def get_and_check_ownership(self, request, allow_anon=False, **kwargs):
try:
# Use queryset, not get_object_list to ensure a distinction
# between a 404 and a 403.
obj = self._meta.queryset.get(**kwargs)
except self._meta.object_class.DoesNotExist:
unavail = self._meta.queryset_base.filter(**kwargs)
if unavail.exists():
obj = unavail[0]
# Owners can see their app no matter what region.
if AppOwnerAuthorization().is_authorized(request, object=obj):
return obj
data = {}
for key in ('name', 'support_email', 'support_url'):
value = getattr(obj, key)
data[key] = unicode(value) if value else ''
raise http_error(HttpLegallyUnavailable,
'Not available in your region.',
extra_data=data)
raise http_error(http.HttpNotFound,
'No such app.')
# If it's public, just return it.
if allow_anon and obj.is_public():
return obj
# Now do the final check to see if you are allowed to see it and
# return a 403 if you can't.
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You do not own that app.')
return obj
def obj_create(self, bundle, request=None, **kwargs):
"""
Handle POST requests to the resource. If the data validates, create a
new Review from bundle data.
"""
form = ReviewForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
app = self.get_app(bundle.data["app"])
# Return 409 if the user has already reviewed this app.
qs = self._meta.queryset.filter(addon=app, user=request.user)
if app.is_packaged:
qs = qs.filter(version_id=bundle.data.get("version", app.current_version.id))
if qs.exists():
raise http_error(http.HttpConflict, "You have already reviewed this app.")
# Return 403 if the user is attempting to review their own app:
if app.has_author(request.user):
raise http_error(http.HttpForbidden, "You may not review your own app.")
# Return 403 if not a free app and the user hasn't purchased it.
if app.is_premium() and not app.is_purchased(request.amo_user):
raise http_error(http.HttpForbidden, "You may not review paid apps you haven't purchased.")
bundle.obj = Review.objects.create(**self._review_data(request, app, form))
amo.log(amo.LOG.ADD_REVIEW, app, bundle.obj)
log.debug("[Review:%s] Created by user %s " % (bundle.obj.id, request.user.id))
record_action("new-review", request, {"app-id": app.id})
return bundle
def handle(self, bundle, request, **kwargs):
form = ReceiptForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
bundle.obj = form.cleaned_data["app"]
type_ = install_type(request, bundle.obj)
if type_ == apps.INSTALL_TYPE_DEVELOPER:
return self.record(bundle, request, apps.INSTALL_TYPE_DEVELOPER)
# The app must be public and if its a premium app, you
# must have purchased it.
if not bundle.obj.is_public():
log.info("App not public: %s" % bundle.obj.pk)
raise http_error(http.HttpForbidden, "App not public.")
if bundle.obj.is_premium() and not bundle.obj.has_purchased(request.amo_user):
# Apps that are premium but have no charge will get an
# automatic purchase record created. This will ensure that
# the receipt will work into the future if the price changes.
if bundle.obj.premium and not bundle.obj.premium.price.price:
log.info("Create purchase record: {0}".format(bundle.obj.pk))
AddonPurchase.objects.get_or_create(addon=bundle.obj, user=request.amo_user, type=CONTRIB_NO_CHARGE)
else:
log.info("App not purchased: %s" % bundle.obj.pk)
raise http_error(HttpPaymentRequired, "You have not purchased this app.")
return self.record(bundle, request, type_)
def get_and_check_ownership(self, request, allow_anon=False, **kwargs):
try:
# Use queryset, not get_object_list to ensure a distinction
# between a 404 and a 403.
obj = self._meta.queryset.get(**kwargs)
except self._meta.object_class.DoesNotExist:
unavail = self._meta.queryset_base.filter(**kwargs)
if unavail.exists():
obj = unavail[0]
# Owners can see their app no matter what region.
if AppOwnerAuthorization().is_authorized(request, object=obj):
return obj
raise http_error(HttpLegallyUnavailable,
'Not available in your region.')
raise http_error(http.HttpNotFound,
'No such app.')
