def setUp(self): self.get_permission = Mock self.patch_permission = Mock self.post_permission = Mock self.put_permission = Mock self.permission = ByHttpMethod({ 'get': self.get_permission, }) self.set_permission_mock('get', True)
def setUp(self): self.get_permission = Mock self.patch_permission = Mock self.post_permission = Mock self.put_permission = Mock self.permission = ByHttpMethod({"get": self.get_permission}) self.set_permission_mock("get", True)
class InAppProductViewSet(CORSMixin, MarketplaceView, ModelViewSet): serializer_class = InAppProductSerializer cors_allowed_methods = ('get', 'post', 'put', 'delete') permission_classes = [ ByHttpMethod({ 'options': AllowAny, # Needed for CORS. 'get': AllowAuthor, 'post': AllowAuthor, 'put': AllowAuthor, }) ] authentication_classes = [ RestOAuthAuthentication, RestSharedSecretAuthentication, RestAnonymousAuthentication ] def destroy(self): raise NotImplemented('destroy is not allowed') def pre_save(self, in_app_product): in_app_product.webapp = self.get_app() def get_queryset(self): return InAppProduct.objects.filter(webapp=self.get_app()) def get_app(self): if not hasattr(self, 'app'): app_slug = self.kwargs['app_slug'] self.app = get_object_or_404(Webapp, app_slug=app_slug) return self.app def get_authors(self): return self.get_app().authors.all()
class AppEscalate(_AppAction, CreateAPIView, DestroyAPIView): permission_classes = [ByHttpMethod({ 'options': AllowAny, 'post': GroupPermission('Apps', 'Review'), 'delete': GroupPermission('Apps', 'Edit'), })] verb = "escalate" def delete(self, request, pk, *a, **kw): app = self.get_object() handler = ReviewApp(request, app, app.latest_version, ()) handler.set_data(request.QUERY_PARAMS) handler.process_clear_escalation() return Response()
class TestByHttpMethodPermission(TestCase): def setUp(self): self.get_permission = Mock self.patch_permission = Mock self.post_permission = Mock self.put_permission = Mock self.permission = ByHttpMethod({ 'get': self.get_permission, }) self.set_permission_mock('get', True) def set_permission_mock(self, method, value): mock = self.permission.method_permissions[method] mock.has_permission.return_value = value def set_object_permission_mock(self, method, value): mock = self.permission.method_permissions[method] mock.has_object_permission.return_value = value def test_get(self): self.request = RequestFactory().get('/') eq_(self.permission.has_permission(self.request, 'myview'), True) self.set_permission_mock('get', False) eq_(self.permission.has_permission(self.request, 'myview'), False) def test_get_obj(self): obj = Mock() self.request = RequestFactory().get('/') self.set_object_permission_mock('get', True) eq_(self.permission.has_object_permission(self.request, 'myview', obj), True) self.set_object_permission_mock('get', False) eq_(self.permission.has_object_permission(self.request, 'myview', obj), False) def test_missing_method(self): self.request = RequestFactory().post('/') eq_(self.permission.has_permission(self.request, 'myview'), False) obj = Mock() self.request = RequestFactory().post('/') eq_(self.permission.has_object_permission(self.request, 'myview', obj), False) self.request = RequestFactory().options('/') eq_(self.permission.has_permission(self.request, 'myview'), False)
class InAppProductViewSet(CORSMixin, MarketplaceView, ModelViewSet): serializer_class = InAppProductSerializer cors_allowed_methods = ('get', 'post', 'put', 'patch', 'delete') cors_allowed_headers = ('content-type', 'accept', 'x-fxpay-version') lookup_field = 'guid' permission_classes = [ ByHttpMethod({ 'options': AllowAny, # Needed for CORS. 'get': AllowAny, 'post': AllowAuthor, 'put': AllowAuthor, 'patch': AllowAuthor, }) ] authentication_classes = [ RestOAuthAuthentication, RestSharedSecretAuthentication, RestAnonymousAuthentication ] filter_backends = (MktFilterBackend, ) filter_fields = filter_munge = ('active', ) def destroy(self): raise NotImplemented('destroy is not allowed') def pre_save(self, in_app_product): in_app_product.webapp = self.get_app() def get_queryset(self): return InAppProduct.objects.filter(webapp=self.get_app()) def get_app(self): origin = self.kwargs['origin'] if not hasattr(self, 'app'): if origin.startswith('marketplace:'): lookup = dict(guid=origin.replace('marketplace:', '', 1)) else: lookup = dict(app_domain=origin) self.app = get_object_or_404(Webapp, **lookup) return self.app def get_authors(self): return self.get_app().authors.all()
