class SalaDetail(generics.RetrieveUpdateDestroyAPIView): queryset = Sala.objects.all() serializer_class = SalaSerializer authentication_classes = [ oauth2_provider.contrib.rest_framework.OAuth2Authentication, SessionAuthentication ] permission_classes = [ Or(IsAdminUser, oauth2_provider.contrib.rest_framework.TokenHasReadWriteScope) ] filter_backends = (filters.DjangoFilterBackend, ) filter_class = SalaFilter
class SalaList(generics.ListCreateAPIView): queryset = Sala.objects.all() serializer_class = SalaSerializer authentication_classes = [ oauth2_provider.contrib.rest_framework.OAuth2Authentication, SessionAuthentication ] permission_classes = [ Or(IsAdminUser, oauth2_provider.contrib.rest_framework.TokenHasReadWriteScope) ] filter_backends = (filters.DjangoFilterBackend, ) filter_fields = '__all__'
class TicketViewset(PrefetchQuerysetModelMixin, viewsets.ModelViewSet): ownership_field = "creator" user_relation = "user.profile" permission_classes = [ Or( And(IsPostRequest, CanSubmitTickets), # Creating new tickets And( IsDeleteRequest, Or( IsAdmin, # Admin deleting ticket And(CanSubmitTickets, OwnsObject), # Deleting own ticket )), And(IsGetRequest, CanSubmitTickets), # Geting last ticket, or list of tickets And( IsPutPatchRequest, Or( IsMentor, # Mentors manipulating tickets And(CanSubmitTickets, OwnsObject) # Submitting feedback ))) ] queryset = Ticket.objects.all() serializer_class = TicketSerializer @action(methods=['get'], detail=False) def last_ticket(self, request): self.update ticket = Ticket.objects.filter(creator=request.user.profile).last() if ticket is not None: self.queryset = Ticket.objects.filter(id=ticket.id) queryset = self.get_queryset() else: queryset = Ticket.objects.none() serializer = self.get_serializer_class()(queryset, many=True) data = serializer.data[0] if len(serializer.data) > 0 else {} return Response(data)
class ResponseMessageListCreateView(ListCreateAPIView): model = ResponseMessage serializer_class = ResponseMessageSerializer queryset = ResponseMessage.objects() permission_classes = [Or(build_permission_class('dms.can_manage_messages'), IsGetRequest)] def pre_save(self, obj): in_response_to = self.request.DATA.get('text', '') obj.text = settings.AUTO_RESPONSE_MESSAGE obj.response_to = in_response_to def post_save(self, obj, created=True): auto_response_enabled = AdminSetting.objects(**dict(name='enable_automatic_response', yes_no=True)).first() if auto_response_enabled: send_one_sms.delay(obj)
class InvitationCheckin(generics.UpdateAPIView): queryset = Invitation.objects.all() serializer_class = InvitationSerializer permission_classes = (Or( IsAdmin, Or(IsHostOfInvitationObject, IsBouncerOfInvitationObject)), ) def put(self, request, *args, **kwargs): try: invitation = Invitation.objects.get(pk=kwargs['pk']) except Invitation.DoesNotExist: raise ValidationError("The invitation does not exist.") self.check_object_permissions(request, invitation) if not invitation.has_rsvped: raise ValidationError("The user has not RSVPed yet.") if invitation.has_checkedin: raise ValidationError("The user has already checked in.") invitation.has_checkedin = True invitation.save() # need to explicitly call save here serializer = InvitationSerializer(invitation) return Response(serializer.data, status=status.HTTP_200_OK)
class BaseAttributeApiViewSet(BaseApiViewSet): permission_classes = [ Or(UnauthenticatedReadOnlyPermission, AttributeAuthenticatedUserPermission) ] method_authentication_classes = {"GET": []} def perform_create(self, serializer): # Here is where we could set status based on user role # for now, make it always lowest when set by API, though this is also model default serializer.save(status=APPROVAL_STATUSES[-1][0]) def perform_update(self, serializer): serializer.save(status=APPROVAL_STATUSES[-1][0])
class GroupMembersDetail(generics.RetrieveUpdateDestroyAPIView): serializer_class = MemberSerializer lookup_url_kwarg = "membership_id" permission_classes = (Or(IsGroupAdminPermission, IsGroupMemberPermission), ) def get_queryset(self): membership_id = self.kwargs['membership_id'] group_id = self.kwargs['pk'] try: return Membership.objects.filter(pk=membership_id, group__id=group_id) except ObjectDoesNotExist: return []