# If it's public, just return it.
if allow_anon and obj.is_public():
return obj
# Now do the final check to see if you are allowed to see it and
# return a 403 if you can't.
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You do not own that app.')
return obj
def obj_create(self, bundle, request, **kwargs):
form = UploadForm(bundle.data)
if not request.amo_user.read_dev_agreement:
log.info(u'Attempt to use API without dev agreement: %s'
% request.amo_user.pk)
raise http_error(http.HttpUnauthorized,
'Terms of service not accepted.')
if not form.is_valid():
raise self.form_errors(form)
if not (OwnerAuthorization()
.is_authorized(request, object=form.obj)):
raise http_error(http.HttpForbidden,
'You do not own that app.')
plats = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
# Create app, user and fetch the icon.
bundle.obj = Addon.from_upload(form.obj, plats,
is_packaged=form.is_packaged)
AddonUser(addon=bundle.obj, user=request.amo_user).save()
self._icons_and_images(bundle.obj)
record_action('app-submitted', request, {'app-id': bundle.obj.pk})
log.info('App created: %s' % bundle.obj.pk)
return bundle
def obj_create(self, bundle, request, **kwargs):
form = UploadForm(bundle.data)
if not request.amo_user.read_dev_agreement:
log.info(u'Attempt to use API without dev agreement: %s'
% request.amo_user.pk)
raise http_error(http.HttpUnauthorized,
'Terms of service not accepted.')
if not form.is_valid():
raise self.form_errors(form)
if not (OwnerAuthorization()
.is_authorized(request, object=form.obj)):
raise http_error(http.HttpForbidden,
'You do not own that app.')
plats = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
# Create app, user and fetch the icon.
bundle.obj = Addon.from_upload(form.obj, plats,
is_packaged=form.is_packaged)
AddonUser(addon=bundle.obj, user=request.amo_user).save()
self._icons_and_images(bundle.obj)
record_action('app-submitted', request, {'app-id': bundle.obj.pk})
log.info('App created: %s' % bundle.obj.pk)
return bundle
def build_filters(self, filters=None):
"""
If `addon__exact` is a filter and its value cannot be coerced into an
int, assume that it's a slug lookup.
Run the query necessary to determine the app, and substitute the slug
with the PK in the filter so tastypie will continue doing its thing.
"""
built = super(RatingResource, self).build_filters(filters)
if 'addon__exact' in built:
try:
int(built['addon__exact'])
except ValueError:
app = self.get_app(built['addon__exact'])
if app:
built['addon__exact'] = str(app.pk)
if built.get('user__exact', None) == 'mine':
# This is a cheat. Would prefer /mine/ in the URL.
user = get_user()
if not user:
# You must be logged in to use "mine".
raise http_error(http.HttpUnauthorized,
'You must be logged in to access "mine".')
built['user__exact'] = user.pk
return built
def get_object_list(self, request):
if not request.amo_user:
log.info('Anonymous listing not allowed')
raise http_error(http.HttpForbidden,
'Anonymous listing not allowed.')
return self._meta.queryset.filter(type=amo.ADDON_WEBAPP,
authors=request.amo_user)
def obj_create(self, bundle, request, **kwargs):
with statsd.timer("auth.browserid.verify"):
profile, msg = browserid_authenticate(
request,
bundle.data["assertion"],
browserid_audience=bundle.data["audience"],
is_native=bundle.data.get("is_native", False),
)
if profile is None:
log.info("No profile")
raise http_error(http.HttpUnauthorized, "No profile.")
request.user, request.amo_user = profile.user, profile
request.groups = profile.groups.all()
# TODO: move this to the signal.
profile.log_login_attempt(True)
user_logged_in.send(sender=profile.user.__class__, request=request, user=profile.user)
bundle.data = {
"error": None,
"token": self.get_token(request.user.email),
"settings": {"display_name": request.amo_user.display_name, "email": request.user.email},
}
bundle.data.update(PermissionResource().dehydrate(Bundle(request=request)).data)
return bundle
def obj_create(self, bundle, request, **kwargs):
