class ChangeViewSet(InstanceBasedMixin, NestedViewSetMixin,
redis_views.ReadOnlyModelViewSet):
model = Change
serializer_class = ChangeSerializer
permission_classes = (
Or(
AdminHasPermissions,
And(
IsApiKeyAccess,
Or(
IsApiKeyIgnoringAcl,
# Force access when allow anonymous read
IsApiKeyAllowingAnonymousRead,
And(HasUser, HasChannelSubscribePermission)))),
EnsureChannelRoom,
OwnerInGoodStanding,
)
def initial(self, request, *args, **kwargs):
self.room, self.last_id = get_from_request_query_params(
self.request, 'room', 'last_id')
if self.last_id:
try:
self.last_id = int(self.last_id) + 1
except ValueError:
self.last_id = None
return super().initial(request, *args, **kwargs)
def list(self, request, *args, **kwargs):
if self.last_id:
self.kwargs['min_pk'] = self.last_id
self.kwargs['room'] = self.room
return super().list(request, *args, **kwargs)
class ApplicationView(PermissionClassesMixin, SidebarContextMixin,
UserContextMixin, FormView):
template_name = 'application/application.html'
form_class = ApplicationForm
active_tab = 'application'
permission_classes = [
And(Or(IsSubmitted, IsIncomplete, And(IsHacker, IsVerified)),
RegistrationOpen)
]
def form_valid(self, form):
form.save(hacker=self.request.user.profile.hacker)
return super().form_valid(form)
def get_success_url(self):
messages.add_message(self.request, messages.SUCCESS,
"Aplicação enviada!")
return reverse_lazy('dashboard:index')
def get_form_kwargs(self):
"""Return the keyword arguments for instantiating the form."""
kwargs = super().get_form_kwargs()
hacker = self.request.user.profile.hacker
kwargs['instance'] = getattr(hacker, 'application', None)
return kwargs
def get_initial(self):
initial = super().get_initial()
initial['first_name'] = self.request.user.first_name
initial['last_name'] = self.request.user.last_name
initial['email'] = self.request.user.email
return initial
class PollDetail(APIView):
permission_classes = [
Or(IsGetRequest, And(IsPutRequest, IsAdminUser),
And(IsDeleteRequest, IsAdminUser))
]
def get_object(self, pk, is_admin_user=True):
polls = get_polls_by_user_perm(is_admin_user)
try:
return polls.get(pk=pk)
except Poll.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
# админ может просматривать любые опросы, а пользователь
# только опубликованные
poll = self.get_object(pk, is_admin(request.user))
serializer = ReadPollSerializer(poll)
return Response(serializer.data)
def put(self, request, pk, format=None):
poll = self.get_object(pk)
serializer = UpdatePollSerializer(poll, data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def delete(self, request, pk, format=None):
poll = self.get_object(pk)
poll.delete()
return Response(status=status.HTTP_204_NO_CONTENT)
class MeetingViewSet(viewsets.ModelViewSet):
serializer_class = MeetingSerializer
queryset = Meeting.objects.all()
permission_classes = [
Or(
And(
IsSafeMethod,
IsPublic,
),
And(
IsSafeMethod,
Not(IsPrivate),
IsMeetingClient,
),
IsMeetingHost,
IsAdminUser,
)
]
def get_queryset(self):
user = self.request.user
if IsClient:
return Meeting.objects.filter(Q(private=False),
Q(public=True) | Q(clients=user.id))
elif IsHost:
return Meeting.objects.filter(Q(hosts=user.id) | Q(public=True))
elif IsSuperUser:
return Meeting.objects.all()
else:
return Meeting.objects.filter(public=True)
class BaseDeviceViewSet(InstanceBasedMixin,
DetailSerializerMixin,
SendPushMessageMixin,
viewsets.ModelViewSet):
filter_backends = (DjangoFilterBackend, )
permission_classes = (
OwnerInGoodStanding,
Or(
# Check admin permissions first
AdminHasPermissions,
And(
# Otherwise when we're dealing with api key access
IsApiKeyAccess,
Or(
# Force access when ignoring acl
IsApiKeyIgnoringAcl,
# Force access when allow annonymous read
IsApiKeyAllowingAnonymousRead,
And(
# Or if user is associated - check relevant Device permissions
HasUser,
HasDevicePermission,
)
)
)
)
)
