.DoesNotExist, ValueError):
raise cls.AUTHENTICATION_ERROR
try:
tokens_match = bcrypt.checkpw(
bytes(user.username, 'utf-8') + user.password,
bytes(token, 'utf-8')
)
if not tokens_match:
raise cls.AUTHENTICATION_ERROR
except ValueError:
raise cls.AUTHENTICATION_ERROR
return user
@classmethod
def authorize(cls, user, team_id):
if not user.is_admin:
raise cls.AUTHORIZATION_ERROR
if user.team_id != team_id:
raise cls.AUTHORIZATION_ERROR
def validate(self, attrs):
user = attrs.get('user')
valid_token = bytes(user.username, 'utf-8') + user.password
match = bcrypt.checkpw(valid_token,
bytes(attrs.get('auth_token'), 'utf-8'))
if not match:
raise AuthHelper.AUTHENTICATION_ERROR
board_id = attrs.get('board_id')
if board_id:
try:
board = user.board_set.get(id=board_id)
except Board.DoesNotExist:
raise AuthHelper.AUTHORIZATION_ERROR
else:
board = user.board_set.all().first()
if not board:
err_detail = ('Please ask your team admin to add you to a board '
'and try again.')
raise CustomAPIException('board', err_detail,
status.HTTP_400_BAD_REQUEST)
if board.team_id != user.team_id:
raise AuthHelper.AUTHORIZATION_ERROR
return {'user': user, 'board': board}
def update(self, instance, validated_data):
board_tasks = Task.objects.filter(column__board_id=instance.board_id)
for task in validated_data.get('tasks'):
try:
task_id = task.pop('id')
except KeyError:
raise CustomAPIException('task.id',
'Task ID cannot be empty.',
status.HTTP_400_BAD_REQUEST)
existing_task = board_tasks.get(id=task_id)
user = validated_data.get('user')
if not user.is_admin \
and task.get('user') != user.username \
and instance.id != existing_task.column_id:
raise AuthHelper.AUTHORIZATION_ERROR
serializer = TaskSerializer(existing_task,
data={**task, 'column': instance.id},
partial=True)
if serializer.is_valid():
serializer.save()
else:
raise serializer.errors
return instance
def validate(self, attrs):
user = attrs.get('username')
pw_bytes = bytes(attrs.get('password'), 'utf-8')
if not bcrypt.checkpw(pw_bytes, bytes(user.password)):
raise CustomAPIException('password', 'Invalid password.',
status.HTTP_400_BAD_REQUEST)
return user
def validate_username(value):
try:
User.objects.get(username=value)
except User.DoesNotExist:
return value
raise CustomAPIException('username', 'Username already exists.',
status.HTTP_400_BAD_REQUEST)
def validate(self, attrs):
user = AuthHelper.authenticate(attrs.get('auth_user'),
attrs.get('auth_token'))
board = attrs.get('board')
if len(board.team.board_set.all()) <= 1:
raise CustomAPIException(
'board', 'You cannot delete the last remaining board.',
status.HTTP_400_BAD_REQUEST)
AuthHelper.authorize(user, board.team_id)
return board
def validate(self, attrs):
authenticated_user = AuthHelper.authenticate(attrs.pop('auth_user'),
attrs.pop('auth_token'))
user = attrs.get('user')
AuthHelper.authorize(authenticated_user, user.team_id)
if user.is_admin:
raise CustomAPIException(
'username', 'Admins cannot be deleted from their teams.',
status.HTTP_403_FORBIDDEN)
return user
def validate(self, attrs):
password_confirmation = attrs.pop('password_confirmation')
if password_confirmation != attrs.get('password'):
raise CustomAPIException('password_confirmation',
'Confirmation must match the password.',
status.HTTP_400_BAD_REQUEST)
invite_code = attrs.get('invite_code')
if invite_code:
try:
attrs['team'] = Team.objects.get(invite_code=invite_code)
except Team.DoesNotExist:
raise CustomAPIException('invite_code', 'Team not found.',
status.HTTP_400_BAD_REQUEST)
attrs['is_admin'] = False
attrs.pop('invite_code')
else:
attrs['is_admin'] = True
return super().validate(attrs)
def validate(self, attrs):
authenticated_user = AuthHelper.authenticate(attrs.pop('auth_user'),
attrs.pop('auth_token'))
board = attrs.get('board')
try:
user = board.team.user_set.get(username=attrs.get('username'))
except User.DoesNotExist:
raise CustomAPIException('username', 'User not found.',
status.HTTP_404_NOT_FOUND)
AuthHelper.authorize(authenticated_user, user.team_id)
self.instance = {
'user': user,
'board': board,
'is_active': attrs.get('is_active')
}
return attrs
def validate_order(value):
if value == '' or value is None or not value:
raise CustomAPIException('order', 'Order cannot be empty.',
status.HTTP_400_BAD_REQUEST)
def validate_done(value):
if value == '' or value is None or not value:
raise CustomAPIException('done', 'Done cannot be empty.',
status.HTTP_400_BAD_REQUEST)
def validate_title(value):
if not value:
raise CustomAPIException('title', 'Title cannot be empty.',
status.HTTP_400_BAD_REQUEST)