class ChangeViewSet(InstanceBasedMixin, NestedViewSetMixin, redis_views.ReadOnlyModelViewSet): model = Change serializer_class = ChangeSerializer permission_classes = ( Or( AdminHasPermissions, And( IsApiKeyAccess, Or( IsApiKeyIgnoringAcl, # Force access when allow anonymous read IsApiKeyAllowingAnonymousRead, And(HasUser, HasChannelSubscribePermission)))), EnsureChannelRoom, OwnerInGoodStanding, ) def initial(self, request, *args, **kwargs): self.room, self.last_id = get_from_request_query_params( self.request, 'room', 'last_id') if self.last_id: try: self.last_id = int(self.last_id) + 1 except ValueError: self.last_id = None return super().initial(request, *args, **kwargs) def list(self, request, *args, **kwargs): if self.last_id: self.kwargs['min_pk'] = self.last_id self.kwargs['room'] = self.room return super().list(request, *args, **kwargs)
class ApplicationView(PermissionClassesMixin, SidebarContextMixin, UserContextMixin, FormView): template_name = 'application/application.html' form_class = ApplicationForm active_tab = 'application' permission_classes = [ And(Or(IsSubmitted, IsIncomplete, And(IsHacker, IsVerified)), RegistrationOpen) ] def form_valid(self, form): form.save(hacker=self.request.user.profile.hacker) return super().form_valid(form) def get_success_url(self): messages.add_message(self.request, messages.SUCCESS, "Aplicação enviada!") return reverse_lazy('dashboard:index') def get_form_kwargs(self): """Return the keyword arguments for instantiating the form.""" kwargs = super().get_form_kwargs() hacker = self.request.user.profile.hacker kwargs['instance'] = getattr(hacker, 'application', None) return kwargs def get_initial(self): initial = super().get_initial() initial['first_name'] = self.request.user.first_name initial['last_name'] = self.request.user.last_name initial['email'] = self.request.user.email return initial
class PollDetail(APIView): permission_classes = [ Or(IsGetRequest, And(IsPutRequest, IsAdminUser), And(IsDeleteRequest, IsAdminUser)) ] def get_object(self, pk, is_admin_user=True): polls = get_polls_by_user_perm(is_admin_user) try: return polls.get(pk=pk) except Poll.DoesNotExist: raise Http404 def get(self, request, pk, format=None): # админ может просматривать любые опросы, а пользователь # только опубликованные poll = self.get_object(pk, is_admin(request.user)) serializer = ReadPollSerializer(poll) return Response(serializer.data) def put(self, request, pk, format=None): poll = self.get_object(pk) serializer = UpdatePollSerializer(poll, data=request.data) if serializer.is_valid(): serializer.save() return Response(serializer.data) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) def delete(self, request, pk, format=None): poll = self.get_object(pk) poll.delete() return Response(status=status.HTTP_204_NO_CONTENT)
class MeetingViewSet(viewsets.ModelViewSet): serializer_class = MeetingSerializer queryset = Meeting.objects.all() permission_classes = [ Or( And( IsSafeMethod, IsPublic, ), And( IsSafeMethod, Not(IsPrivate), IsMeetingClient, ), IsMeetingHost, IsAdminUser, ) ] def get_queryset(self): user = self.request.user if IsClient: return Meeting.objects.filter(Q(private=False), Q(public=True) | Q(clients=user.id)) elif IsHost: return Meeting.objects.filter(Q(hosts=user.id) | Q(public=True)) elif IsSuperUser: return Meeting.objects.all() else: return Meeting.objects.filter(public=True)
class BaseDeviceViewSet(InstanceBasedMixin, DetailSerializerMixin, SendPushMessageMixin, viewsets.ModelViewSet): filter_backends = (DjangoFilterBackend, ) permission_classes = ( OwnerInGoodStanding, Or( # Check admin permissions first AdminHasPermissions, And( # Otherwise when we're dealing with api key access IsApiKeyAccess, Or( # Force access when ignoring acl IsApiKeyIgnoringAcl, # Force access when allow annonymous read IsApiKeyAllowingAnonymousRead, And( # Or if user is associated - check relevant Device permissions HasUser, HasDevicePermission, ) ) ) ) ) def get_queryset(self): queryset = super().get_queryset() if self.request.auth and not self.request.auth.ignore_acl and self.request.auth_user: queryset = queryset.filter(user=self.request.auth_user) return queryset