def get_queryset(self):
queryset = super().get_queryset()
if self.request.auth and not self.request.auth.ignore_acl and self.request.auth_user:
queryset = queryset.filter(user=self.request.auth_user)
return queryset
class TeamViewset(PrefetchQuerysetModelMixin, mixins.CreateModelMixin,
mixins.UpdateModelMixin, mixins.RetrieveModelMixin,
viewsets.GenericViewSet):
permission_classes = [
Or(
And(IsPostRequest, IsCheckedin,
EventIsHappening), # Creating new teams
And(IsGetRequest, IsCheckedin, IsTeamMember), # Getting teams
And(IsPutPatchRequest, EventIsHappening,
IsTeamMember) # Updating teams
)
]
queryset = Team.objects.all()
serializer_class = SimpleTeamSerializer
@action(methods=['post'], detail=False)
def leave_team(self, request):
hacker = request.user.profile.hacker
team = getattr(hacker, 'team', None)
if team:
team.remove_hacker(hacker)
if len(team.members) == 0:
team.delete()
return Response(status=200)
@action(methods=['get'], detail=False)
def current_team(self, request):
hacker = request.user.profile.hacker
team = hacker.team
serializer = self.get_serializer_class()(team)
data = serializer.data
return Response(data)
class PhotoUploadViewSet(ModelViewSet):
# curl --verbose --header "Authorization:
# jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiMTViY2UwOTA0IiwidXNlcm5hbWUiOiIxNWJjZTA5MDQiLCJleHAiOjE1MjE2NTYzMTEsImVtYWlsIjoiIiwicmVnaXN0cmF0aW9uX251bWJlciI6IjE1YmNlMDkwNCJ9.tVh7p2d-FGlHu-Foh-6ox7BSHo7MNvI15FZbayn7rhE"
# --header "Accept: application/json; indent=4" --request POST
# --form img=@/Users/bhavesh/Pictures/maxresdefault.jpg http://localhost:8000/api/upload/; echo
queryset = Photo.objects.all()
course_queryset = Course.objects.all()
serializer_class = PhotoSerializer
parser_classes = (
MultiPartParser,
FormParser,
)
permission_classes = [
Or(
And(
Or(custom_permissions.IsGet, custom_permissions.IsHead,
custom_permissions.IsOptions, custom_permissions.IsPost),
permissions.IsAuthenticated),
And(
Or(custom_permissions.IsDelete, custom_permissions.IsPatch,
custom_permissions.IsPut),
custom_permissions.IsPhotoOwner,
),
)
]
def get_queryset(self):
user = self.request.user
qs = super().get_queryset()
if user.is_teacher:
return qs.filter(course__teacher=user.teacher)
return qs.filter(student=user.student)
def perform_create(self, serializer):
print('User is in perform_create=', self.request.user)
user = self.request.user
# print('In PhotoUploadViewSet. serializer=', serializer)
_id = self.request.data.get('id')
# identification = get_unique_identificaton(serializer)
if user.is_teacher:
teacher = user.teacher
course = get_object_or_404(self.course_queryset,
teacher=teacher,
id=_id)
obj = serializer.save(course=course,
img=self.request.data.get('img'))
else:
print('Student', user.student)
obj = serializer.save(student=user.student,
img=self.request.data.get('img'))
process_photo.delay(obj.id)
class EventViewset(PrefetchQuerysetModelMixin, viewsets.ModelViewSet):
"""Event
Get all events and their basic data
authenticated can read, admin can edit
"""
serializer_class = EventSerializer
queryset = Event.objects.all()
permission_classes = [
Or(And(CanAttendEvents, And(IsAuthenticated, IsReadyOnlyRequest)),
IsAdmin)
]
class PostDetails(generics.RetrieveUpdateDestroyAPIView, PostRetriever):
permission_classes = (IsAuthenticated,
Or(
RequestIsReadOnly,
And(RequestIsUpdate, UserIsPostAuthor),
And(RequestIsDelete,
Or(UserIsPostAuthor, UserIsSuperuser))))
serializer_class = PostContentSerializer
def get_object(self):
return self.post_instance
class UserViewSet(AutocompleteMixin,
AtomicMixin,
InstanceBasedMixin,
SignalSenderModelMixin,
viewsets.ModelViewSet):
model = User
queryset = User.objects.prefetch_related('groups')
serializer_class = UserFullSerializer
user_serializer_class = UserFullSerializer
data_serializer_class = DataObjectSerializer
autocomplete_field = 'username'
permission_classes = (