# Ensure that people don't pass strings through.
args = PreviewArgsForm(request.GET)
if not args.is_valid():
raise self.form_errors(args)
addon = self.get_object_or_404(Addon,
pk=args.cleaned_data['app'],
type=amo.ADDON_WEBAPP)
if not AppOwnerAuthorization().is_authorized(request, object=addon):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
data_form = PreviewJSONForm(bundle.data)
if not data_form.is_valid():
raise self.form_errors(data_form)
form = PreviewForm(data_form.cleaned_data)
if not form.is_valid():
raise self.form_errors(form)
form.save(addon)
bundle.obj = form.instance
log.info('Preview created: %s' % bundle.obj.pk)
return bundle
def build_filters(self, filters=None):
"""
If `addon__exact` is a filter and its value cannot be coerced into an
int, assume that it's a slug lookup.
Run the query necessary to determine the app, and substitute the slug
with the PK in the filter so tastypie will continue doing its thing.
"""
built = super(RatingResource, self).build_filters(filters)
if 'addon__exact' in built:
try:
int(built['addon__exact'])
except ValueError:
app = self.get_app(built['addon__exact'])
if app:
built['addon__exact'] = str(app.pk)
if built.get('user__exact', None) == 'mine':
# This is a cheat. Would prefer /mine/ in the URL.
user = get_user()
if not user:
# You must be logged in to use "mine".
raise http_error(http.HttpUnauthorized, 'You must be logged in to access "mine".')
built['user__exact'] = user.pk
return built
def get_object_list(self, request):
if not request.amo_user:
log.info('Anonymous listing not allowed')
raise http_error(http.HttpForbidden,
'Anonymous listing not allowed.')
return self._meta.queryset.filter(type=amo.ADDON_WEBAPP,
authors=request.amo_user)
def obj_update(self, bundle, request, **kwargs):
"""
Handle PUT requests to the resource. If authorized and the data
validates, update the indicated resource with bundle data.
"""
obj = self.get_by_resource_or_404(request, **kwargs)
if not OwnerAuthorization().is_authorized(request, object=obj):
raise http_error(
http.HttpForbidden,
'You do not have permission to update this review.')
form = ReviewForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
if 'app' in bundle.data:
error = ('app', "Cannot update a rating's `app`")
raise self.non_form_errors([error])
sup = super(RatingResource, self).obj_update(bundle, request, **kwargs)
amo.log(amo.LOG.EDIT_REVIEW, bundle.obj.addon, bundle.obj)
log.debug('[Review:%s] Edited by %s' % (bundle.obj.id, request.user.id))
return sup
def obj_create(self, bundle, request, **kwargs):
# Ensure that people don't pass strings through.
args = PreviewArgsForm(request.GET)
if not args.is_valid():
raise self.form_errors(args)
addon = self.get_object_or_404(Addon,
pk=args.cleaned_data['app'],
type=amo.ADDON_WEBAPP)
if not AppOwnerAuthorization().is_authorized(request, object=addon):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
data_form = PreviewJSONForm(bundle.data)
if not data_form.is_valid():
raise self.form_errors(data_form)
form = PreviewForm(data_form.cleaned_data)
if not form.is_valid():
raise self.form_errors(form)
form.save(addon)
bundle.obj = form.instance
log.info('Preview created: %s' % bundle.obj.pk)
return bundle
def dispatch(self, request_type, request, **kwargs):
if not waffle.switch_is_active('stats-api'):
raise http_error(http.HttpNotImplemented,
'Stats not enabled for this host.')
return super(GlobalStatsResource, self).dispatch(request_type, request,
**kwargs)
def obj_create(self, bundle, request, **kwargs):
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request,
bundle.data['assertion'],
browserid_audience=bundle.data['audience'],
is_native=bundle.data.get('is_native', False))
if profile is None:
log.info('No profile')
raise http_error(http.HttpUnauthorized, 'No profile.')
request.user, request.amo_user = profile.user, profile
request.groups = profile.groups.all()
# TODO: move this to the signal.
profile.log_login_attempt(True)
user_logged_in.send(sender=profile.user.__class__,
request=request,
user=profile.user)
bundle.data = {
'error': None,
'token': self.get_token(request.user.email),
'settings': {
'display_name': request.amo_user.display_name,
'email': request.user.email,
}
}
bundle.data.update(PermissionResource().dehydrate(
Bundle(request=request)).data)
return bundle
def obj_create(self, bundle, request, **kwargs):
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request, bundle.data['assertion'],
browserid_audience=bundle.data['audience'],
is_native=bundle.data.get('is_native', False)
)
if profile is None:
log.info('No profile: %s' % (msg or ''))
raise http_error(http.HttpUnauthorized,
'No profile.')