class AdminViewSet(AtomicMixin, InstanceBasedMixin, mixins.RetrieveModelMixin, mixins.UpdateModelMixin, mixins.DestroyModelMixin, mixins.ListModelMixin, GenericViewSet): """API endpoint for admins added to given instance""" model = AdminInstanceRole queryset = AdminInstanceRole.objects lookup_field = 'admin_id' serializer_class = AdminInstanceRoleSerializer permission_classes = (Or(AdminHasPermissions, AllowSelfRoleDeletion), ProtectOwnerAccess, OwnerInGoodStanding) def get_queryset(self): qs = super().get_queryset() return qs.select_related( 'role', 'admin').filter(instance=self.request.instance)
class TeamFileUploadListCreateView(generics.ListCreateAPIView): serializer_class = serializers.TeamFileUploadSerializer queryset = TeamFileUpload.objects.all() pagination_class = TeamFileLimitOffsetPagination # TODO: UPDATE PERMISSIONS permission_classes = [And(Or(IsGet, IsPost), permissions.IsAuthenticated)] def get_queryset(self): return self.queryset.filter(user=self.request.user) def perform_create(self, serializer): obj = serializer.save(user=self.request.user) task = create_teams.delay(obj.id) # Set the task id obj.task_id = task.task_id obj.save()
class CreateView(generics.ListCreateAPIView): """This class defines the create behavior of the rest api.""" serializer_class = ProductSerializer authentication_classes = [OAuth2Authentication, SessionAuthentication] permission_classes = [Or(IsAdminUser, TokenHasReadWriteScope)] filter_backends = (filters.DjangoFilterBackend, ) filter_fields = '__all__' def perform_create(self, serializer): """Save the post data when creating a new product.""" serializer.save(owner=self.request.user, quantity=0) def get_queryset(self): """This view returns the products from the currently authenticated user""" return Product.objects.filter(owner=self.request.user)
class EntradaView(APIView): authentication_classes = [BasicAuthentication, TokenAuthentication] permission_classes = [ IsAuthenticated, Or(IsManagerGroup, IsAdminGroup, IsSnifforGroup, IsReportMakerGroup) ] def get(self, request): """Devuelve las entradas""" data = request.data if 'ids' in data.keys(): ids = data['ids'] ent_list = EntradaService.get_by_ids(ids) serializer = EntradaSerializer(ent_list, many=True) else: raise AttributeError("Falta el parámetro Ids o está vacio") return Response(serializer.data) def post(self, request): """Inserta entradas""" data = request.data entradas = [] for r in data: if "type" in r.keys(): entidades = [] if 'entidades' in r.keys(): entidades = r['entidades'] if r["type"] == "portal": entradas.append( PortalEntrada(content=r["content"], fecha=datetime.datetime.strptime( r["fecha"], "%d/%m/%Y"), etiquetas=r["etiquetas"], fuente=r["fuente_id"], entidades=entidades)) entradas = PreprocessorService.preprocess(entradas) entradas_saved = EntradaService.save_opinions(entradas) ent_ids = [str(ent.id) for ent in entradas_saved] content = {"ids": ent_ids} return Response(content)
class MusicDetail(generics.RetrieveUpdateDestroyAPIView): queryset = Music.objects.all() serializer_class = MusicSerializer authentication_classes = [OAuth2Authentication, SessionAuthentication] permission_classes = [Or(IsAdminUser, TokenHasReadWriteScope)] filter_backends = (filters.DjangoFilterBackend, ) filter_fields = '__all__' class AlbumFilter(filters.FilterSet): date_gte = filters.DateFilter(name="date", lookup_expr='gte') date_lte = filters.DateFilter(name="date", lookup_expr='lte') class Meta: model = Album fields = '__all__'
class GroupViewSet(EndpointAclMixin, v1_views.GroupViewSet): serializer_class = GroupSerializer permission_classes = ( Or( # Check admin permissions AdminHasPermissions, # Check API Key ACL CheckAclPermission, ), OwnerInGoodStanding, ) endpoint_acl_object_field = 'groups_acl' def get_queryset(self): base_query = super().get_queryset() return base_query.filter_acl(self.request)