Or(
AdminHasPermissions,
And(
IsApiKeyAccess,
Or(
IsApiKeyIgnoringAcl,
And(HasUser, ApiKeyHasPermissions),
HasCreateUserPermission
)
)
),
OwnerInGoodStanding,
)
def initial(self, request, *args, **kwargs):
initial = super().initial(request, *args, **kwargs)
self.klass = Klass.get_user_profile()
DataObject.load_klass(self.klass)
return initial
def get_queryset(self):
base_query = super().get_queryset()
if self.request.auth and self.request.auth_user:
return base_query.filter(pk=self.request.auth_user.id)
return base_query
def get_object(self):
obj = super().get_object()
# get profile for deletions to work with triggers
obj.profile = obj._profile_cache = DataObject.objects.filter(_klass=self.klass, owner=obj).get()
return obj
@detail_route(methods=['post'], serializer_class=Serializer)
def reset_key(self, request, *args, **kwargs):
user = self.get_object()
user.reset()
return Response(data=self.user_serializer_class(user,
context=self.get_serializer_context()).data)
class PermissionTeacherStudentMixin:
permissions_classes = [
Or(
And(
Or(custom_permissions.IsGet, custom_permissions.IsHead,
custom_permissions.IsOptions), permissions.IsAuthenticated),
And(
# If the method is post, permission will always be denied. Since Teacher Model extends from User model
custom_permissions.IsPost,
custom_permissions.NoPermission),
And(
Or(custom_permissions.IsPatch, custom_permissions.IsPut,
custom_permissions.IsDelete), custom_permissions.IsOwner))
]
class InvitationList(generics.ListCreateAPIView):
queryset = Invitation.objects.all()
serializer_class = InvitationSerializer
permission_classes = (Or(permissions.IsAdminUser,
And(IsHostOfPartyWithParam, Not(IsGetRequest))), )
# this is a hook, called when creating an instance
# we need to override this method as we are writing to a ReadOnlyField
# this is easier than overriding the entire post method
def perform_create(self, serializer):
invitee_facebook_id = self.request.data.get('invitee_facebook_id')
if invitee_facebook_id is None:
raise ValidationError("'invitee_facebook_id' was not provided.")
invitee = lookup_user_with_facebook_id(invitee_facebook_id)
party_id = self.request.data.get('party_id')
party = Party.objects.get(pk=party_id)
"""
Not the best solution... but to avoid internal server error when unique_together on Invitation model fails
"""
potential_conflict = Invitation.objects.filter(invitee=invitee,
party=party)
if len(potential_conflict) > 0:
raise ValidationError("The invitee, party pair exists already.")
serializer.save(invitee=invitee, party=party)
class PaymentView(
PermissionClassesMixin,
RedirectView):
http_method_names = ['get']
permanent = False
permission_classes = [And(CanConfirm, IsUnpayed)]
def get_redirect_url(self, *args, **kwargs):
sett = Settings.get()
if not sett.require_payment:
add_message(self.request, ERROR, 'Pagamentos desabilitados')
return '/'
item = PagSeguroItem(
id='1',
description=f'Ingresso para {settings.EVENT_NAME}',
amount=f'{sett.ticket_price}',
quantity=1
)
reference = get_random_string(length=32)
api = PagSeguroApi(reference=reference)
api.add_item(item)
checkout = api.checkout()
if checkout['success']:
hacker = self.request.user.profile.hacker
hacker.transaction_reference = reference
hacker.save()
return checkout['redirect_url']
else:
add_message(self.request, ERROR, 'Erro ao criar pedido de pagamento. Tente novamente mais tarde.')
return '/'
class DefaultMixin(object):
"""
Default settings for authentication, authorization and filering. We support 3 types of authentication
1. Basic authentication sending username/password in every request
2. Token authentication, for retriving a token from auth API
3. Session authentication
Users are required to be authenticated
We allow filtering using arguments and ordering using ordering keyword
Permissions are asigned based on objects and affiliations.