class TeamViewset(PrefetchQuerysetModelMixin, mixins.CreateModelMixin, mixins.UpdateModelMixin, mixins.RetrieveModelMixin, viewsets.GenericViewSet): permission_classes = [ Or( And(IsPostRequest, IsCheckedin, EventIsHappening), # Creating new teams And(IsGetRequest, IsCheckedin, IsTeamMember), # Getting teams And(IsPutPatchRequest, EventIsHappening, IsTeamMember) # Updating teams ) ] queryset = Team.objects.all() serializer_class = SimpleTeamSerializer @action(methods=['post'], detail=False) def leave_team(self, request): hacker = request.user.profile.hacker team = getattr(hacker, 'team', None) if team: team.remove_hacker(hacker) if len(team.members) == 0: team.delete() return Response(status=200) @action(methods=['get'], detail=False) def current_team(self, request): hacker = request.user.profile.hacker team = hacker.team serializer = self.get_serializer_class()(team) data = serializer.data return Response(data)
class PhotoUploadViewSet(ModelViewSet): # curl --verbose --header "Authorization: # jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiMTViY2UwOTA0IiwidXNlcm5hbWUiOiIxNWJjZTA5MDQiLCJleHAiOjE1MjE2NTYzMTEsImVtYWlsIjoiIiwicmVnaXN0cmF0aW9uX251bWJlciI6IjE1YmNlMDkwNCJ9.tVh7p2d-FGlHu-Foh-6ox7BSHo7MNvI15FZbayn7rhE" # --header "Accept: application/json; indent=4" --request POST # --form img=@/Users/bhavesh/Pictures/maxresdefault.jpg http://localhost:8000/api/upload/; echo queryset = Photo.objects.all() course_queryset = Course.objects.all() serializer_class = PhotoSerializer parser_classes = ( MultiPartParser, FormParser, ) permission_classes = [ Or( And( Or(custom_permissions.IsGet, custom_permissions.IsHead, custom_permissions.IsOptions, custom_permissions.IsPost), permissions.IsAuthenticated), And( Or(custom_permissions.IsDelete, custom_permissions.IsPatch, custom_permissions.IsPut), custom_permissions.IsPhotoOwner, ), ) ] def get_queryset(self): user = self.request.user qs = super().get_queryset() if user.is_teacher: return qs.filter(course__teacher=user.teacher) return qs.filter(student=user.student) def perform_create(self, serializer): print('User is in perform_create=', self.request.user) user = self.request.user # print('In PhotoUploadViewSet. serializer=', serializer) _id = self.request.data.get('id') # identification = get_unique_identificaton(serializer) if user.is_teacher: teacher = user.teacher course = get_object_or_404(self.course_queryset, teacher=teacher, id=_id) obj = serializer.save(course=course, img=self.request.data.get('img')) else: print('Student', user.student) obj = serializer.save(student=user.student, img=self.request.data.get('img')) process_photo.delay(obj.id)
class EventViewset(PrefetchQuerysetModelMixin, viewsets.ModelViewSet): """Event Get all events and their basic data authenticated can read, admin can edit """ serializer_class = EventSerializer queryset = Event.objects.all() permission_classes = [ Or(And(CanAttendEvents, And(IsAuthenticated, IsReadyOnlyRequest)), IsAdmin) ]
class PostDetails(generics.RetrieveUpdateDestroyAPIView, PostRetriever): permission_classes = (IsAuthenticated, Or( RequestIsReadOnly, And(RequestIsUpdate, UserIsPostAuthor), And(RequestIsDelete, Or(UserIsPostAuthor, UserIsSuperuser)))) serializer_class = PostContentSerializer def get_object(self): return self.post_instance
class UserViewSet(AutocompleteMixin, AtomicMixin, InstanceBasedMixin, SignalSenderModelMixin, viewsets.ModelViewSet): model = User queryset = User.objects.prefetch_related('groups') serializer_class = UserFullSerializer user_serializer_class = UserFullSerializer data_serializer_class = DataObjectSerializer autocomplete_field = 'username' permission_classes = ( Or( AdminHasPermissions, And( IsApiKeyAccess, Or( IsApiKeyIgnoringAcl, And(HasUser, ApiKeyHasPermissions), HasCreateUserPermission ) ) ), OwnerInGoodStanding, ) def initial(self, request, *args, **kwargs): initial = super().initial(request, *args, **kwargs) self.klass = Klass.get_user_profile() DataObject.load_klass(self.klass) return