class CountryReportViewSet(viewsets.ModelViewSet): permission_classes = (Or(IsAuthenticated, get_guest_permissions_class(['list', 'retrieve'])), ) serializer_class = CountryReportSerializer queryset = CountryReport.objects.all() def list(self, request, *args, **kwargs): queryset = CountryReport.objects.all() serializer = CountryReportSerializer(queryset, many=True) return Response(serializer.data) def retrieve(self, request, pk=None, *args, **kwargs): queryset = CountryReport.objects.all() countryreport = get_object_or_404(queryset, pk=pk) serializer = CountryReportRetrieveSerializer(countryreport) return Response(serializer.data)
class PublishedArtifactGroupView(MajoraUUID4orDiceNameLookupMixin, RequiredParamRetrieveMixin, MajoraCeleryListingMixin, mixins.RetrieveModelMixin, viewsets.GenericViewSet): serializer_class = serializers.RestyPublishedArtifactGroupSerializer majora_alternative_field = "published_name" queryset = models.PublishedArtifactGroup.objects.all() celery_task = tasks.task_get_pag_by_qc_v3 permission_classes = (Or(permissions.IsAuthenticated, APIKeyPermission), ) majora_api_permission = "majora2.can_read_dataview_via_api" majora_required_params = ["mdv"] #renderer_classes = [JSONRenderer] def get_serializer_context(self): context = super().get_serializer_context() mdv = self.request.query_params.get("mdv") # I tried to raise http400 here but it didnt seem to work context.update({"mdv": mdv}) return context def get_queryset(self): queryset = self.queryset service = self.request.query_params.get('service', None) public = self.request.query_params.get('public', None) private = self.request.query_params.get('private', None) if public and private: # Ignore pass elif public: if service: queryset = queryset.filter(accessions__service=service) else: queryset = queryset.filter(is_public=True) elif private: if service: queryset = queryset.filter(~Q(accessions__service=service)) else: queryset = queryset.filter(is_public=False) return queryset
class PartyDetail(generics.RetrieveUpdateDestroyAPIView): queryset = Party.objects.all() permission_classes = (Or(IsAdmin, And(IsAuth, IsHostOfPartyObjectOrReadOnly)), ) def get_serializer_class(self): if self.request.method == 'GET': party_id = self.kwargs['pk'] party = Party.objects.get(pk=party_id) user = self.request.user if user.is_staff or user == party.host: return PartyManagerSerializer elif user in party.bouncers.all() or user in party.invitees.all(): return PartySerializer else: return PartySummarySerializer else: return PartyManagerSerializer
class ProfileImageView(MongoAPIView): permission_classes = [ Or(build_permission_class('dms.can_manage_users'), IsCurrentUsersProfile), ] DEFAULT_IMAGE_PATH = settings.STATICFILES_DIRS[ 0] + "/img/default_profile.jpg" def get(self, request, *args, **kwargs): try: profile = UserProfile.objects.get(id=kwargs['id']) if profile and hasattr(profile, 'photo'): photo = profile.photo.read() return HttpResponse(photo, content_type=profile.photo.content_type) except: return HttpResponse(open(self.DEFAULT_IMAGE_PATH), content_type='image/jpeg')
class AppointmentScheduleViewSet(GenericViewSet, mixins.ListModelMixin): """ List appointment schedules with doctors For filtering by date, use GET /api/v1/appointments/schedules? appointment_starts=2017-1-1&appointment_ends=2017-12-31 """ queryset = AppointmentSchedule.objects.all().order_by('-id') serializer_class = AppointmentScheduleSerializer permission_classes = (Or(IsSuperAdmin, IsClinicsAdmin, IsDoctor), ) filter_backends = ( AppointmentScheduleFilter, DjangoFilterBackend, ) filter_class = AppointmentScheduleDateTimeFilter pagination_class = ViewPagination
class UserSelfDetailsOrCreate(generics.ListCreateAPIView): permission_classes = [ Or( # Only GET and POST allowed, all other are Not Allowed. And(IsReadyOnlyRequest, permissions.IsAuthenticated ), # Any authenticated user can get its details. IsPostRequest, # Anyone should be allowed to POST, i.e. to create new user. ) ] def get_serializer_class(self): if self.request.method in permissions.SAFE_METHODS: return UserSerializerReadSerializer else: return UserSerializerWriteSerializer def get_queryset(self): return models.User.objects.filter(pk=self.request.user.pk)