"""
#max_paginate_by = 500
paginate_by = 50
paginate_by_param = 'page_size'
authentication_classes = (authentication.SessionAuthentication,
authentication.BasicAuthentication,
authentication.TokenAuthentication)
filter_backends = (
filters.DjangoFilterBackend,
filters.SearchFilter,
filters.OrderingFilter,
filters.DjangoObjectPermissionsFilter,
)
permission_classes = [
And(permissions.IsAuthenticated, IsAssociatedWithTenant),
ObjectPermissions
]
class InstanceConfigView(InstanceBasedMixin, generics.RetrieveAPIView,
generics.UpdateAPIView):
serializer_class = InstanceConfigSerializer
model = Instance
queryset = Instance.objects.all()
permission_classes = (
Or(And(permissions.IsAuthenticated, ProtectInstanceAccess),
ApiKeyHasPermissions),
OwnerInGoodStanding,
)
def get_queryset(self):
base_query = super().get_queryset()
if self.request.user.is_authenticated:
return base_query.filter(admin_roles__admin=self.request.user)
elif self.request.auth:
return base_query.filter(pk=self.request.auth.instance_id)
raise PermissionDenied()
def get_object(self):
try:
obj = self.get_queryset().get(pk=self.request.instance.pk)
except Instance.DoesNotExist:
raise Http404
self.check_object_permissions(self.request, obj)
return obj
class KlassViewSet(EndpointAclMixin, v1_views.KlassViewSet):
serializer_class = KlassSerializer
serializer_detail_class = KlassDetailSerializer
permission_classes = (
OwnerInGoodStanding,
And(
ProtectUserProfileKlass,
Or(
# Check admin permissions
AdminHasPermissions,
# Check API Key ACL
CheckAclPermission,
),
),
)
endpoint_acl_object_field = 'klasses_acl'
def get_queryset(self):
base_query = super(
v1_views.KlassViewSet,
self).get_queryset().filter(visible=True).filter_acl(self.request)
if self.request.method in permissions.SAFE_METHODS:
return base_query.include_object_count()
return base_query
class CommentDetails(generics.RetrieveUpdateDestroyAPIView, CommentRetriever):
permission_classes = (IsAuthenticated,
Or(
RequestIsReadOnly,
And(
RequestIsUpdate,
UserIsCommentAuthor,
),
And(RequestIsDelete,
Or(UserIsCommentAuthor, UserIsStaff))))
serializer_class = CommentSerializer
def get_object(self):
return self.comment_instance
class InstanceViewSet(AutocompleteMixin, AtomicMixin, DetailSerializerMixin,
RenameNameViewSetMixin, viewsets.ModelViewSet):
model = Instance
queryset = Instance.objects.all()
lookup_field = 'name'
serializer_class = InstanceSerializer
serializer_detail_class = InstanceDetailSerializer
permission_classes = (
Or(And(permissions.IsAuthenticated, ProtectInstanceAccess),
ApiKeyHasPermissions),
InstanceAccessAdminInGoodStanding,
InstanceLocationMatch,
)
def get_queryset(self):
base_query = super().get_queryset().select_related('owner')
if self.request.user.is_authenticated:
return base_query.filter(
admin_roles__admin=self.request.user).extra(
select={'role': '"admins_admininstancerole"."role_id"'})
elif self.request.auth:
return base_query.filter(pk=self.request.auth.instance_id)
raise PermissionDenied()
def perform_create(self, serializer):
# Lock on admin for the duration of transaction to avoid race conditions
admin = Admin.objects.select_for_update().get(pk=self.request.user.id)
instances_limit = AdminLimit.get_for_admin(
self.request.user.id).get_instances_count()
if Instance.objects.filter(owner=admin).count() >= instances_limit:
raise InstanceCountExceeded(instances_limit)
serializer.save()
class UndoWithdraw(views.APIView):
permission_classes = [And(IsWithdraw, CanConfirm)]
def post(self, request):
hacker = request.user.profile.hacker
hacker.admit(False)
return views.Response({'message': 'Desistência desfeita', 'state': hacker.profile.state})
class BlogViewSet(viewsets.ModelViewSet):
""" ViewSet for viewing and editing Blog objects """
queryset = Blog.objects.all().order_by("-uploaded_time")
serializer_class = BlogSerializer
permission_classes = (Or(And(ApiTokenPermissions, IsListOrRetrieve),
IsAuthenticated), )
filter_backends = (filters.SearchFilter, )
search_fields = ('category', )
class ConfirmPresence(views.APIView):
permission_classes = [And(IsAdmitted, CanConfirm)]
def post(self, request):
hacker = request.user.profile.hacker
hacker.confirm()
return views.Response({'message': 'Presença confirmada', 'state': hacker.profile.state})
class UserMembershipViewSet(MembershipViewSet):
serializer_class = UserMembershipSerializer
permission_classes = (
Or(AdminHasPermissions, And(ApiKeyHasPermissions, IsMembershipForCurrentUser)),
OwnerInGoodStanding,
)
lookup_field = 'group_id'
def get_queryset(self):
return super().get_queryset().select_related('group')
class PeriodDetailView(generics.RetrieveUpdateDestroyAPIView):