request.user, request.amo_user = profile.user, profile
request.groups = profile.groups.all()
# TODO: move this to the signal.
profile.log_login_attempt(True)
user_logged_in.send(sender=profile.user.__class__, request=request,
user=profile.user)
bundle.data = {
'error': None,
'token': self.get_token(request.amo_user.email),
'settings': {
'display_name': request.amo_user.display_name,
'email': request.amo_user.email,
}
}
bundle.data.update(PermissionResource()
.dehydrate(Bundle(request=request)).data)
return bundle
def obj_get(self, request=None, **kwargs):
obj = super(StatusResource, self).obj_get(request=request, **kwargs)
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
log.info('App status retreived: %s' % obj.pk)
return obj
def obj_get(self, request=None, **kwargs):
obj = super(StatusResource, self).obj_get(request=request, **kwargs)
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
log.info('App status retreived: %s' % obj.pk)
return obj
def obj_delete(self, request, **kwargs):
obj = self.get_by_resource_or_404(request, **kwargs)
if not AppOwnerAuthorization().is_authorized(request,
object=obj.addon):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
log.info('Preview deleted: %s' % obj.pk)
return super(PreviewResource, self).obj_delete(request, **kwargs)
def obj_update(self, bundle, request, **kwargs):
try:
obj = self.get_object_list(bundle.request).get(**kwargs)
except Addon.DoesNotExist:
raise http_error(http.HttpNotFound, 'No such addon.')
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
form = StatusForm(bundle.data, instance=obj)
if not form.is_valid():
raise self.form_errors(form)
form.save()
log.info('App status updated: %s' % obj.pk)
bundle.obj = obj
return bundle
def obj_delete(self, request, **kwargs):
obj = self.get_by_resource_or_404(request, **kwargs)
if not AppOwnerAuthorization().is_authorized(request,
object=obj.addon):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
log.info('Preview deleted: %s' % obj.pk)
return super(PreviewResource, self).obj_delete(request, **kwargs)
def obj_get(self, request=None, **kwargs):
if kwargs.get("pk") == "mine":
kwargs["pk"] = request.amo_user.pk
# TODO: put in acl checks for admins to get other users information.
obj = super(Mine, self).obj_get(request=request, **kwargs)
if not OwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden, "You do not have access to that account.")
return obj
def obj_update(self, bundle, request, **kwargs):
try:
obj = self.get_object_list(bundle.request).get(**kwargs)
except Addon.DoesNotExist:
raise http_error(http.HttpNotFound, 'No such addon.')
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
form = StatusForm(bundle.data, instance=obj)
if not form.is_valid():
raise self.form_errors(form)
form.save()
log.info('App status updated: %s' % obj.pk)
bundle.obj = obj
return bundle
def obj_get(self, request=None, **kwargs):
if kwargs.get('pk') == 'mine':
kwargs['pk'] = request.amo_user.pk
# TODO: put in acl checks for admins to get other users information.
obj = super(Mine, self).obj_get(request=request, **kwargs)
if not OwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You do not have access to that account.')
return obj
def obj_get(self, request, **kw):
if kw['pk'] != 'site':
raise http_error(http.HttpNotFound, 'No such configuration.')
return GenericObject({
# This is the git commit on IT servers.
'version': getattr(settings, 'BUILD_ID_JS', ''),
'flags': waffles(request),
'settings': get_settings(),
})
def obj_get(self, request, **kw):
if kw['pk'] != 'site':
raise http_error(http.HttpNotFound,
'No such configuration.')