class DataObjectHighLevelApiViewSet(GenericEndpointViewSetMixin, v1_views.DataObjectHighLevelApiViewSetBase): serializer_class = DataObjectHighLevelApiSerializer serializer_detail_class = DataObjectHighLevelApiDetailSerializer permission_classes = ( Or(AdminHasPermissions, ApiKeyHasPermissions, AllowEndpointAction), OwnerInGoodStanding, ) def endpoint_get(self, request, *args, **kwargs): return self.run_view(request, *args, **kwargs) @force_atomic(False) def endpoint_post(self, request, *args, **kwargs): queryset = self.filter_queryset(self.get_queryset()) lookup_url_kwarg = self.lookup_url_kwarg or self.lookup_field filter_kwargs = {self.lookup_field: self.kwargs[lookup_url_kwarg]} self.object = get_object_or_404(queryset, **filter_kwargs) return self.run_data_api_view(request)
class userkeysViewSet(viewsets.ReadOnlyModelViewSet): """ API endpoint that allows users to be viewed or edited. """ queryset = userkeys.objects.all() serializer_class = userkeys_serializer permission_classes = (Or(baseAPIPermission, IsAuthenticated, HasAPIAccess), ) pagination_class = basePagination filter_backends = (DjangoFilterBackend, ) filterset_fields = ('user', ) def get_queryset(self): username = self.request.query_params.get('username', None) print("USERNAME QUERYSET: ", username, file=sys.stderr) if username: user_selected = User.objects.get(username=username) self.queryset = self.queryset.filter(user=user_selected) return self.queryset
class StudentAttendance(APIView): authentication_classes = (authentication.SessionAuthentication,) permission_classes = (Or(permissions.IsAdminUser, WriteTokenOnly),) def get(self, request, format = None): course_id = request.GET.get('course_id') date = request.GET.get('date') lectures = Lecture.objects.filter(course = course_id, begin__date = date) response = [] for lecture in lectures: student_att = StudentsAttendLectures.objects.filter(lecture = lecture) att_list = {att.student.student.user.email: [att.present, att.id] for att in student_att} att_list['time'] = lecture.begin.time() response.append(att_list) return Response(response)
class TotalStudentAttendance(APIView): authentication_classes = (authentication.SessionAuthentication,) permission_classes = (Or(permissions.IsAdminUser, WriteTokenOnly),) def get(self, request, format = None): course_id = request.GET.get('course_id') students = [sac.student for sac in StudentAttendCourses.objects.filter(course = course_id)] lectures = Lecture.objects.filter(course = course_id) response = {} for student in students: att = 0 for lecture in lectures: student_att = StudentsAttendLectures.objects.get(lecture = lecture, student = student) att += int(student_att.present) response[student.student.user.email] = att*1.0/len(lectures) if len(lectures) > 0 else 0 return Response(response)
class UpdateDestroyUser( mixins.UpdateModelMixin, mixins.DestroyModelMixin, generics.GenericAPIView): queryset = MyUser.objects.all() serializer_class = UpdateUserSerializer permission_classes = [Or(IsSameUser,IsSuperAdmin)] def put(self, request, *args, **kwargs): return self.update(request, *args, **kwargs) def delete(self, request, *args, **kwargs): return self.destroy(request, *args, **kwargs) def getPk(self): return self.kwargs['pk']
class image_objectsViewSet(viewsets.ModelViewSet): """ API endpoint that allows to be view or edit image objects. get: List image objects matching url parameters. post: Create a new image object instance. patch: edit and update an existing image object. delete: permanently delete an existing image object. """ queryset = image_objects.objects.all() serializer_class = image_objects_serializer permission_classes = (Or(baseAPIPermission, IsAuthenticated, HasAPIAccess), ) pagination_class = basePagination distance_filter_field = 'geom' bbox_filter_field = 'geom' filter_backends = (DjangoFilterBackend, DistanceToPointFilter, InBBoxFilter) filterset_fields = ('panorama', 'type') def get_queryset(self): as_geojson = self.request.query_params.get('as_geojson', None) if as_geojson: self.serializer_class = image_objects_geo_serializer self.pagination_class = GeoJsonPagination return self.queryset def initial(self, request, *args, **kwargs): if request.method == 'GET': self.permission_classes = (Or(baseAPIPermission, IsAuthenticated, HasAPIAccess), ) #Or(baseAPIPermission, HasAPIAccess), else: self.permission_classes = (IsAuthenticated, ) super(image_objectsViewSet, self).initial(request, *args, **kwargs)