initial def get_queryset(self): base_query = super().get_queryset() if self.request.auth and self.request.auth_user: return base_query.filter(pk=self.request.auth_user.id) return base_query def get_object(self): obj = super().get_object() # get profile for deletions to work with triggers obj.profile = obj._profile_cache = DataObject.objects.filter(_klass=self.klass, owner=obj).get() return obj @detail_route(methods=['post'], serializer_class=Serializer) def reset_key(self, request, *args, **kwargs): user = self.get_object() user.reset() return Response(data=self.user_serializer_class(user, context=self.get_serializer_context()).data)
class PermissionTeacherStudentMixin: permissions_classes = [ Or( And( Or(custom_permissions.IsGet, custom_permissions.IsHead, custom_permissions.IsOptions), permissions.IsAuthenticated), And( # If the method is post, permission will always be denied. Since Teacher Model extends from User model custom_permissions.IsPost, custom_permissions.NoPermission), And( Or(custom_permissions.IsPatch, custom_permissions.IsPut, custom_permissions.IsDelete), custom_permissions.IsOwner)) ]
class InvitationList(generics.ListCreateAPIView): queryset = Invitation.objects.all() serializer_class = InvitationSerializer permission_classes = (Or(permissions.IsAdminUser, And(IsHostOfPartyWithParam, Not(IsGetRequest))), ) # this is a hook, called when creating an instance # we need to override this method as we are writing to a ReadOnlyField # this is easier than overriding the entire post method def perform_create(self, serializer): invitee_facebook_id = self.request.data.get('invitee_facebook_id') if invitee_facebook_id is None: raise ValidationError("'invitee_facebook_id' was not provided.") invitee = lookup_user_with_facebook_id(invitee_facebook_id) party_id = self.request.data.get('party_id') party = Party.objects.get(pk=party_id) """ Not the best solution... but to avoid internal server error when unique_together on Invitation model fails """ potential_conflict = Invitation.objects.filter(invitee=invitee, party=party) if len(potential_conflict) > 0: raise ValidationError("The invitee, party pair exists already.") serializer.save(invitee=invitee, party=party)
class PaymentView( PermissionClassesMixin, RedirectView): http_method_names = ['get'] permanent = False permission_classes = [And(CanConfirm, IsUnpayed)] def get_redirect_url(self, *args, **kwargs): sett = Settings.get() if not sett.require_payment: add_message(self.request, ERROR, 'Pagamentos desabilitados') return '/' item = PagSeguroItem( id='1', description=f'Ingresso para {settings.EVENT_NAME}', amount=f'{sett.ticket_price}', quantity=1 ) reference = get_random_string(length=32) api = PagSeguroApi(reference=reference) api.add_item(item) checkout = api.checkout() if checkout['success']: hacker = self.request.user.profile.hacker hacker.transaction_reference = reference hacker.save() return checkout['redirect_url'] else: add_message(self.request, ERROR, 'Erro ao criar pedido de pagamento. Tente novamente mais tarde.') return '/'
class DefaultMixin(object): """ Default settings for authentication, authorization and filering. We support 3 types of authentication 1. Basic authentication sending username/password in every request 2. Token authentication, for retriving a token from auth API 3. Session authentication Users are required to be authenticated We allow filtering using arguments and ordering using ordering keyword Permissions are asigned based on objects and affiliations. """ #max_paginate_by = 500 paginate_by = 50 paginate_by_param = 'page_size' authentication_classes = (authentication.SessionAuthentication, authentication.BasicAuthentication, authentication.TokenAuthentication) filter_backends = ( filters.DjangoFilterBackend, filters.SearchFilter, filters.OrderingFilter, filters.DjangoObjectPermissionsFilter, ) permission_classes = [ And(permissions.IsAuthenticated, IsAssociatedWithTenant), ObjectPermissions ]