return GenericObject({
# This is the git commit on IT servers.
'version': getattr(settings, 'BUILD_ID_JS', ''),
'flags': waffles(request),
'settings': get_settings(),
})
def obj_get(self, request=None, **kwargs):
# Until the perms branch lands, this is the only way to lock
# permissions down on gets, since the object doesn't actually
# get passed through to OwnerAuthorization.
try:
obj = FileUpload.objects.get(pk=kwargs['pk'])
except FileUpload.DoesNotExist:
raise http_error(http.HttpNotFound, 'No upload with that ID.')
log.info('Validation retreived: %s' % obj.pk)
return obj
def obj_get(self, request=None, **kwargs):
# Until the perms branch lands, this is the only way to lock
# permissions down on gets, since the object doesn't actually
# get passed through to OwnerAuthorization.
try:
obj = FileUpload.objects.get(pk=kwargs['pk'])
except FileUpload.DoesNotExist:
raise http_error(http.HttpNotFound, 'No upload with that ID.')
log.info('Validation retreived: %s' % obj.pk)
return obj
def obj_create(self, bundle, request=None, **kwargs):
"""
Handle POST requests to the resource. If the data validates, create a
new Review from bundle data.
"""
form = ReviewForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
app = self.get_app(bundle.data['app'])
# Return 409 if the user has already reviewed this app.
qs = self._meta.queryset.filter(addon=app, user=request.user)
if app.is_packaged:
qs = qs.filter(
version_id=bundle.data.get('version', app.current_version.id))
if qs.exists():
raise http_error(http.HttpConflict,
'You have already reviewed this app.')
# Return 403 if the user is attempting to review their own app:
if app.has_author(request.user):
raise http_error(http.HttpForbidden,
'You may not review your own app.')
# Return 403 if not a free app and the user hasn't purchased it.
if app.is_premium() and not app.is_purchased(request.amo_user):
raise http_error(
http.HttpForbidden,
"You may not review paid apps you haven't purchased.")
bundle.obj = Review.objects.create(
**self._review_data(request, app, form))
amo.log(amo.LOG.ADD_REVIEW, app, bundle.obj)
log.debug('[Review:%s] Created by user %s ' %
(bundle.obj.id, request.user.id))
record_action('new-review', request, {'app-id': app.id})
return bundle
def obj_delete(self, request, **kwargs):
obj = self.get_by_resource_or_404(request, **kwargs)
if not (
AppOwnerAuthorization().is_authorized(request, object=obj.addon)
or OwnerAuthorization().is_authorized(request, object=obj)
or PermissionAuthorization("Users", "Edit").is_authorized(request)
or PermissionAuthorization("Addons", "Edit").is_authorized(request)
):
raise http_error(http.HttpForbidden, "You do not have permission to delete this review.")
log.info("Rating %s deleted from addon %s" % (obj.pk, obj.addon.pk))
return super(RatingResource, self).obj_delete(request, **kwargs)
def obj_get(self, request, **kw):
if kw["pk"] != "site":
raise http_error(http.HttpNotFound, "No such configuration.")
return GenericObject(
{
# This is the git commit on IT servers.
"version": getattr(settings, "BUILD_ID_JS", ""),
"flags": waffles(request),
"settings": get_settings(),
}
)
def post_list(self, request, **kwargs):
data = self.deserialize(request, request.raw_post_data,
format='application/json')
email = data['email']
try:
validate_email(email)
except ValidationError:
raise http_error(http.HttpBadRequest, 'Invalid email address')
basket.subscribe(data['email'], 'marketplace',
format='H', country=request.REGION.slug,
lang=request.LANG, optin='Y',
trigger_welcome='Y')
def post_list(self, request, **kwargs):
data = self.deserialize(request, request.raw_post_data,
format='application/json')
email = data['email']
try:
validate_email(email)
except ValidationError:
raise http_error(http.HttpBadRequest, 'Invalid email address')
basket.subscribe(data['email'], 'marketplace',
format='H', country=request.REGION.slug,
lang=request.LANG, optin='Y',
trigger_welcome='Y')
def obj_create(self, bundle, request, **kwargs):
region = getattr(request, 'REGION', None)
if region and region.id not in settings.PURCHASE_ENABLED_REGIONS:
log.info('Region {0} is not in {1}'.format(
region.id, settings.PURCHASE_ENABLED_REGIONS))
if not waffle.flag_is_active(request, 'allow-paid-app-search'):
log.info('Flag not active')
raise http_error(http.HttpForbidden,
'Not allowed to purchase for this flag')
bundle.obj = GenericObject(_prepare_pay(request, bundle.data['app']))
return bundle
def obj_create(self, bundle, request, **kwargs):
region = getattr(request, 'REGION', None)
if region and region.id not in settings.PURCHASE_ENABLED_REGIONS:
log.info('Region {0} is not in {1}'
.format(region.id, settings.PURCHASE_ENABLED_REGIONS))
if not waffle.flag_is_active(request, 'allow-paid-app-search'):
log.info('Flag not active')
raise http_error(http.HttpForbidden,
'Not allowed to purchase for this flag')
bundle.obj = GenericObject(_prepare_pay(request, bundle.data['app']))
return bundle
def get_and_check_ownership(self, request, allow_anon=False, **kwargs):
try:
