def api_search(request, resource_name):
if request.method != 'POST':
return response_403()
# Setup
model = get_resource_model(resource_name)
data = json.loads(request.body)
search_params = data['search_params']
#meta_data = data.get('meta', {})
#full_user = _make_fulluser(request, meta_data)
# Validate search params
# search_params must be a list of [field_name, match_type, value] tuples.
# for example, 'username', 'iexact', 'bobRoss'
for field_name, match_type, value in search_params:
if not permissions.is_allowed_search(model, field_name, match_type):
return response_403()
# Execute search
kwargs = {field_name + '__' + match_type: value
for field_name, match_type, value in search_params}
qs = model.objects.filter(**kwargs)
# Build and return result
fields = permissions.get_model_default_readable_fields(model)
result_data = [object_to_dict(m, fields) for m in qs]
return HttpJsonResponse(json.dumps(result_data, cls=APIEncoder))
def pusher_auth(request):
from common.views import response_403, json_response
from main import permissions
from main import pusher_helpers
channel_name = request.POST['channel_name']
tokens = pusher_helpers.parse_channel_name(channel_name)
if len(tokens) < 3:
return response_403()
channel_type, channel_model, model_id = tokens
socket_id = request.POST['socket_id']
args = None
if channel_model == 'page':
page = get_object_or_404(Page, id=model_id)
if not permissions.request_can_view(request, page):
return response_403()
if channel_type == 'presence':
user_id = get_user_presence_id(request, page)
args = dict(user_id=user_id)
elif channel_model == 'user':
user_id = int(model_id)
user = request.user
if not (user.is_authenticated() and user.id == user_id):
return response_403()
token = pusher_helpers.make_permission(channel_name, socket_id, args)
return json_response(token)
def update(model, full_user, instance, data):
updateable_fields = permissions.get_updateable_fields(model, full_user, instance)
if updateable_fields is None:
return (response_403(), None)
filtered_data = dict_subset(data, updateable_fields)
for f_name, f_val in filtered_data.items():
assert permissions.validate_field(model, f_name, f_val)
setattr(instance, f_name, f_val)
instance.save()
return (HttpResponse(''), instance)
def instance_method(request, resource_name, pk, method_name):
assert request.method == 'POST'
data = json.loads(request.body)
meta_data = data.get('meta', {})
model = get_resource_model(resource_name)
full_user = _make_fulluser(request, meta_data)
instance = get_object_or_404(model, pk=pk)
if not permissions.can_execute_method(model, full_user, instance, method_name):
return response_403()
result = getattr(instance, method_name)()
return HttpJsonResponse(json.dumps(result, cls=APIEncoder))
def create(model, full_user, data):
createable_fields = permissions.get_createable_fields(model, full_user, data)
if createable_fields is None:
return (response_403(), None)
filtered_data = dict_subset(data, createable_fields)
m = model(**filtered_data)
permissions.final_data_validation(model, m)
try:
permissions.add_custom_create_data(model, full_user, data, m)
except APIException as e:
response = HttpJsonResponse(serialize_object(e, ('errors', 'message')), status=500)
return (response, None)
m.save()
# Send back `id` so client knows it
fields = permissions.post_create_response_fields(model)
response = HttpJsonResponse(serialize_object(m, fields))
return (response, m)
def delete(model, full_user, instance):
if not permissions.can_delete(model, full_user, instance):
return (response_403(), None)
instance.delete()
return (HttpResponse(''), instance)
def read(model, full_user, instance):
fields = permissions.get_readable_fields(model, full_user, instance)
if fields is None:
return (response_403(), None)
return (HttpJsonResponse(serialize_object(instance, fields)), None)
