def get_and_check_ownership(self, request, allow_anon=False, **kwargs):
    """Resolve one app from ``kwargs`` and enforce the ownership rules.

    Resolution order:

    1. Look the object up in ``self._meta.queryset`` rather than
       ``get_object_list`` so that "does not exist" and "not allowed" stay
       distinguishable in the response.
    2. If it is missing there but present in ``self._meta.queryset_base``
       (i.e. filtered out of this region), owners still receive the object;
       anyone else gets ``HttpLegallyUnavailable``. Note that this branch
       confirms the app's existence to non-owners -- an accepted trade-off
       of the region-unavailable response, not an oversight.
    3. Missing from both querysets -> ``http.HttpNotFound``.
    4. With ``allow_anon`` set and a public app, no ownership check is made.
    5. Otherwise ``AppOwnerAuthorization`` must approve, else
       ``http.HttpForbidden``.

    :param request: the incoming request, handed to the authorization class.
    :param allow_anon: when true, public apps are returned to anyone.
    :param kwargs: lookup parameters forwarded to ``QuerySet.get``/``filter``.
    :returns: the resolved model instance.
    :raises: whatever ``http_error`` raises for the 404 / 403 / legally
        unavailable outcomes; ``MultipleObjectsReturned`` from ``.get`` is
        not caught here.
    """
    try:
        app = self._meta.queryset.get(**kwargs)
    except self._meta.object_class.DoesNotExist:
        app = None

    if app is None:
        # Present in the unfiltered base queryset means "region-blocked",
        # not "nonexistent".
        region_hidden = self._meta.queryset_base.filter(**kwargs)
        if not region_hidden.exists():
            raise http_error(http.HttpNotFound, 'No such app.')
        app = region_hidden[0]
        if AppOwnerAuthorization().is_authorized(request, object=app):
            return app
        raise http_error(HttpLegallyUnavailable,
                         'Not available in your region.')

    # Anonymous access is only ever granted to public apps.
    if allow_anon and app.is_public():
        return app

    # Last gate: non-owners of a non-public (or non-anon) lookup get a 403.
    if AppOwnerAuthorization().is_authorized(request, object=app):
        return app
    raise http_error(http.HttpForbidden, 'You do not own that app.')
def obj_create(self, bundle, request, **kwargs):
    """Create a preview for the app selected by ``?app=<pk>``.

    Validation is staged, and each stage raises ``self.form_errors`` on
    failure: the query-string arguments (``PreviewArgsForm``), then the
    JSON body (``PreviewJSONForm``), then ``PreviewForm`` over the cleaned
    data. The ownership check sits between the first and second stage, so
    a non-author's request body is never parsed and ``form.save`` is never
    reached.

    :param bundle: tastypie bundle; ``bundle.data`` is the decoded request
        body and ``bundle.obj`` is set to the new preview on success.
    :param request: the request; ``request.GET['app']`` names the app.
    :returns: the same bundle with ``obj`` populated.
    :raises: ``http.HttpForbidden`` via ``http_error`` for non-authors; a
        404 via ``get_object_or_404`` when the pk is not a web app.
    """
    # Validate the query-string first so the pk is an int, not a raw string.
    args_form = PreviewArgsForm(request.GET)
    if not args_form.is_valid():
        raise self.form_errors(args_form)

    app_pk = args_form.cleaned_data['app']
    app = self.get_object_or_404(Addon, pk=app_pk, type=amo.ADDON_WEBAPP)

    # Authorization before the body is touched.
    if not AppOwnerAuthorization().is_authorized(request, object=app):
        raise http_error(http.HttpForbidden,
                         'You are not an author of that app.')

    json_form = PreviewJSONForm(bundle.data)
    if not json_form.is_valid():
        raise self.form_errors(json_form)

    preview_form = PreviewForm(json_form.cleaned_data)
    if not preview_form.is_valid():
        raise self.form_errors(preview_form)

    preview_form.save(app)
    bundle.obj = preview_form.instance
    log.info('Preview created: %s' % bundle.obj.pk)
    return bundle
def obj_get(self, request=None, **kwargs):
    """Return a single status object, restricted to the app's authors.

    Delegates the lookup to the parent ``obj_get`` and then applies
    ``AppOwnerAuthorization`` to the result; a non-author receives
    ``http.HttpForbidden`` rather than the object.