class CreditCardDetail(generics.RetrieveUpdateDestroyAPIView): queryset = CreditCard.objects.all() serializer_class = CreditCardSerializer authentication_classes = [OAuth2Authentication, SessionAuthentication] permission_classes = [Or(IsAdminUser, TokenHasReadWriteScope)] def destroy(self, request, *args, **kwargs): instance = self.get_object() if Wallet.objects.filter(cards=instance.pk): return Response( status=status.HTTP_400_BAD_REQUEST, data={ "non_field_errors": ["To delete a card, please remove it from the wallet!"] }) self.perform_destroy(instance) return Response(status=status.HTTP_204_NO_CONTENT) def perform_destroy(self, instance): instance.delete()
class BaseLineUpload(generics.ListCreateAPIView): serializer_class = serializers.FileUploadSerializer queryset = FileUpload.objects.all() pagination_class = FileUploadLimitOffsetPagination # TODO: UPDATE PERMISSIONS permission_classes = [ Or( And(IsGet, permissions.IsAuthenticated), And(IsPost, permissions.IsAuthenticated, IsAllowedToUpload), ) ] def get_queryset(self): return self.queryset.filter(user=self.request.user) def perform_create(self, serializer): obj = serializer.save(user=self.request.user) task = import_to_db.delay(obj.id) # Set the task id obj.task_id = task.task_id obj.save()
class GroupMembershipViewSet(v1_views.GroupMembershipViewSet): """ Groups of a User ViewSet """ serializer_class = GroupMembershipSerializer permission_classes = ( Or( # Check admin permissions AdminHasPermissions, # Check API Key ACL CheckGroupMembershipAclPermission, ), OwnerInGoodStanding, ) def get_queryset(self): base_query = super(v1_views.GroupMembershipViewSet, self).get_queryset() return base_query.select_related('user').prefetch_related( 'user__groups')
class UserViewSet(viewsets.ModelViewSet): """ API endpoint that allows users to be viewed or edited. """ queryset = User.objects.all().order_by('-date_joined') def get_queryset(self): """ This view should return a list of all the purchases for the currently authenticated user. """ user = self.request.user return User.objects.filter( cliente=user.cliente).order_by('-date_joined') serializer_class = UserSerializer permission_classes = [ permissions.IsAuthenticated, Or(IsAdminGroup, IsSuperAdminGroup) ]
class BatchView(InstanceBasedMixin, generics.GenericAPIView): permission_classes = (OwnerInGoodStanding, Or(permissions.IsAuthenticated, IsApiKeyAccess)) serializer_class = BatchSerializer def get_queryset(self): # Workaround so that browsable API does not complain. return def create_headers(self, request): return {'X_BATCHING': '1'} def post(self, request, *args, **kwargs): serializer = self.get_serializer(data=request.data) if serializer.is_valid(): batch_limit = settings.BATCH_MAX_SIZE requests_data = serializer.data['requests'] if len(requests_data) > batch_limit: raise BatchLimitExceeded(batch_limit) headers = self.create_headers(request) max_response_size = settings.MAX_RESPONSE_SIZE responses = [] for data in requests_data: wsgi_request = get_wsgi_request_object(request._request, method=data['method'], url=data['path'], headers=headers, body=data['body']) response, response_len = get_response( wsgi_request, instance=request.instance) if 'content' in response: max_response_size -= response_len max_response_size = max(max_response_size, 0) responses.append(response) return Response(responses, status=status.HTTP_200_OK) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)