"""
Workspace views.
"""
import secrets
from django.conf import settings
from django.contrib.auth import get_user_model
from rest_framework.exceptions import PermissionDenied, ValidationError
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.renderers import JSONRenderer, TemplateHTMLRenderer
from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet
from django.shortcuts import get_object_or_404, render
from api import models, serializers
# Resolved once at import time so the views work with a swapped-in user model.
User = get_user_model()
class WorkspaceViewSet(ModelViewSet):
    """
    ViewSet for Workspace model.

    The queryset is limited to workspaces the requester belongs to, so any
    workspace id outside that set resolves to a 404. Creating a workspace
    enrols the creator as its admin; update and delete require admin role.
    """
    lookup_field = 'id'
    lookup_value_regex = r'[-_\w]+'
    serializer_class = serializers.WorkspaceSerializer
    permission_classes = [IsAuthenticated]

    def _require_admin(self, workspace, message):
        """Raise PermissionDenied(message) unless the requester is an admin of *workspace*."""
        is_admin = workspace.has_member(self.request.user, role='admin')
        if is_admin:
            return
        raise PermissionDenied(message)

    def get_queryset(self):
        """Workspaces the requesting user is a member of, deduplicated."""
        user = self.request.user
        member_of = models.workspace.Workspace.objects.filter(workspacemember__user=user)
        return member_of.distinct()

    def perform_create(self, serializer):
        """Save the workspace and make the creator its first admin member."""
        created = serializer.save()
        member_manager = models.workspace.WorkspaceMember.objects
        member_manager.create(user=self.request.user, workspace=created, role='admin')

    def get_object(self):
        """Resolve the ``id`` URL kwarg within the member-scoped queryset."""
        workspace_id = self.kwargs['id']
        return get_object_or_404(self.get_queryset(), id=workspace_id)

    def update(self, request, *args, **kwargs):
        """Admin-only update; DRF's partial_update delegates here, so PATCH is covered too."""
        target = self.get_object()
        self._require_admin(target, "Only workspace admins can update workspaces")
        return super().update(request, *args, **kwargs)

    def destroy(self, request, *args, **kwargs):
        """Admin-only delete, refused while any other member remains."""
        target = self.get_object()
        self._require_admin(target, "Only workspace admins can delete workspaces")
        members = models.workspace.WorkspaceMember.objects.filter(workspace=target)
        if members.count() > 1:
            raise PermissionDenied("Cannot delete workspace with more than one member")
        return super().destroy(request, *args, **kwargs)
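class WorkspaceMemberViewSet(ModelViewSet):
    """
    ViewSet for WorkspaceMember model.

    Every action is scoped to the workspace named by the ``id`` URL kwarg. A
    requester who is not a member of that workspace gets an empty list from
    ``list`` and a 404 from the detail actions; role changes and removals are
    further restricted in ``update`` and ``destroy``.
    """
    serializer_class = serializers.WorkspaceMemberSerializer
    permission_classes = [IsAuthenticated]

    def get_queryset(self):
        """Members of the workspace in the URL, or an empty queryset for non-members."""
        workspace = get_object_or_404(models.workspace.Workspace, id=self.kwargs['id'])
        if workspace.has_member(self.request.user):
            return models.workspace.WorkspaceMember.objects.filter(workspace=workspace)
        return models.workspace.WorkspaceMember.objects.none()

    def get_object(self):
        """Resolve a member by the ``user`` (username) URL kwarg.

        The lookup goes through ``get_queryset()`` instead of the bare model
        manager so that a requester who is not a member of the workspace gets
        a 404. Resolving from the manager let ``retrieve`` return the record
        for any workspace/username pair, while ``update`` and ``destroy`` only
        failed later on their own role checks.
        """
        member = get_object_or_404(self.get_queryset(), user__username=self.kwargs['user'])
        # Standard DRF hook: a no-op with IsAuthenticated alone, but it keeps
        # any object-level permission class added later effective here.
        self.check_object_permissions(self.request, member)
        return member

    @staticmethod
    def _only_member_workspace(member):
        """True when *member* is the sole member of its workspace."""
        return models.workspace.WorkspaceMember.objects.filter(
            workspace=member.workspace
        ).count() == 1

    def update(self, request, *args, **kwargs):
        """Update a member. Admins can update any member (role and alerts).
        Non-admins can only update their own alerts field.

        DRF's partial_update delegates here, so PATCH is covered too.
        """
        member = self.get_object()
        is_admin = member.workspace.has_member(request.user, role='admin')
        is_only_member = self._only_member_workspace(member)
        # A sole member keeps their role; there is nobody else to hold admin.
        if is_only_member and 'role' in request.data:
            raise PermissionDenied("Cannot modify role: workspace only has one member")
        if not is_admin:
            # Non-admins may only touch their own record ...
            if request.user != member.user:
                raise PermissionDenied("Only workspace admins can update other members")
            # ... and never their own role.
            if 'role' in request.data:
                raise PermissionDenied("Cannot modify your own role")
        # NOTE(review): with two or more members an admin can still demote
        # every admin, themself included; and only ``role`` is blocked for
        # non-admins here — which other fields are writable is decided by the
        # serializer. Confirm both against the intended policy.
        return super().update(request, *args, **kwargs)

    def destroy(self, request, *args, **kwargs):
        """Delete a member. Admins can delete any member.
        Non-admins can only delete themselves (leave workspace)."""
        member = self.get_object()
        is_admin = member.workspace.has_member(request.user, role='admin')
        is_self = request.user == member.user
        # The last member cannot leave; the workspace itself is deleted instead.
        if is_self and self._only_member_workspace(member):
            raise PermissionDenied("Cannot delete: workspace only has one member")
        if is_self or is_admin:
            return super().destroy(request, *args, **kwargs)
        raise PermissionDenied("Only workspace admins can remove other members")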
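class WorkspaceInvitationViewSet(ModelViewSet):
    """
    ViewSet for WorkspaceInvitation model.

    Invitations live under the workspace named by the ``id`` URL kwarg and
    are addressed by their token (``uid`` URL kwarg). ``retrieve`` is the
    link sent to the invitee and needs no login; the token is its only
    credential. Listing requires a workspace member; create, update and
    destroy require a workspace admin.
    """
    serializer_class = serializers.WorkspaceInvitationSerializer
    # Explicit, like the other viewsets in this module: get_permissions()
    # promises that only authenticated users can create or list invitations,
    # so do not depend on the project-wide DRF default.
    permission_classes = [IsAuthenticated]

    def _get_workspace(self):
        """Return the workspace named by the ``id`` URL kwarg, or 404."""
        return get_object_or_404(models.workspace.Workspace, id=self.kwargs['id'])

    def _require_admin(self, workspace, message):
        """Raise PermissionDenied(message) unless the requester is an admin of *workspace*."""
        if not workspace.has_member(self.request.user, role='admin'):
            raise PermissionDenied(message)

    def get_permissions(self):
        """
        Allow anyone to accept an invitation.
        Only authenticated users can create or list invitations.
        """
        if self.action == 'retrieve':
            return [AllowAny()]
        return super().get_permissions()

    def get_renderers(self):
        """Serve the accept page as HTML to browsers and JSON to API clients."""
        if self.action == 'retrieve':
            return [JSONRenderer(), TemplateHTMLRenderer()]
        return super().get_renderers()

    def get_queryset(self):
        """Pending invitations of the workspace, or nothing for non-members."""
        workspace = self._get_workspace()
        if workspace.has_member(self.request.user):
            return models.workspace.WorkspaceInvitation.objects.filter(
                workspace=workspace, accepted=False)
        return models.workspace.WorkspaceInvitation.objects.none()

    def get_object(self):
        """Override to get invitation by uid and workspace id.

        Deliberately bypasses the member-scoped ``get_queryset()``: the
        anonymous ``retrieve`` has no membership to check, so the token in
        the URL is what authorises access. Already-accepted invitations are
        not resolvable.
        """
        return get_object_or_404(
            models.workspace.WorkspaceInvitation,
            workspace=self._get_workspace(),
            token=self.kwargs['uid'],
            accepted=False,
        )

    def retrieve(self, request, *args, **kwargs):
        """Accept the invitation named by the token and show the next step.

        Reachable without authentication. The response tells the invitee
        whether an account for the invited e-mail already exists and where to
        register otherwise.
        """
        instance = self.get_object()
        # NOTE(review): the accept happens on GET, so anything that fetches
        # the link (mail-client link scanners, previews) consumes the
        # invitation before the invitee opens it; ``accept()`` is defined on
        # the model — confirm what it does before moving this to POST.
        instance.accept()
        user_exists = User.objects.filter(email=instance.email).exists()
        data = {
            'workspace_id': instance.workspace.id,
            'user_exists': user_exists,
            'register_url': settings.DRYCC_REGISTER_URL,
        }
        if isinstance(request.accepted_renderer, TemplateHTMLRenderer):
            return render(request, 'workspace/workspace_invitation_accept.html', data)
        return Response(data)

    def perform_create(self, serializer):
        """Create (or re-send) a pending invitation for the submitted e-mail.

        Only workspace admins may invite. An address that already belongs to
        a member is rejected. An existing pending invitation for the address
        is re-sent rather than duplicated; otherwise stale accepted ones are
        purged and a fresh token is issued.
        """
        workspace = self._get_workspace()
        self._require_admin(workspace, "Only workspace admins can create invitations")
        email = serializer.validated_data['email']
        user = User.objects.filter(email=email).first()
        if user and workspace.has_member(user):
            raise ValidationError("User is already a member of the workspace")
        invitation = models.workspace.WorkspaceInvitation.objects.filter(
            email=email, workspace=workspace, accepted=False
        ).first()
        if not invitation:
            models.workspace.WorkspaceInvitation.objects.filter(
                email=email, workspace=workspace, accepted=True
            ).delete()
            # 64 random bytes (128 hex chars); the token is the only
            # credential for the anonymous retrieve/accept endpoint.
            invitation = serializer.save(
                token=secrets.token_hex(64), inviter=self.request.user, workspace=workspace)
        # NOTE(review): when a pending invitation is reused the serializer is
        # never saved, so the create response reflects the submitted data
        # rather than the stored row — confirm that is intended.
        if settings.EMAIL_HOST:
            invitation.send_email(self.request)
        else:
            # No mail host configured: accept immediately instead of sending.
            invitation.accept()

    def update(self, request, *args, **kwargs):
        """Only admins can change invitations; mirrors the check in destroy.

        ModelViewSet exposes update/partial_update, and without this override
        any caller resolving the token could edit the invitation.
        """
        invitation = self.get_object()
        self._require_admin(invitation.workspace, "Only workspace admins can update invitations")
        return super().update(request, *args, **kwargs)

    def destroy(self, request, *args, **kwargs):
        """Only admins can revoke invitations"""
        invitation = self.get_object()
        self._require_admin(invitation.workspace, "Only workspace admins can revoke invitations")
        return super().destroy(request, *args, **kwargs)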