    :param request: the incoming request (defaults to ``None``, as in the
        parent signature); passed through to the authorization check.
    :param kwargs: lookup parameters for the parent ``obj_get``.
    :returns: the status object.
    :raises: whatever ``http_error`` raises for the 403 case, plus anything
        the parent lookup raises.
    """
    status_obj = super(StatusResource, self).obj_get(request=request,
                                                     **kwargs)
    allowed = AppOwnerAuthorization().is_authorized(request, object=status_obj)
    if not allowed:
        raise http_error(http.HttpForbidden,
                         'You are not an author of that app.')
    log.info('App status retreived: %s' % status_obj.pk)
    return status_obj
def obj_delete(self, request, **kwargs):
    """Delete a preview, allowed only to authors of its parent app.

    The preview is resolved with ``get_by_resource_or_404``; the ownership
    check is made against ``obj.addon`` (the app), not the preview itself,
    and a failure yields ``http.HttpForbidden`` before any deletion.

    :param request: the incoming request, passed to the authorization check.
    :param kwargs: lookup parameters for the preview.
    :returns: whatever the parent ``obj_delete`` returns.
    :raises: whatever ``http_error`` raises for the 403 case; a 404 from
        ``get_by_resource_or_404`` when the preview is missing.
    """
    preview = self.get_by_resource_or_404(request, **kwargs)
    owner_ok = AppOwnerAuthorization().is_authorized(request,
                                                    object=preview.addon)
    if not owner_ok:
        raise http_error(http.HttpForbidden,
                         'You are not an author of that app.')
    log.info('Preview deleted: %s' % preview.pk)
    return super(PreviewResource, self).obj_delete(request, **kwargs)
class Meta(MarketplaceModelResource.Meta):
    """Resource options for the ``status`` endpoint.

    Detail-only (``list_allowed_methods`` is empty) with ``get`` and
    ``patch``; requires OAuth (``OAuthAuthentication``, not the optional
    variant, so anonymous requests are rejected) and app ownership.
    """
    resource_name = 'status'
    serializer = Serializer(formats=['json'])

    # Only web apps are reachable through this resource.
    queryset = Addon.objects.filter(type=amo.ADDON_WEBAPP)
    fields = ['status', 'disabled_by_user']

    # No list endpoint at all; detail supports read and partial update.
    list_allowed_methods = []
    allowed_methods = ['patch', 'get']
    always_return_data = True

    authentication = OAuthAuthentication()
    authorization = AppOwnerAuthorization()
def obj_delete(self, request, **kwargs):
    """Delete a rating if the caller is allowed to.

    Any one of these grants deletion (checked in this order, stopping at
    the first success): author of the rated app (``AppOwnerAuthorization``
    on ``obj.addon``), owner of the rating itself (``OwnerAuthorization``),
    the ``Users:Edit`` permission, or the ``Addons:Edit`` permission.
    Otherwise an ``ImmediateHttpResponse`` carrying a bodyless
    ``http.HttpForbidden`` is raised.

    :param request: the incoming request, passed to each authorization check.
    :param kwargs: lookup parameters for the rating.
    :returns: whatever the parent ``obj_delete`` returns.
    :raises ImmediateHttpResponse: for the 403 case; a 404 from
        ``get_by_resource_or_404`` when the rating is missing.
    """
    rating = self.get_by_resource_or_404(request, **kwargs)
    # Lazily evaluated in order so the short-circuit matches an ``or`` chain.
    grants = (
        lambda: AppOwnerAuthorization().is_authorized(request,
                                                      object=rating.addon),
        lambda: OwnerAuthorization().is_authorized(request, object=rating),
        lambda: PermissionAuthorization('Users', 'Edit').is_authorized(request),
        lambda: PermissionAuthorization('Addons', 'Edit').is_authorized(request),
    )
    if not any(grant() for grant in grants):
        raise ImmediateHttpResponse(response=http.HttpForbidden())
    log.info('Rating %s deleted from addon %s' % (rating.pk, rating.addon.pk))
    return super(RatingResource, self).obj_delete(request, **kwargs)
class Meta(MarketplaceResource.Meta):
    """Resource options for the ``privacy`` endpoint under ``apps``.

    Exposes only ``privacy_policy`` on the detail view, readable and
    writable (``get``/``put``). Authentication is optional, so whether an
    anonymous ``get`` succeeds is decided by ``AppOwnerAuthorization`` and
    the dispatch override of ``queryset`` rather than here.
    """
    api_name = 'apps'
    resource_name = 'privacy'
    slug_lookup = 'app_slug'
    serializer = Serializer(formats=['json'])

    # Placeholder only; dispatch replaces this queryset.
    queryset = Webapp.objects.all()
    fields = ['privacy_policy']

    detail_allowed_methods = ['get', 'put']
    always_return_data = True

    authentication = OptionalOAuthAuthentication()
    authorization = AppOwnerAuthorization()

    # Users lacking Apps:APIUnthrottled are limited to 10 requests per day.
    # NOTE(review): the original comment said "POST requests", but this
    # resource only allows get/put on detail -- confirm which methods the
    # throttle actually gates.
    throttle = CacheThrottle(throttle_at=10, timeframe=60 * 60 * 24)
def obj_delete(self, request, **kwargs):
    """Delete a rating if the caller is allowed to.