# Use queryset, not get_object_list to ensure a distinction
# between a 404 and a 403.
obj = self._meta.queryset.get(**kwargs)
except self._meta.object_class.DoesNotExist:
unavail = self._meta.queryset_base.filter(**kwargs).exists()
if unavail:
raise http_error(HttpLegallyUnavailable,
'Not available in your region.')
raise http_error(http.HttpNotFound,
'No such app.')
# If it's public, just return it.
if allow_anon and obj.is_public():
return obj
# Now do the final check to see if you are allowed to see it and
# return a 403 if you can't.
if not AppOwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You do not own that app.')
return obj
def obj_delete(self, request, **kwargs):
obj = self.get_by_resource_or_404(request, **kwargs)
if not (AppOwnerAuthorization().is_authorized(request,
object=obj.addon)
or OwnerAuthorization().is_authorized(request, object=obj) or
PermissionAuthorization('Users', 'Edit').is_authorized(request)
or PermissionAuthorization('Addons',
'Edit').is_authorized(request)):
raise http_error(
http.HttpForbidden,
'You do not have permission to delete this review.')
log.info('Rating %s deleted from addon %s' % (obj.pk, obj.addon.pk))
return super(RatingResource, self).obj_delete(request, **kwargs)
def obj_create(self, bundle, request, **kwargs):
region = getattr(request, 'REGION', None)
app = bundle.data['app']
if region and region.id not in app.get_price_region_ids():
log.info('Region {0} is not in {1}'.format(
region.id, app.get_price_region_ids()))
if payments_enabled(request):
log.info('Flag not active')
raise http_error(http.HttpForbidden,
'Payments are limited and flag not enabled')
bundle.obj = GenericObject(_prepare_pay(request, bundle.data['app']))
return bundle
def obj_create(self, bundle, request, **kwargs):
region = getattr(request, 'REGION', None)
app = bundle.data['app']
if region and region.id not in app.get_price_region_ids():
log.info('Region {0} is not in {1}'
.format(region.id, app.get_price_region_ids()))
if payments_enabled(request):
log.info('Flag not active')
raise http_error(http.HttpForbidden,
'Payments are limited and flag not enabled')
bundle.obj = GenericObject(_prepare_pay(request, bundle.data['app']))
return bundle
def handle(self, bundle, request, **kwargs):
form = ReceiptForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
bundle.obj = form.cleaned_data['app']
type_ = install_type(request, bundle.obj)
if type_ == apps.INSTALL_TYPE_DEVELOPER:
return self.record(bundle, request, apps.INSTALL_TYPE_DEVELOPER)
# The app must be public and if its a premium app, you
# must have purchased it.
if not bundle.obj.is_public():
log.info('App not public: %s' % bundle.obj.pk)
raise http_error(http.HttpForbidden, 'App not public.')
if (bundle.obj.is_premium()
and not bundle.obj.has_purchased(request.amo_user)):
# Apps that are premium but have no charge will get an
# automatic purchase record created. This will ensure that
# the receipt will work into the future if the price changes.
if bundle.obj.premium and not bundle.obj.premium.price.price:
log.info('Create purchase record: {0}'.format(bundle.obj.pk))
AddonPurchase.objects.get_or_create(addon=bundle.obj,
user=request.amo_user,
type=CONTRIB_NO_CHARGE)
else:
log.info('App not purchased: %s' % bundle.obj.pk)
raise http_error(HttpPaymentRequired,
'You have not purchased this app.')