permission_classes = [
And(
permissions.IsAuthenticated,
IsPeriodOwner # Period object does not contain .user attribute,
# Period.subject contains user attribute.
)
]
serializer_class = serializers.PeriodSerializer
queryset = models.Period.objects
class ListViewSet(viewsets.ModelViewSet):
queryset = List.objects.all()
serializer_class = ListSerializer
permission_classes = (Or(IsSafeMethod, permissions.IsAdminUser,
And(IsPurchase, permissions.IsAuthenticated)), )
@action(detail=True, methods=['POST'])
def purchase(self, request, *args, **kwargs):
list = self.get_object()
user = request.user
if list.price > user.point:
return Response(status=status.HTTP_402_PAYMENT_REQUIRED)
user.point -= list.price
user.save()
try:
user_mon = UserMonster.objects.get(user=user, list=list)
except UserMonster.DoesNotExist:
user_mon = UserMonster(user=user, list=list)
# user_mon = UserMonster(user=user, list=list)
user_mon.count += 1
user_mon.save()
serializer = UserMonsterSerializer(
user.monsters.all(),
many=True,
context=self.get_serializer_context())
return Response(serializer.data)
@action(detail=False, methods=['POST'], url_path='purchase')
@transaction.atomic()
def purchase_mons(selfs, request, *args, **kwargs):
mons = request.data['mons']
user = request.user
sid = transaction.savepoint()
for i in mons:
list = List.objects.get(id=i['mon_id'])
count = int(i['count'])
if list.price * count > user.point:
transaction.savepoint_rollback(sid)
return Response(status=status.HTTP_402_PAYMENT_REQUIRED)
user.point -= list.price
user.save()
try:
user_mon = UserMonster.objects.get(user=user, list=list)
except UserMonster.DoesNotExist:
user_mon = UserMonster(user=user, list=list)
# user_mon = UserMonster(user=user, list=list)
user_mon.count += count
user_mon.save()
transaction.savepoint_commit(sid)
serializer = UserMonsterSerializer(user.monsters.all(), many=True)
return Response(serializer.data)
class RequestViewSet(AbstractCramsRequestViewSet):
"""
class RequestViewSet
"""
permission_classes = [
And(IsCramsAuthenticated, Or(IsProjectContact, IsRequestApprover))
]
queryset = Request.objects.all()
serializer_class = CramsRequestSerializer
ordering_fields = ('project', 'creation_ts')
ordering = ('project', '-creation_ts')
class AttendanceDetailView(generics.RetrieveUpdateDestroyAPIView):
permission_classes = [
And(
permissions.IsAuthenticated,
IsAttendanceOwner # Attendance object does not contain .user attribute,
# Attendance.subject contains user attribute.
)
]
serializer_class = serializers.AttendanceSerializer
queryset = models.Attendance.objects
class BaseLineUploadDetailView(generics.RetrieveUpdateDestroyAPIView):
serializer_class = serializers.FileUploadSerializer
queryset = FileUpload.objects.all()
permission_classes = [
And(
Or(IsGet, IsDelete),
permissions.IsAuthenticated,
IsAllowedToUpload,
IsTaskOwner,
)
]
class AuthorViewSet(ViewSet):
authentication_classes = [
BearerTokenAuthentication,
]
permission_classes = [Or(And(IsAuthenticated, IsAuthor), IsSuperAdmin)]
def create_author(self):
return
def get_my_details(self, request):
return JsonResponse({'message': 'Get detail.'})
class SuggestionViewSet(viewsets.ModelViewSet):
serializer_class = SuggestionSerializer
queryset = Suggestion.objects.all()
permission_classes = [
Or(
And(IsSafeMethod, IsPublic),
And(
IsPOST,
IsClient,
),
And(
Or(IsChange, IsDELETE),
IsOwner,
),
IsAdminUser,
IsMeetingHost,
)
]
def perform_create(self, serializer):
serializer.save(owner=self.request.user)
class BaseLineUpload(generics.ListCreateAPIView):
serializer_class = serializers.FileUploadSerializer
queryset = FileUpload.objects.all()
pagination_class = FileUploadLimitOffsetPagination
# TODO: UPDATE PERMISSIONS
permission_classes = [
Or(
And(IsGet, permissions.IsAuthenticated),
And(IsPost, permissions.IsAuthenticated, IsAllowedToUpload),
)
]
def get_queryset(self):
return self.queryset.filter(user=self.request.user)
def perform_create(self, serializer):
obj = serializer.save(user=self.request.user)
task = import_to_db.delay(obj.id)
# Set the task id
obj.task_id = task.task_id
obj.save()
