* feat: django-rest-framework + Person/Email API (#8233) * chore: djangorestframework -> requirements.txt * chore: auth/perm/schema classes for drf * chore: settings for drf and friends * chore: comment that api/serializer.py is not DRF * feat: URL router for DRF * feat: simple api/v3/person/{id} endpoint * fix: actually working demo endpoint * chore: no auth for PersonViewSet * ci: params in ci-run-tests.yml * Revert "ci: params in ci-run-tests.yml" This reverts commit 03808ddf94afe42b7382ddd3730959987389612b. * feat: email addresses for person API * feat: email update api (WIP) * fix: working Email API endpoint * chore: annotate address format in api schema * chore: api adjustments * feat: expose SpectacularAPIView At least for now... * chore: better schema_path_prefix * feat: permissions for DRF API * refactor: use permissions classes * refactor: extract NewEmailForm validation for reuse * refactor: ietfauth.validators module * refactor: send new email conf req via helper * feat: API call to issue new address request * chore: move datatracker DRF api to /api/core/ * fix: unused import * fix: lint * test: drf URL names + API tests (#8248) * refactor: better drf URL naming * test: test person-detail view * test: permissions * test: add_email tests + stubs * test: test email update * test: test 404 vs 403 * fix: fix permissions * test: test email partial update * test: assert we have a nonexistent PK * chore: disable DRF api for now * chore: fix git inanity * fix: lint * test: disable tests of disabled code * test: more lint
# Copyright The IETF Trust 2024, All Rights Reserved
#
from rest_framework import permissions
from ietf.api.ietf_utils import is_valid_token
class HasApiKey(permissions.BasePermission):
    """Grant access when the request's token is valid for the view's endpoint.

    The view must declare `api_key_endpoint`; the token is read from
    `request.auth`, so an Authentication class that populates it is required.
    If either value is missing the check fails closed and returns False.
    """

    def has_permission(self, request, view):
        """Return True only if is_valid_token accepts the (endpoint, token) pair."""
        endpoint_name = getattr(view, "api_key_endpoint", None)
        token = getattr(request, "auth", None)
        if endpoint_name is None or token is None:
            # Misconfigured view or no authenticated token: deny rather than guess.
            return False
        return is_valid_token(endpoint_name, token)
class IsOwnPerson(permissions.BasePermission):
    """Object-level permission: the object must be the requesting user's Person.

    `has_permission` is not overridden here, so view-level access is governed
    by the other permission classes configured on the view.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when obj is the Person linked to the authenticated user."""
        user = request.user
        # An anonymous user, or one with no linked Person, owns nothing.
        if user.is_authenticated and hasattr(user, "person"):
            return obj == user.person
        return False
class BelongsToOwnPerson(permissions.BasePermission):
    """Object-level permission: obj.person must be the requesting user's Person.

    The object must expose a `person` attribute naming its owner; objects
    without one are denied. `has_permission` is not overridden here, so
    view-level access is governed by the other permission classes on the view.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when obj.person is the authenticated user's Person."""
        user = request.user
        if not user.is_authenticated:
            return False
        if not hasattr(user, "person"):
            return False
        # An object with no owner field never matches — deny rather than assume.
        return hasattr(obj, "person") and obj.person == user.person