class RatingViewSet(CORSMixin, MarketplaceView, ModelViewSet): # Unfortunately, the model class name for ratings is "Review". queryset = Review.objects.valid() cors_allowed_methods = ('get', 'post', 'put', 'delete') permission_classes = [ ByHttpMethod({ 'options': AllowAny, # Needed for CORS. 'get': AllowAny, 'post': IsAuthenticated, 'put': AnyOf(AllowOwner, GroupPermission('Addons', 'Edit')), 'delete': AnyOf(AllowOwner, AllowRelatedAppOwner, GroupPermission('Users', 'Edit'), GroupPermission('Addons', 'Edit')), }) ] authentication_classes = [ RestOAuthAuthentication, RestSharedSecretAuthentication, RestAnonymousAuthentication ] serializer_class = RatingSerializer paginator_class = RatingPaginator # FIXME: Add throttling ? Original tastypie version didn't have it... def get_queryset(self): qs = super(RatingViewSet, self).get_queryset() # Mature regions show only reviews from within that region. # FIXME: what is client_data, how is it filled ? There was no tests # for this. if not self.request.REGION.adolescent: qs = qs.filter(client_data__region=self.request.REGION.id) return qs def filter_queryset(self, queryset): """ Custom filter method allowing us to filter on app slug/pk and user pk (or the special user value "mine"). A full FilterSet is overkill here. """ filters = {} app = self.request.GET.get('app') user = self.request.GET.get('user') if app: self.app = self.get_app(app) filters['addon'] = self.app if user: filters['user'] = self.get_user(user) if filters: queryset = queryset.filter(**filters) return queryset def get_user(self, ident): pk = ident if pk == 'mine': user = amo.get_user() if not user: # You must be logged in to use "mine". raise NotAuthenticated() pk = user.pk return pk def get_app(self, ident): try: app = Webapp.objects.by_identifier(ident) except Webapp.DoesNotExist: raise Http404 current_region = get_region() if ((not app.is_public() or not app.listed_in(region=current_region)) and not check_addon_ownership(self.request, app)): # App owners and admin can see the app even if it's not public # or not available in the current region. Regular users or # anonymous users can't. raise PermissionDenied('The app requested is not public or not ' 'available in region "%s".' % current_region.slug) return app def list(self, request, *args, **kwargs): response = super(RatingViewSet, self).list(request, *args, **kwargs) app = getattr(self, 'app', None) if app: user, info = self.get_extra_data(app, request.amo_user) response.data['user'] = user response.data['info'] = info return response def destroy(self, request, *args, **kwargs): obj = self.get_object() amo.log(amo.LOG.DELETE_REVIEW, obj.addon, obj) log.debug('[Review:%s] Deleted by %s' % (obj.pk, self.request.amo_user.id)) return super(RatingViewSet, self).destroy(request, *args, **kwargs) def post_save(self, obj, created=False): app = obj.addon if created: amo.log(amo.LOG.ADD_REVIEW, app, obj) log.debug('[Review:%s] Created by user %s ' % (obj.pk, self.request.amo_user.id)) record_action('new-review', self.request, {'app-id': app.id}) else: amo.log(amo.LOG.EDIT_REVIEW, app, obj) log.debug('[Review:%s] Edited by %s' % (obj.pk, self.request.amo_user.id)) def partial_update(self, *args, **kwargs): # We don't need/want PATCH for now. raise MethodNotAllowed('PATCH is not supported for this endpoint.') def get_extra_data(self, app, amo_user): extra_user = None if amo_user and not amo_user.is_anonymous(): if app.is_premium(): # If the app is premium, you need to purchase it to rate it. can_rate = app.has_purchased(amo_user) else: # If the app is free, you can not be one of the authors. can_rate = not app.has_author(amo_user) filters = {'addon': app, 'user': amo_user} if app.is_packaged: filters['version'] = app.current_version extra_user = { 'can_rate': can_rate, 'has_rated': Review.objects.valid().filter(**filters).exists() } extra_info = { 'average': app.average_rating, 'slug': app.app_slug, 'current_version': getattr(app.current_version, 'version', None) } return extra_user, extra_info @action(methods=['POST'], permission_classes=[AllowAny]) def flag(self, request, pk=None): self.kwargs[self.lookup_field] = pk self.get_object() # Will check that the Review instance is valid. request._request.CORS = RatingFlagViewSet.cors_allowed_methods view = RatingFlagViewSet.as_view({'post': 'create'}) return view(request, *self.args, **{'review': pk})