    Any one of these grants deletion (checked in this order, stopping at
    the first success): author of the rated app (``AppOwnerAuthorization``
    on ``obj.addon``), owner of the rating itself (``OwnerAuthorization``),
    the ``Users:Edit`` permission, or the ``Addons:Edit`` permission.
    Otherwise ``http.HttpForbidden`` is raised via ``http_error`` with an
    explanatory message.

    :param request: the incoming request, passed to each authorization check.
    :param kwargs: lookup parameters for the rating.
    :returns: whatever the parent ``obj_delete`` returns.
    :raises: whatever ``http_error`` raises for the 403 case; a 404 from
        ``get_by_resource_or_404`` when the rating is missing.
    """
    rating = self.get_by_resource_or_404(request, **kwargs)

    def _may_delete():
        # Sequential returns keep the same evaluation order and
        # short-circuiting as the original ``or`` chain.
        if AppOwnerAuthorization().is_authorized(request, object=rating.addon):
            return True
        if OwnerAuthorization().is_authorized(request, object=rating):
            return True
        if PermissionAuthorization('Users', 'Edit').is_authorized(request):
            return True
        return PermissionAuthorization('Addons', 'Edit').is_authorized(request)

    if not _may_delete():
        raise http_error(
            http.HttpForbidden,
            'You do not have permission to delete this review.')
    log.info('Rating %s deleted from addon %s' % (rating.pk, rating.addon.pk))
    return super(RatingResource, self).obj_delete(request, **kwargs)
class Meta(MarketplaceModelResource.Meta):
    """Resource options for the ``app`` endpoint.

    List supports ``get``/``post``; detail supports ``get``/``put``/
    ``delete``. Two authenticators are configured (shared secret and
    optional OAuth) -- presumably tried in turn, tastypie-style; confirm
    against ``MarketplaceModelResource``. Authorization is app ownership.
    """
    resource_name = 'app'
    slug_lookup = 'app_slug'
    serializer = Serializer(formats=['json'])

    # Placeholder only; dispatch replaces this queryset.
    queryset = Webapp.objects.all()
    # NOTE(review): 'status' and 'payment_account' are exposed on a
    # resource that accepts PUT -- confirm the hydrate/update path limits
    # which of these an owner may actually change.
    fields = ['categories', 'description', 'device_types', 'homepage',
              'id', 'name', 'payment_account', 'premium_type', 'status',
              'support_email', 'support_url']

    list_allowed_methods = ['get', 'post']
    detail_allowed_methods = ['get', 'put', 'delete']
    always_return_data = True

    authentication = (SharedSecretAuthentication(),
                      OptionalOAuthAuthentication())
    authorization = AppOwnerAuthorization()

    # Users lacking Apps:APIUnthrottled are limited to 10 POST requests/day.
    throttle = CacheThrottle(throttle_at=10, timeframe=60 * 60 * 24)
def obj_update(self, bundle, request, **kwargs):
    """Apply a status change to one app via ``StatusForm``.

    The app is looked up in ``get_object_list(bundle.request)``; a miss is
    a ``http.HttpNotFound``. Ownership is verified with
    ``AppOwnerAuthorization`` before the form is even built, so a
    non-author can neither validate nor save. Form errors are surfaced via
    ``self.form_errors``.

    :param bundle: tastypie bundle; ``bundle.data`` feeds ``StatusForm`` and
        ``bundle.obj`` is set to the updated app.
    :param request: the request used for the authorization check.
        NOTE(review): the lookup uses ``bundle.request`` while the auth
        check uses ``request`` -- presumably the same object; confirm.
    :param kwargs: lookup parameters for the app.
    :returns: the bundle with ``obj`` set.
    :raises: whatever ``http_error`` raises for the 404 / 403 cases.
    """
    try:
        app = self.get_object_list(bundle.request).get(**kwargs)
    except Addon.DoesNotExist:
        app = None
    if app is None:
        raise http_error(http.HttpNotFound, 'No such addon.')

    owner_ok = AppOwnerAuthorization().is_authorized(request, object=app)
    if not owner_ok:
        raise http_error(http.HttpForbidden,
                         'You are not an author of that app.')

    status_form = StatusForm(bundle.data, instance=app)
    if not status_form.is_valid():
        raise self.form_errors(status_form)
    status_form.save()
    log.info('App status updated: %s' % app.pk)

    bundle.obj = app
    return bundle