# Anonymous users will fall through, they don't need anything else
# handling.
if request.user.is_authenticated():
return self.record(bundle, request, type_)
def handle(self, bundle, request, **kwargs):
form = ReceiptForm(bundle.data)
if not form.is_valid():
raise self.form_errors(form)
bundle.obj = form.cleaned_data['app']
# Developers get handled quickly.
if check_ownership(request, bundle.obj, require_owner=False,
ignore_disabled=True, admin=False):
return self.record(bundle, request, apps.INSTALL_TYPE_DEVELOPER)
# The app must be public and if its a premium app, you
# must have purchased it.
if not bundle.obj.is_public():
log.info('App not public: %s' % bundle.obj.pk)
raise http_error(http.HttpForbidden, 'App not public.')
if (bundle.obj.is_premium() and
not bundle.obj.has_purchased(request.amo_user)):
# Apps that are premium but have no charge will get an
# automatic purchase record created. This will ensure that
# the receipt will work into the future if the price changes.
if bundle.obj.premium and not bundle.obj.premium.has_price():
log.info('Create purchase record: {0}'.format(bundle.obj.pk))
AddonPurchase.objects.get_or_create(addon=bundle.obj,
user=request.amo_user, type=CONTRIB_NO_CHARGE)
else:
log.info('App not purchased: %s' % bundle.obj.pk)
raise http_error(HttpPaymentRequired, 'You have not purchased this app.')
# Anonymous users will fall through, they don't need anything else
# handling.
if request.user.is_authenticated():
return self.record(bundle, request, apps.INSTALL_TYPE_USER)
def post_list(self, request, **kwargs):
data = self.deserialize(request, request.raw_post_data, format="application/json")
email = data["email"]
try:
validate_email(email)
except ValidationError:
raise http_error(http.HttpBadRequest, "Invalid email address")
basket.subscribe(
data["email"],
"marketplace",
format="H",
country=request.REGION.slug,
lang=request.LANG,
optin="Y",
trigger_welcome="Y",
)
def obj_get(self, request=None, **kw):
try:
obj = super(StatusPayResource, self).obj_get(request=request, **kw)
except ObjectDoesNotExist:
# Anything that's not correct will be raised as a 404 so that it's
# harder to iterate over contribution values.
log.info('Contribution not found')
return None
if not OwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
if not obj.addon.has_purchased(request.amo_user):
log.info('Not in AddonPurchase table')
return None
return obj
def obj_get(self, request=None, **kw):
try:
obj = super(StatusPayResource, self).obj_get(request=request, **kw)
except ObjectDoesNotExist:
# Anything that's not correct will be raised as a 404 so that it's
# harder to iterate over contribution values.
log.info('Contribution not found')
return None
if not OwnerAuthorization().is_authorized(request, object=obj):
raise http_error(http.HttpForbidden,
'You are not an author of that app.')
if not obj.addon.has_purchased(request.amo_user):
log.info('Not in AddonPurchase table')
return None
return obj
def get_detail(self, request, **kwargs):
metric = kwargs.get('metric')
if metric not in STATS:
raise http_error(http.HttpNotFound, 'No metric by that name.')
# Trigger form validation which doesn't normally happen for GETs.
bundle = self.build_bundle(data=request.GET, request=request)
self.is_valid(bundle, request)
start = bundle.data.get('start')
end = bundle.data.get('end')
interval = bundle.data.get('interval')
client = get_monolith_client()
data = list(client(STATS[metric]['metric'], start, end, interval))
to_be_serialized = self.alter_list_data_to_serialize(
request, {'objects': data})
return self.create_response(request, to_be_serialized)
def get_list(self, request=None, **kwargs):
form_data = self.search_form(request)
is_admin = acl.action_allowed(request, 'Admin', '%')
is_reviewer = acl.action_allowed(request, 'Apps', 'Review')
# Pluck out status and addon type first since it forms part of the base
# query, but only for privileged users.
status = form_data['status']
addon_type = form_data['type']
base_filters = {
'type': addon_type,
}
# Allow reviewers and admins to search by statuses other than PUBLIC.
if status and (status == 'any' or status != amo.STATUS_PUBLIC):
if is_admin or is_reviewer:
base_filters['status'] = status
else:
raise http_error(http.HttpUnauthorized,
_('Unauthorized to filter by status.'))