class InstanceConfigView(InstanceBasedMixin, generics.RetrieveAPIView, generics.UpdateAPIView): serializer_class = InstanceConfigSerializer model = Instance queryset = Instance.objects.all() permission_classes = ( Or(And(permissions.IsAuthenticated, ProtectInstanceAccess), ApiKeyHasPermissions), OwnerInGoodStanding, ) def get_queryset(self): base_query = super().get_queryset() if self.request.user.is_authenticated: return base_query.filter(admin_roles__admin=self.request.user) elif self.request.auth: return base_query.filter(pk=self.request.auth.instance_id) raise PermissionDenied() def get_object(self): try: obj = self.get_queryset().get(pk=self.request.instance.pk) except Instance.DoesNotExist: raise Http404 self.check_object_permissions(self.request, obj) return obj
class KlassViewSet(EndpointAclMixin, v1_views.KlassViewSet): serializer_class = KlassSerializer serializer_detail_class = KlassDetailSerializer permission_classes = ( OwnerInGoodStanding, And( ProtectUserProfileKlass, Or( # Check admin permissions AdminHasPermissions, # Check API Key ACL CheckAclPermission, ), ), ) endpoint_acl_object_field = 'klasses_acl' def get_queryset(self): base_query = super( v1_views.KlassViewSet, self).get_queryset().filter(visible=True).filter_acl(self.request) if self.request.method in permissions.SAFE_METHODS: return base_query.include_object_count() return base_query
class CommentDetails(generics.RetrieveUpdateDestroyAPIView, CommentRetriever): permission_classes = (IsAuthenticated, Or( RequestIsReadOnly, And( RequestIsUpdate, UserIsCommentAuthor, ), And(RequestIsDelete, Or(UserIsCommentAuthor, UserIsStaff)))) serializer_class = CommentSerializer def get_object(self): return self.comment_instance
class InstanceViewSet(AutocompleteMixin, AtomicMixin, DetailSerializerMixin, RenameNameViewSetMixin, viewsets.ModelViewSet): model = Instance queryset = Instance.objects.all() lookup_field = 'name' serializer_class = InstanceSerializer serializer_detail_class = InstanceDetailSerializer permission_classes = ( Or(And(permissions.IsAuthenticated, ProtectInstanceAccess), ApiKeyHasPermissions), InstanceAccessAdminInGoodStanding, InstanceLocationMatch, ) def get_queryset(self): base_query = super().get_queryset().select_related('owner') if self.request.user.is_authenticated: return base_query.filter( admin_roles__admin=self.request.user).extra( select={'role': '"admins_admininstancerole"."role_id"'}) elif self.request.auth: return base_query.filter(pk=self.request.auth.instance_id) raise PermissionDenied() def perform_create(self, serializer): # Lock on admin for the duration of transaction to avoid race conditions admin = Admin.objects.select_for_update().get(pk=self.request.user.id) instances_limit = AdminLimit.get_for_admin( self.request.user.id).get_instances_count() if Instance.objects.filter(owner=admin).count() >= instances_limit: raise InstanceCountExceeded(instances_limit) serializer.save()
class UndoWithdraw(views.APIView): permission_classes = [And(IsWithdraw, CanConfirm)] def post(self, request): hacker = request.user.profile.hacker hacker.admit(False) return views.Response({'message': 'Desistência desfeita', 'state': hacker.profile.state})
class BlogViewSet(viewsets.ModelViewSet): """ ViewSet for viewing and editing Blog objects """ queryset = Blog.objects.all().order_by("-uploaded_time") serializer_class = BlogSerializer permission_classes = (Or(And(ApiTokenPermissions, IsListOrRetrieve), IsAuthenticated), ) filter_backends = (filters.SearchFilter, ) search_fields = ('category', )
class ConfirmPresence(views.APIView): permission_classes = [And(IsAdmitted, CanConfirm)] def post(self, request): hacker = request.user.profile.hacker hacker.confirm() return views.Response({'message': 'Presença confirmada', 'state': hacker.profile.state})
class UserMembershipViewSet(MembershipViewSet): serializer_class = UserMembershipSerializer permission_classes = ( Or(AdminHasPermissions, And(ApiKeyHasPermissions, IsMembershipForCurrentUser)), OwnerInGoodStanding, ) lookup_field = 'group_id' def get_queryset(self): return super().get_queryset().select_related('group')