class RatingViewSet(CORSMixin, MarketplaceView, ModelViewSet): # Unfortunately, the model class name for ratings is "Review". # We prefetch 'version' because it's often going to be similar, and select # related 'user' to avoid extra queries. queryset = (Review.objects.valid() .prefetch_related('version') .select_related('user')) cors_allowed_methods = ('get', 'post', 'put', 'delete') permission_classes = [ByHttpMethod({ 'options': AllowAny, # Needed for CORS. 'get': AllowAny, 'head': AllowAny, 'post': IsAuthenticated, 'put': AnyOf(AllowOwner, GroupPermission('Apps', 'Edit')), 'delete': AnyOf(AllowOwner, AllowRelatedAppOwner, GroupPermission('Users', 'Edit'), GroupPermission('Apps', 'Edit')), })] authentication_classes = [RestOAuthAuthentication, RestSharedSecretAuthentication, RestAnonymousAuthentication] serializer_class = RatingSerializer def paginator_class(self, *args, **kwargs): paginator = super(RatingViewSet, self).paginator_class(*args, **kwargs) if hasattr(self, 'app'): # If an app is passed, we want the paginator count to match the # number of reviews on the app, without doing an extra query. paginator._count = self.app.total_reviews return paginator # FIXME: Add throttling ? Original tastypie version didn't have it... def filter_queryset(self, queryset): """ Custom filter method allowing us to filter on app slug/pk and user pk (or the special user value "mine"). A full FilterSet is overkill here. """ filters = Q() app = self.request.GET.get('app') user = self.request.GET.get('user') lang = self.request.GET.get('lang') match_lang = self.request.GET.get('match_lang') if app: self.app = self.get_app(app) filters &= Q(addon=self.app) if user: filters &= Q(user=self.get_user(user)) elif lang and match_lang == '1': filters &= Q(lang=lang) if filters: queryset = queryset.filter(filters) return queryset def get_user(self, ident): pk = ident if pk == 'mine': user = mkt.get_user() if not user or not user.is_authenticated(): # You must be logged in to use "mine". raise NotAuthenticated() pk = user.pk return pk def get_app(self, ident): try: app = Webapp.objects.by_identifier(ident) except Webapp.DoesNotExist: raise Http404 current_region = get_region() if ((not app.is_public() or not app.listed_in(region=current_region)) and not check_addon_ownership(self.request, app)): # App owners and admin can see the app even if it's not public # or not available in the current region. Regular users or # anonymous users can't. raise PermissionDenied( 'The app requested is not public or not available in region ' '"%s".' % current_region.slug) return app def list(self, request, *args, **kwargs): response = super(RatingViewSet, self).list(request, *args, **kwargs) app = getattr(self, 'app', None) if app: user, info = self.get_extra_data(app, request.user) response.data['user'] = user response.data['info'] = info return response def destroy(self, request, *args, **kwargs): obj = self.get_object() mkt.log(mkt.LOG.DELETE_REVIEW, obj.addon, obj, details=dict(title=unicode(obj.title), body=unicode(obj.body), addon_id=obj.addon.id, addon_title=unicode(obj.addon.name))) log.debug('[Review:%s] Deleted by %s' % (obj.pk, self.request.user.id)) return super(RatingViewSet, self).destroy(request, *args, **kwargs) def post_save(self, obj, created=False): app = obj.addon if created: mkt.log(mkt.LOG.ADD_REVIEW, app, obj) log.debug('[Review:%s] Created by user %s ' % (obj.pk, self.request.user.id)) record_action('new-review', self.request, {'app-id': app.id}) else: mkt.log(mkt.LOG.EDIT_REVIEW, app, obj) log.debug('[Review:%s] Edited by %s' % (obj.pk, self.request.user.id)) def partial_update(self, *args, **kwargs): # We don't need/want PATCH for now. raise MethodNotAllowed('PATCH is not supported for this endpoint.') def get_extra_data(self, app, user): extra_user = None if user.is_authenticated(): if app.is_premium(): # If the app is premium, you need to purchase it to rate it. can_rate = app.has_purchased(user) else: # If the app is free, you can not be one of the authors. can_rate = not app.has_author(user) filters = { 'addon': app, 'user': user } if app.is_packaged: filters['version'] = app.current_version extra_user = { 'can_rate': can_rate, 'has_rated': Review.objects.valid().filter(**filters).exists() } extra_info = { 'average': app.average_rating, 'slug': app.app_slug, 'total_reviews': app.total_reviews, 'current_version': getattr(app.current_version, 'version', None) } return extra_user, extra_info @action(methods=['POST'], permission_classes=[AllowAny]) def flag(self, request, pk=None): self.kwargs[self.lookup_field] = pk self.get_object() # Will check that the Review instance is valid. request._request.CORS = RatingFlagViewSet.cors_allowed_methods view = RatingFlagViewSet.as_view({'post': 'create'}) return view(request, *self.args, **{'review': pk})