can_access_editor API mixin

Laura Klünder 2018-11-29 01:59:18 +01:00
parent 1fdc3bbfe8
commit 38267f2adc


@ -22,7 +22,14 @@ from c3nav.mapdata.models.geometry.space import POI
from c3nav.mapdata.utils.user import can_access_editor from c3nav.mapdata.utils.user import can_access_editor
class EditorViewSet(ViewSet): class EditorViewSetMixin(ViewSet):
def initial(self, request, *args, **kwargs):
if not can_access_editor(request) or 1:
raise PermissionDenied
return super().initial(request, *args, **kwargs)
class EditorViewSet(EditorViewSetMixin, ViewSet):
""" """
Editor API Editor API
/geometries/ returns a list of geojson features, you have to specify ?level=<id> or ?space=<id> /geometries/ returns a list of geojson features, you have to specify ?level=<id> or ?space=<id>
@ -81,9 +88,6 @@ class EditorViewSet(ViewSet):
@action(detail=False, methods=['get']) @action(detail=False, methods=['get'])
@api_etag(etag_func=etag_func, cache_parameters={'level': str, 'space': str}) @api_etag(etag_func=etag_func, cache_parameters={'level': str, 'space': str})
def geometries(self, request, *args, **kwargs): def geometries(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
Level = request.changeset.wrap_model('Level') Level = request.changeset.wrap_model('Level')
Space = request.changeset.wrap_model('Space') Space = request.changeset.wrap_model('Space')
@ -238,9 +242,6 @@ class EditorViewSet(ViewSet):
@action(detail=False, methods=['get']) @action(detail=False, methods=['get'])
@api_etag(etag_func=MapUpdate.current_cache_key, cache_parameters={}) @api_etag(etag_func=MapUpdate.current_cache_key, cache_parameters={})
def geometrystyles(self, request, *args, **kwargs): def geometrystyles(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
return Response({ return Response({
'building': '#aaaaaa', 'building': '#aaaaaa',
'space': '#eeeeee', 'space': '#eeeeee',
@ -263,9 +264,6 @@ class EditorViewSet(ViewSet):
@action(detail=False, methods=['get']) @action(detail=False, methods=['get'])
@api_etag(etag_func=etag_func, cache_parameters={}) @api_etag(etag_func=etag_func, cache_parameters={})
def bounds(self, request, *args, **kwargs): def bounds(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
return Response({ return Response({
'bounds': Source.max_bounds(), 'bounds': Source.max_bounds(),
}) })
@ -311,9 +309,6 @@ class EditorViewSet(ViewSet):
return resolved return resolved
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
resolved = self.resolved resolved = self.resolved
if not resolved: if not resolved:
raise NotFound(_('No matching editor view endpoint found.')) raise NotFound(_('No matching editor view endpoint found.'))
@ -327,7 +322,7 @@ class EditorViewSet(ViewSet):
return response return response
class ChangeSetViewSet(ReadOnlyModelViewSet): class ChangeSetViewSet(EditorViewSetMixin, ReadOnlyModelViewSet):
""" """
List and manipulate changesets. All lists are ordered by last update descending. Use ?offset= to specify an offset. List and manipulate changesets. All lists are ordered by last update descending. Use ?offset= to specify an offset.
Don't forget to set X-Csrftoken for POST requests! Don't forget to set X-Csrftoken for POST requests!
@ -359,8 +354,6 @@ class ChangeSetViewSet(ReadOnlyModelViewSet):
return ChangeSet.qs_for_request(self.request).select_related('last_update', 'last_state_update', 'last_change') return ChangeSet.qs_for_request(self.request).select_related('last_update', 'last_state_update', 'last_change')
def _list(self, request, qs): def _list(self, request, qs):
if not can_access_editor(request):
raise PermissionDenied
offset = 0 offset = 0
if 'offset' in request.GET: if 'offset' in request.GET:
if not request.GET['offset'].isdigit(): if not request.GET['offset'].isdigit():
@ -388,15 +381,10 @@ class ChangeSetViewSet(ReadOnlyModelViewSet):
)) ))
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
return Response(self.get_object().serialize()) return Response(self.get_object().serialize())
@action(detail=False, methods=['get']) @action(detail=False, methods=['get'])
def current(self, request, *args, **kwargs): def current(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
changeset = ChangeSet.get_for_request(request) changeset = ChangeSet.get_for_request(request)
return Response({ return Response({
'direct_editing': changeset.direct_editing, 'direct_editing': changeset.direct_editing,
@ -405,8 +393,6 @@ class ChangeSetViewSet(ReadOnlyModelViewSet):
@action(detail=False, methods=['post']) @action(detail=False, methods=['post'])
def direct_editing(self, request, *args, **kwargs): def direct_editing(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
# django-rest-framework doesn't automatically do this for logged out requests # django-rest-framework doesn't automatically do this for logged out requests
SessionAuthentication().enforce_csrf(request) SessionAuthentication().enforce_csrf(request)
@ -425,8 +411,6 @@ class ChangeSetViewSet(ReadOnlyModelViewSet):
@action(detail=False, methods=['post']) @action(detail=False, methods=['post'])
def deactivate(self, request, *args, **kwargs): def deactivate(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
# django-rest-framework doesn't automatically do this for logged out requests # django-rest-framework doesn't automatically do this for logged out requests
SessionAuthentication().enforce_csrf(request) SessionAuthentication().enforce_csrf(request)
@ -439,8 +423,6 @@ class ChangeSetViewSet(ReadOnlyModelViewSet):
@action(detail=True, methods=['get']) @action(detail=True, methods=['get'])
def changes(self, request, *args, **kwargs): def changes(self, request, *args, **kwargs):
if not can_access_editor(request):
raise PermissionDenied
changeset = self.get_object() changeset = self.get_object()
changeset.fill_changes_cache() changeset.fill_changes_cache()
return Response([obj.serialize() for obj in changeset.iter_changed_objects()]) return Response([obj.serialize() for obj in changeset.iter_changed_objects()])
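Review bot: In the first hunk the new `EditorViewSetMixin.initial` guard reads `if not can_access_editor(request) or 1:`, which parses as `(not can_access_editor(request)) or 1` and is therefore always true. Every request to `EditorViewSet` and `ChangeSetViewSet` will raise `PermissionDenied` whatever `can_access_editor` returns. This looks like a debugging leftover, and the line should be `if not can_access_editor(request):`. The commit removes all the per-method checks, so this mixin is now the only enforcement point for both viewsets. A pair of tests would pin it: one where a permitted request succeeds and one where a non-permitted request gets a 403. As a style point, `EditorViewSetMixin` subclasses `ViewSet` while `EditorViewSet` lists `ViewSet` again as a base, so the mixin could probably be a plain class with a one-line docstring such as `"""Reject requests that fail can_access_editor before any handler runs."""`.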