def dispatch(self, request_type, request, **kwargs): """ Handles the common operations (allowed HTTP method, authentication, throttling, method lookup) surrounding most CRUD interactions. """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META: request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE'] request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=http.HttpNotImplemented()) self.is_authenticated(request) self.throttle_check(request) # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponseBase): return http.HttpNoContent() return response
def dispatch_public(self, request_type, request, **kwargs): """ Same as `tastypie.resources.Resource.dispatch` except that we don't check if the user is authenticated """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META: request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE'] request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=http.HttpNotImplemented()) self.throttle_check(request) # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponse): return http.HttpNoContent() return response
def is_authorized(self, request, **kwargs): # allow all GET request limited by 'apply_limits' if request.method == 'GET': return True request = convert_post_to_put(request) if not "pk" in kwargs: # post list data = json.loads(request.raw_post_data) if not "team" in data: return HttpBadRequest("team attribute required") # get pk from /api/v1/team/2/ team url string pk = data["team"].split("/")[4] team = Team.objects.get(pk=pk) if request.user in team.admins: # i am team admin? return True else: # put detail team_attr = TeamAttr.objects.get(pk=kwargs["pk"]) if request.user in team_attr.team.admins: # allow team admins return True if request.user == team_attr.user and "is_admin" not in request.raw_post_data: # permit current user to change its own attributes return True log.error("user %s is not authorized" % request.user) return False
def nested_dispatch(self, request_type, request, **kwargs): """ Handles the common operations (allowed HTTP method, authentication, throttling, method lookup) surrounding most CRUD interactions. """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "nested_%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=HttpNotImplemented()) self.is_authenticated(request) self.is_authorized(request) self.throttle_check(request) # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponse): return HttpAccepted() return response
def is_authorized(self, request, **kwargs): # allow all GET request limited by 'apply_limits' if request.method == 'GET': return True request = convert_post_to_put(request) data = dict() if request.raw_post_data: data = json.loads(request.raw_post_data) OTHER_PROJECT_ADMIN = False if "project" in data: # get pk from /api/v1/project/2/ project url string pk = data["project"].split("/")[4] project = Project.objects.get(pk=pk) if request.user in project.team.admins: # team admin for other project? OTHER_PROJECT_ADMIN = True if not "pk" in kwargs: # post list if not "project" in data: return HttpBadRequest("project attribute required") return OTHER_PROJECT_ADMIN else: # put detail sprint = SprintMeeting.objects.get(pk=kwargs["pk"]) if request.user in sprint.project.team.admins: # allow team admins if "project" in data: return OTHER_PROJECT_ADMIN return True log.error("user %s is not authorized" % request.user) return False
def dispatch(self, request_type, request, **kwargs): """ From original Tastypie structure: - lookup the API method - authenticate Other modifications: - use of the "downloadID" cookie """ request_method = request.method.lower() method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=HttpNotImplemented()) # self.is_authenticated(request) convert_post_to_put(request) logger.info('calling method: %s.%s_%s', self._meta.resource_name, request_method, request_type) response = method(request, **kwargs) # # If what comes back isn't a ``HttpResponse``, assume that the # # request was accepted and that some action occurred. This also # # prevents Django from freaking out. if not isinstance(response, HttpResponseBase): return HttpNoContent() # Custom ICCB parameter: set cookie to tell the browser javascript # UI that the download request is finished downloadID = request.GET.get('downloadID', None) if downloadID: logger.info('set cookie "downloadID" %r', downloadID ) response.set_cookie('downloadID', downloadID) else: logger.debug('no downloadID: %s' % request.GET ) return response
def dispatch(self, request_type, request, **kwargs): """ Same as the usual dispatch, but knows if its being called from a nested resource. """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=http.HttpNotImplemented()) self.is_authenticated(request) self.throttle_check(request) nested_name = kwargs.get('nested_name', None) parent_resource = kwargs.get('parent_resource', None) parent_object = kwargs.get('parent_object', None) if nested_name is None: self.is_authorized(request) else: self.is_authorized_nested(request, nested_name, parent_resource, parent_object) # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponse): return http.HttpNoContent() return response
def dispatch(self, request_type, request, **kwargs): """ Handles the common operations (allowed HTTP method, authentication, throttling, method lookup) surrounding most CRUD interactions. """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META: request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE'] request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=http.HttpNotImplemented()) self.is_authenticated(request) self.throttle_check(request) # Set the pk of the request to that of the logged in user if request_type == 'detail': kwargs['pk'] = request.user.id # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponse): return http.HttpNoContent() return response
def dispatch(self, request_type, request, **kwargs): """ Same as the usual dispatch, but knows if its being called from a nested resource. """ allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None) request_method = self.method_check(request, allowed=allowed_methods) method = getattr(self, "%s_%s" % (request_method, request_type), None) if method is None: raise ImmediateHttpResponse(response=http.HttpNotImplemented()) self.is_authenticated(request) self.throttle_check(request) parent_resource = kwargs.get('parent_resource', None) if parent_resource is None: self.is_authorized(request) else: self.is_authorized_nested(request, kwargs['nested_name'], parent_resource, kwargs['parent_object']) # All clear. Process the request. request = convert_post_to_put(request) response = method(request, **kwargs) # Add the throttled request. self.log_throttled_access(request) # If what comes back isn't a ``HttpResponse``, assume that the # request was accepted and that some action occurred. This also # prevents Django from freaking out. if not isinstance(response, HttpResponse): return http.HttpNoContent() return response