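    def test_other_user_cannot_view_or_edit(self):
        """A user with no ProjectAccess row can neither view nor edit.

        Creates a throwaway user, asserts that both ``UserAccess`` checks
        fail for ``self.project``, and removes the user again.
        """
        # NOTE(review): objects.create() stores the password value verbatim;
        # if this is django.contrib.auth's User, create_user() would hash it.
        # Harmless in a test, but confirm. create() already persists the row,
        # so no extra save() is needed.
        other = User.objects.create(username='******', password='******')

        try:
            other_access = UserAccess(other)
            self.assertFalse(other_access.can_view(self.project))
            self.assertFalse(other_access.can_edit(self.project))
        finally:
            # Cleanup runs even when an assertion fails, so a failure here
            # does not leak the user into later tests.
            other.delete()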
 def retrieve(self, request, pk=None):
     """Return one post, or 404 when the caller may not view its project.

     No-access and not-found both answer 404, presumably so that an
     unauthorised caller cannot confirm that a post id exists.
     """
     post = get_object_or_404(self.queryset, pk=pk)
     if not UserAccess(request.user).can_view(post.project):
         return Response(status=status.HTTP_404_NOT_FOUND)

     payload = self.serializer_class(post).data
     return Response(payload, status=status.HTTP_200_OK)
 def delete(self, request, pk=None):
     """Delete one post; requires edit access on the post's project.

     Returns 204 on success and 404 both when the post is missing and when
     the caller lacks edit access (the two cases are not distinguished).
     """
     post = get_object_or_404(self.queryset, pk=pk)
     if not UserAccess(request.user).can_edit(post.project):
         return Response(status=status.HTTP_404_NOT_FOUND)

     post.delete()
     return Response(status=status.HTTP_204_NO_CONTENT)
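    def test_user_with_view_can_view_but_not_edit(self):
        """A ProjectAccess row with ``can_edit=False`` grants view only.

        Creates a throwaway user with a view-only access row on
        ``self.project`` and checks ``UserAccess`` reports view but not edit.
        """
        # NOTE(review): objects.create() stores the password verbatim; if this
        # is django.contrib.auth's User, create_user() would hash it. Both
        # create() calls already persist, so the extra save() calls were dropped.
        user_with_view = User.objects.create(username='******', password='******')
        ProjectAccess.objects.create(user=user_with_view,
                                     project=self.project,
                                     can_edit=False)

        try:
            viewer = UserAccess(user_with_view)
            self.assertTrue(viewer.can_view(self.project))
            self.assertFalse(viewer.can_edit(self.project))
        finally:
            # Runs even on assertion failure. The ProjectAccess row is
            # presumably removed by cascade with the user -- not verified here.
            user_with_view.delete()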
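    def test_user_with_edit_can_view_and_edit(self):
        """A ProjectAccess row with ``can_edit=True`` grants view and edit.

        Creates a throwaway user with an edit access row on ``self.project``
        and checks ``UserAccess`` reports both permissions.
        """
        # NOTE(review): objects.create() stores the password verbatim; if this
        # is django.contrib.auth's User, create_user() would hash it. Both
        # create() calls already persist, so the extra save() calls were dropped.
        user_with_edit = User.objects.create(username='******', password='******')
        ProjectAccess.objects.create(user=user_with_edit,
                                     project=self.project,
                                     can_edit=True)

        try:
            editor = UserAccess(user_with_edit)
            self.assertTrue(editor.can_view(self.project))
            self.assertTrue(editor.can_edit(self.project))
        finally:
            # Runs even on assertion failure. The ProjectAccess row is
            # presumably removed by cascade with the user -- not verified here.
            user_with_edit.delete()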
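    def to_representation(self, project):
        """Serialize ``project`` and, when a user is in context, add ``can_edit``.

        ``can_edit`` is only a hint for clients; the write endpoints still
        enforce ``UserAccess.can_edit`` server-side. When ``self.context``
        has no ``'user'`` key the field is omitted entirely.
        """
        d = super().to_representation(project)

        # Restrict the "missing key" handling to the context lookup itself:
        # wrapping the permission call in ``except KeyError`` as well would
        # silently swallow a KeyError raised inside UserAccess.can_edit().
        if 'user' not in self.context:
            return d

        user_proxy = UserAccess(self.context['user'])
        d['can_edit'] = bool(user_proxy.can_edit(project))
        return d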
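 def update(self, request, pk=None):
     """Partially update a tag; the caller needs edit access on its project.

     ``project`` is stripped from the payload so a tag cannot be moved to
     another project: only the tag's *current* project is checked, so an
     accepted ``project`` value would bypass that check. Returns 200 with the
     updated tag, 400 with serializer errors, or 404 when the tag is missing
     or the caller may not edit it (deliberately indistinguishable).
     """
     tag = get_object_or_404(self.queryset, pk=pk)
     if not UserAccess(request.user).can_edit(tag.project):
         return Response(status=status.HTTP_404_NOT_FOUND)

     # Work on a copy: request.data is an immutable QueryDict for form
     # submissions (pop() raises on it), and mutating the request in place
     # is surprising to anything else that reads it later.
     data = request.data.copy()
     data.pop('project', None)  # not allowed to change project

     serializer = self.serializer_class(tag, data=data, partial=True)
     if not serializer.is_valid():
         return Response(serializer.errors,
             status=status.HTTP_400_BAD_REQUEST)
     serializer.save()
     return Response(serializer.data, status=status.HTTP_200_OK)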
    def get_project_access(self, request, project):
        """List every ProjectAccess row of ``project`` for a caller who can view it.

        Returns 404 when the caller lacks view access, otherwise 200 with the
        serialized access rows.

        NOTE(review): any viewer can enumerate all users who have access to
        the project (and their can_edit flags). Confirm that disclosure is
        intended rather than restricting this to editors/owners.
        """
        viewer = UserAccess(request.user)
        if not viewer.can_view(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        rows = project.projectaccess_set.all()
        payload = ProjectAccessSerializer(rows, many=True).data
        return Response(payload, status=status.HTTP_200_OK)
    def retrieve(self, request, pk=None):
        """Return one project, or 404 when it is missing or not viewable.

        Missing and forbidden share the same 404, presumably so callers
        cannot probe which project ids exist.
        """
        project = get_object_or_404(Project, pk=pk)
        viewer = UserAccess(request.user)
        if not viewer.can_view(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        payload = self.retrieve_serializer_class(project).data
        return Response(payload, status=status.HTTP_200_OK)
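    def test_create_project_access_owner(self):
        """The project owner can grant another user edit access via POST.

        Posts ``{'user': ..., 'can_edit': True}`` to the access URL of an
        owned project, expects 201 with ``can_edit`` echoed back, and checks
        that ``UserAccess`` now grants both view and edit to that user.
        """
        path = self.access_url.format(self.owned_project.id)
        payload = {'user': self.other_user.id, 'can_edit': True}

        try:
            resp = self.client.post(path, data=payload)
            self.assertEqual(resp.status_code, 201)
            self.assertIn('can_edit', resp.data)
            self.assertTrue(resp.data['can_edit'])

            granted = UserAccess(self.other_user)
            self.assertTrue(granted.can_edit(self.owned_project))
            self.assertTrue(granted.can_view(self.owned_project))
        finally:
            # filter().delete() is a no-op when the POST never created the
            # row, so a failed assertion is not masked by DoesNotExist.
            ProjectAccess.objects.filter(
                user=self.other_user,
                project=self.owned_project,
            ).delete()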
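    def test_create_project_access_owner(self):
        """The project owner can grant another user edit access via POST.

        Posts ``{'user': ..., 'can_edit': True}`` to the access URL of an
        owned project, expects 201 with ``can_edit`` echoed back, and checks
        that ``UserAccess`` now grants both view and edit to that user.
        """
        path = self.access_url.format(self.owned_project.id)
        payload = {'user': self.other_user.id, 'can_edit': True}

        try:
            resp = self.client.post(path, data=payload)
            self.assertEqual(resp.status_code, 201)
            self.assertIn('can_edit', resp.data)
            self.assertTrue(resp.data['can_edit'])

            granted = UserAccess(self.other_user)
            self.assertTrue(granted.can_edit(self.owned_project))
            self.assertTrue(granted.can_view(self.owned_project))
        finally:
            # filter().delete() is a no-op when the POST never created the
            # row, so a failed assertion is not masked by DoesNotExist.
            ProjectAccess.objects.filter(
                user=self.other_user,
                project=self.owned_project,
            ).delete()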
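    def create(self, request):
        """Create an object inside a project the caller can edit.

        Requires a ``project`` id in the payload. Returns 400 when it is
        missing or not a valid id, 404 when the project does not exist or the
        caller lacks edit access on it (deliberately indistinguishable), 201
        with the serialized object on success, or 400 with serializer errors.
        """
        if 'project' not in request.data:
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # ``project`` comes straight from the client: a non-numeric value makes
        # the ORM raise ValueError rather than Http404, which would otherwise
        # surface as a 500.
        try:
            project = get_object_or_404(Project, pk=request.data['project'])
        except (TypeError, ValueError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        if not UserAccess(request.user).can_edit(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        # NOTE(review): nothing here binds the new object to request.user; if
        # the model has an author/owner field, confirm the serializer sets it
        # server-side rather than accepting it from the payload.
        serializer = self.serializer_class(data=request.data)
        if not serializer.is_valid():
            return Response(serializer.errors,
                status=status.HTTP_400_BAD_REQUEST)
        serializer.save()
        return Response(serializer.data, status=status.HTTP_201_CREATED)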
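 def update(self, request, pk=None):
     """Partially update a post; the caller needs edit access on its project.

     ``project`` and ``date_created`` are stripped from the payload (a post
     may not be moved -- only its current project is access-checked -- and
     its creation time is immutable); ``date_updated`` is set server-side.
     Returns 200 with the updated post, 400 with serializer errors, or 404
     when the post is missing or the caller may not edit it.
     """
     post = get_object_or_404(self.queryset, pk=pk)
     if not UserAccess(request.user).can_edit(post.project):
         return Response(status=status.HTTP_404_NOT_FOUND)

     # Work on a copy: request.data is an immutable QueryDict for form
     # submissions (pop()/update() raise on it), and mutating the request in
     # place is surprising to anything else that reads it later.
     data = request.data.copy()
     data.pop('project', None)
     data.pop('date_created', None)
     data['date_updated'] = timezone.now()

     serializer = self.serializer_class(post, data=data, partial=True)
     if not serializer.is_valid():
         return Response(serializer.errors,
             status=status.HTTP_400_BAD_REQUEST)
     serializer.save()
     return Response(serializer.data, status=status.HTTP_200_OK)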
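    def list(self, request):
        """List the posts of one project, given as the ``project`` query param.

        Returns 400 when the param is missing or not a valid id, 404 when
        the project does not exist or the caller may not view it (the two
        are deliberately indistinguishable), else 200 with the posts.
        """
        if 'project' not in request.query_params:
            return Response(status=status.HTTP_400_BAD_REQUEST)
        proj_id = request.query_params['project']

        # The id is client-supplied: a non-numeric value makes the ORM raise
        # ValueError rather than Http404, which would surface as a 500.
        try:
            project = get_object_or_404(self.project_queryset, pk=proj_id)
        except (TypeError, ValueError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        if not UserAccess(request.user).can_view(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        posts = self.queryset.filter(project=project)
        serializer = self.serializer_class(posts, many=True)
        return Response(serializer.data, status=status.HTTP_200_OK)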
    def update(self, request, pk=None):
        """Partially update a project; the caller needs edit access on it.

        Returns 404 when the project is missing or not editable by the
        caller, 200 with the updated project, or 400 with serializer errors.

        NOTE(review): unlike the tag/post update views, nothing is stripped
        from request.data here -- confirm the serializer marks ``owner`` (and
        any other privileged field) read-only, otherwise an editor could
        reassign ownership.
        """
        project = get_object_or_404(Project, pk=pk)
        editor = UserAccess(request.user)
        if not editor.can_edit(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        serializer = self.serializer_class(project,
                                           data=request.data,
                                           partial=True)
        if not serializer.is_valid():
            return Response(serializer.errors,
                            status=status.HTTP_400_BAD_REQUEST)

        serializer.save()
        return Response(serializer.data, status=status.HTTP_200_OK)
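    def available(self, request):
        """Report whether a tag ``title`` is still unused inside ``project``.

        Both values come from the query string. Returns 400 when either is
        missing or ``project`` is not a valid id, 404 when the project does
        not exist or the caller lacks edit access (deliberately
        indistinguishable), else 200 with ``{'available': bool}``.
        """
        params = request.query_params
        if 'project' not in params or 'title' not in params:
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # The id is client-supplied: a non-numeric value makes the ORM raise
        # ValueError rather than Http404, which would surface as a 500.
        try:
            project = get_object_or_404(Project, pk=params['project'])
        except (TypeError, ValueError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # Edit access is required (not just view), so viewers cannot probe
        # the project's tag names through this endpoint.
        if not UserAccess(request.user).can_edit(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        project_tags = self.queryset.filter(project=project)
        title = params['title']
        data = {
            'available': not project_tags.filter(title=title).exists(),
        }
        return Response(data, status=status.HTTP_200_OK)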
    def lookup(self, request):
        """Find a project by owner ``username`` and ``title`` (query params).

        Returns 405 for anything but GET, 400 when a param is missing, and
        404 when the user or project does not exist or the caller may not
        view the project -- all three 404 cases look the same, so the
        endpoint does not reveal which usernames or titles exist.
        Otherwise 200 with the serialized project.
        """
        if request.method != 'GET':
            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)

        params = request.query_params
        missing = 'username' not in params or 'title' not in params
        if missing:
            return Response(status=status.HTTP_400_BAD_REQUEST)

        owner = get_object_or_404(self.user_queryset,
                                  username=params['username'])
        owned = self.queryset.filter(owner=owner)
        project = get_object_or_404(owned, title=params['title'])

        if not UserAccess(request.user).can_view(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        payload = self.retrieve_serializer_class(project).data
        return Response(payload, status=status.HTTP_200_OK)
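    def available(self, request):
        """Report whether ``title`` is still unused inside ``project``.

        Both values come from the query string. Returns 405 for anything
        but GET, 400 when either param is missing or ``project`` is not a
        valid id, 404 when the project does not exist or the caller lacks
        view access (deliberately indistinguishable), else 200 with
        ``{'available': bool}``.
        """
        if request.method != 'GET':
            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
        params = request.query_params
        if 'project' not in params or 'title' not in params:
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # The id is client-supplied: a non-numeric value makes the ORM raise
        # ValueError rather than Http404, which would surface as a 500.
        proj_id = params['project']
        try:
            project = get_object_or_404(self.project_queryset, pk=proj_id)
        except (TypeError, ValueError):
            return Response(status=status.HTTP_400_BAD_REQUEST)

        if not UserAccess(request.user).can_view(project):
            return Response(status=status.HTTP_404_NOT_FOUND)

        constrained_queryset = self.queryset.filter(project=project)
        title = params['title']
        available = not constrained_queryset.filter(title=title).exists()
        resp_data = {'available': available}
        return Response(resp_data, status=status.HTTP_200_OK)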
 def test_owner_can_view_and_edit(self):
     """The project owner gets both view and edit from ``UserAccess``."""
     owner_access = UserAccess(self.owner)
     for check in (owner_access.can_view, owner_access.can_edit):
         self.assertTrue(check(self.project))
 def delete(self, request, pk=None):
     """Delete one plugin; requires edit access on the plugin's project.

     Returns 204 on success and 404 both when the plugin is missing and
     when the caller lacks edit access (the two are not distinguished).
     """
     plugin = get_object_or_404(self.queryset, pk=pk)
     editor = UserAccess(request.user)
     if not editor.can_edit(plugin.project):
         return Response(status=status.HTTP_404_NOT_FOUND)

     plugin.delete()
     return Response(status=status.HTTP_204_NO_CONTENT)