class PeriodDetailView(generics.RetrieveUpdateDestroyAPIView): permission_classes = [ And( permissions.IsAuthenticated, IsPeriodOwner # Period object does not contain .user attribute, # Period.subject contains user attribute. ) ] serializer_class = serializers.PeriodSerializer queryset = models.Period.objects
class ListViewSet(viewsets.ModelViewSet): queryset = List.objects.all() serializer_class = ListSerializer permission_classes = (Or(IsSafeMethod, permissions.IsAdminUser, And(IsPurchase, permissions.IsAuthenticated)), ) @action(detail=True, methods=['POST']) def purchase(self, request, *args, **kwargs): list = self.get_object() user = request.user if list.price > user.point: return Response(status=status.HTTP_402_PAYMENT_REQUIRED) user.point -= list.price user.save() try: user_mon = UserMonster.objects.get(user=user, list=list) except UserMonster.DoesNotExist: user_mon = UserMonster(user=user, list=list) # user_mon = UserMonster(user=user, list=list) user_mon.count += 1 user_mon.save() serializer = UserMonsterSerializer( user.monsters.all(), many=True, context=self.get_serializer_context()) return Response(serializer.data) @action(detail=False, methods=['POST'], url_path='purchase') @transaction.atomic() def purchase_mons(selfs, request, *args, **kwargs): mons = request.data['mons'] user = request.user sid = transaction.savepoint() for i in mons: list = List.objects.get(id=i['mon_id']) count = int(i['count']) if list.price * count > user.point: transaction.savepoint_rollback(sid) return Response(status=status.HTTP_402_PAYMENT_REQUIRED) user.point -= list.price user.save() try: user_mon = UserMonster.objects.get(user=user, list=list) except UserMonster.DoesNotExist: user_mon = UserMonster(user=user, list=list) # user_mon = UserMonster(user=user, list=list) user_mon.count += count user_mon.save() transaction.savepoint_commit(sid) serializer = UserMonsterSerializer(user.monsters.all(), many=True) return Response(serializer.data)
class RequestViewSet(AbstractCramsRequestViewSet): """ class RequestViewSet """ permission_classes = [ And(IsCramsAuthenticated, Or(IsProjectContact, IsRequestApprover)) ] queryset = Request.objects.all() serializer_class = CramsRequestSerializer ordering_fields = ('project', 'creation_ts') ordering = ('project', '-creation_ts')
class AttendanceDetailView(generics.RetrieveUpdateDestroyAPIView): permission_classes = [ And( permissions.IsAuthenticated, IsAttendanceOwner # Attendance object does not contain .user attribute, # Attendance.subject contains user attribute. ) ] serializer_class = serializers.AttendanceSerializer queryset = models.Attendance.objects
class BaseLineUploadDetailView(generics.RetrieveUpdateDestroyAPIView): serializer_class = serializers.FileUploadSerializer queryset = FileUpload.objects.all() permission_classes = [ And( Or(IsGet, IsDelete), permissions.IsAuthenticated, IsAllowedToUpload, IsTaskOwner, ) ]
class AuthorViewSet(ViewSet): authentication_classes = [ BearerTokenAuthentication, ] permission_classes = [Or(And(IsAuthenticated, IsAuthor), IsSuperAdmin)] def create_author(self): return def get_my_details(self, request): return JsonResponse({'message': 'Get detail.'})
class SuggestionViewSet(viewsets.ModelViewSet): serializer_class = SuggestionSerializer queryset = Suggestion.objects.all() permission_classes = [ Or( And(IsSafeMethod, IsPublic), And( IsPOST, IsClient, ), And( Or(IsChange, IsDELETE), IsOwner, ), IsAdminUser, IsMeetingHost, ) ] def perform_create(self, serializer): serializer.save(owner=self.request.user)
class BaseLineUpload(generics.ListCreateAPIView): serializer_class = serializers.FileUploadSerializer queryset = FileUpload.objects.all() pagination_class = FileUploadLimitOffsetPagination # TODO: UPDATE PERMISSIONS permission_classes = [ Or( And(IsGet, permissions.IsAuthenticated), And(IsPost, permissions.IsAuthenticated, IsAllowedToUpload), ) ] def get_queryset(self): return self.queryset.filter(user=self.request.user) def perform_create(self, serializer): obj = serializer.save(user=self.request.user) task = import_to_db.delay(obj.id) # Set the task id obj.task_id = task.task_id obj.save()