def api_search(request, resource_name): if request.method != 'POST': return response_403() # Setup model = get_resource_model(resource_name) data = json.loads(request.body) search_params = data['search_params'] #meta_data = data.get('meta', {}) #full_user = _make_fulluser(request, meta_data) # Validate search params # search_params must be a list of [field_name, match_type, value] tuples. # for example, 'username', 'iexact', 'bobRoss' for field_name, match_type, value in search_params: if not permissions.is_allowed_search(model, field_name, match_type): return response_403() # Execute search kwargs = {field_name + '__' + match_type: value for field_name, match_type, value in search_params} qs = model.objects.filter(**kwargs) # Build and return result fields = permissions.get_model_default_readable_fields(model) result_data = [object_to_dict(m, fields) for m in qs] return HttpJsonResponse(json.dumps(result_data, cls=APIEncoder))
def pusher_auth(request): from common.views import response_403, json_response from main import permissions from main import pusher_helpers channel_name = request.POST['channel_name'] tokens = pusher_helpers.parse_channel_name(channel_name) if len(tokens) < 3: return response_403() channel_type, channel_model, model_id = tokens socket_id = request.POST['socket_id'] args = None if channel_model == 'page': page = get_object_or_404(Page, id=model_id) if not permissions.request_can_view(request, page): return response_403() if channel_type == 'presence': user_id = get_user_presence_id(request, page) args = dict(user_id=user_id) elif channel_model == 'user': user_id = int(model_id) user = request.user if not (user.is_authenticated() and user.id == user_id): return response_403() token = pusher_helpers.make_permission(channel_name, socket_id, args) return json_response(token)
def update(model, full_user, instance, data): updateable_fields = permissions.get_updateable_fields(model, full_user, instance) if updateable_fields is None: return (response_403(), None) filtered_data = dict_subset(data, updateable_fields) for f_name, f_val in filtered_data.items(): assert permissions.validate_field(model, f_name, f_val) setattr(instance, f_name, f_val) instance.save() return (HttpResponse(''), instance)
def instance_method(request, resource_name, pk, method_name): assert request.method == 'POST' data = json.loads(request.body) meta_data = data.get('meta', {}) model = get_resource_model(resource_name) full_user = _make_fulluser(request, meta_data) instance = get_object_or_404(model, pk=pk) if not permissions.can_execute_method(model, full_user, instance, method_name): return response_403() result = getattr(instance, method_name)() return HttpJsonResponse(json.dumps(result, cls=APIEncoder))
def create(model, full_user, data): createable_fields = permissions.get_createable_fields(model, full_user, data) if createable_fields is None: return (response_403(), None) filtered_data = dict_subset(data, createable_fields) m = model(**filtered_data) permissions.final_data_validation(model, m) try: permissions.add_custom_create_data(model, full_user, data, m) except APIException as e: response = HttpJsonResponse(serialize_object(e, ('errors', 'message')), status=500) return (response, None) m.save() # Send back `id` so client knows it fields = permissions.post_create_response_fields(model) response = HttpJsonResponse(serialize_object(m, fields)) return (response, m)
def delete(model, full_user, instance): if not permissions.can_delete(model, full_user, instance): return (response_403(), None) instance.delete() return (HttpResponse(''), instance)
def read(model, full_user, instance): fields = permissions.get_readable_fields(model, full_user, instance) if fields is None: return (response_403(), None) return (HttpJsonResponse(serialize_object(instance, fields)), None)