# Only allow reviewers and admin to search by private fields or fields
# depending on the latest_version (which may or may not be public yet).
restricted_data = [form_data.get('is_privileged', None),
form_data.get('has_editor_comment', None),
form_data.get('has_info_request', None),
form_data.get('is_escalated', None)]
if not (is_admin or is_reviewer) and any(f is not None
for f in restricted_data):
return http.HttpUnauthorized(content=json.dumps(
{'reason': _('Unauthorized to filter by private fields.')}))
# Filter by device feature profile.
profile = None
if request.GET.get('dev') in ('firefoxos', 'android'):
sig = request.GET.get('pro')
if sig:
profile = FeatureProfile.from_signature(sig)
# Filter by region.
region = getattr(request, 'REGION', mkt.regions.WORLDWIDE)
qs = _get_query(request, region, gaia=request.GAIA,
mobile=request.MOBILE, tablet=request.TABLET,
filters=base_filters, new_idx=True)
qs = _filter_search(request, qs, form_data, region=region,
profile=profile)
paginator = self._meta.paginator_class(request.GET, qs,
resource_uri=self.get_resource_list_uri(),
limit=self._meta.limit)
page = paginator.page()
# Rehydrate the results as per tastypie.
objs = []
for obj in page['objects']:
obj.pk = obj.id
objs.append(self.build_bundle(obj=obj, request=request))
page['objects'] = [self.full_dehydrate(bundle) for bundle in objs]
# This isn't as quite a full as a full TastyPie meta object,
# but at least it's namespaced that way and ready to expand.
to_be_serialized = self.alter_list_data_to_serialize(request, page)
return self.create_response(request, to_be_serialized)
def get_list(self, request=None, **kwargs):
form_data = self.search_form(request)
is_admin = acl.action_allowed(request, 'Admin', '%')
is_reviewer = acl.action_allowed(request, 'Apps', 'Review')
uses_es = waffle.switch_is_active('search-api-es')
# Pluck out status and addon type first since it forms part of the base
# query, but only for privileged users.
status = form_data['status']
addon_type = form_data['type']
base_filters = {
'type': addon_type,
}
# Allow reviewers and admins to search by statuses other than PUBLIC.
if status and (status == 'any' or status != amo.STATUS_PUBLIC):
if is_admin or is_reviewer:
base_filters['status'] = status
else:
raise http_error(http.HttpUnauthorized,
_('Unauthorized to filter by status.'))
# Filter by device feature profile.
profile = None
# TODO: Remove uses_es conditional with 'search-api-es' waffle.
if uses_es and request.GET.get('dev') in ('firefoxos', 'android'):
sig = request.GET.get('pro')
if sig:
profile = FeatureProfile.from_signature(sig)
# Filter by region.
region = getattr(request, 'REGION', mkt.regions.WORLDWIDE)
qs = _get_query(request, region, gaia=request.GAIA,
mobile=request.MOBILE, tablet=request.TABLET,
filters=base_filters, new_idx=True)
qs = _filter_search(request, qs, form_data, region=region,
profile=profile)
paginator = self._meta.paginator_class(request.GET, qs,
resource_uri=self.get_resource_list_uri(),
limit=self._meta.limit)
page = paginator.page()
# Rehydrate the results as per tastypie.
objs = []
for obj in page['objects']:
obj.pk = obj.id
objs.append(self.build_bundle(obj=obj, request=request))
if uses_es:
page['objects'] = [self.full_dehydrate(bundle)
for bundle in objs]
else:
page['objects'] = [AppResource().full_dehydrate(bundle)
for bundle in objs]
# This isn't as quite a full as a full TastyPie meta object,
# but at least it's namespaced that way and ready to expand.
to_be_serialized = self.alter_list_data_to_serialize(request, page)
return self.create_response(request, to_be_serialized)
