ref(controller): refactor is_app_user to generic function

Matthew Fisher · Matthew Fisher · commit 14bdbccd2c65 · 2015-01-23T08:08:05.000-08:00
Some class views in views.py like ConfigHookViewSet retrieve and
validate against the user in the request method itself. In order to
standardize, I've split this out so it can be used in the views.
diff --git a/controller/api/permissions.py b/controller/api/permissions.py
@@ -5,6 +5,18 @@
 from api import models
 
 
+def is_app_user(request, obj):
+    if request.user.is_superuser or \
+            isinstance(obj, models.App) and obj.owner == request.user or \
+            hasattr(obj, 'app') and obj.app.owner == request.user:
+        return True
+    elif request.user.has_perm('use_app', obj) or \
+            hasattr(obj, 'app') and request.user.has_perm('use_app', obj.app):
+        return request.method != 'DELETE'
+    else:
+        return False
+
+
 class IsAnonymous(permissions.BasePermission):
     """
     View permission to allow anonymous users.
@@ -36,18 +48,7 @@ class IsAppUser(permissions.BasePermission):
     an app-related model.
     """
     def has_object_permission(self, request, view, obj):
-        if request.user.is_superuser:
-            return True
-        if isinstance(obj, models.App) and obj.owner == request.user:
-            return True
-        elif hasattr(obj, 'app') and obj.app.owner == request.user:
-            return True
-        elif request.user.has_perm('use_app', obj):
-            return request.method != 'DELETE'
-        elif hasattr(obj, 'app') and request.user.has_perm('use_app', obj.app):
-            return request.method != 'DELETE'
-        else:
-            return False
+        return is_app_user(request, obj)
 
 
 class IsAdmin(permissions.BasePermission):
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -265,18 +265,13 @@ class PushHookViewSet(BaseHookViewSet):
 
     def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=request.data['receive_repo'])
-        self.user = get_object_or_404(User, username=request.data['receive_user'])
+        request.user = get_object_or_404(User, username=request.data['receive_user'])
         # check the user is authorized for this app
-        if self.user == app.owner or \
-           self.user in get_users_with_perms(app) or \
-           self.user.is_superuser:
-                request.data['app'] = app
-                request.data['owner'] = self.user
-                return super(PushHookViewSet, self).create(request, *args, **kwargs)
-        raise PermissionDenied()
-
-    def perform_create(self, serializer, **kwargs):
-        serializer.save(owner=self.user)
+        if not permissions.is_app_user(request, app):
+            raise PermissionDenied()
+        request.data['app'] = app
+        request.data['owner'] = request.user
+        return super(PushHookViewSet, self).create(request, *args, **kwargs)
 
 
 class BuildHookViewSet(BaseHookViewSet):
@@ -286,24 +281,17 @@ class BuildHookViewSet(BaseHookViewSet):
 
     def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=request.data['receive_repo'])
-        self.user = get_object_or_404(User, username=request.data['receive_user'])
+        self.user = request.user = get_object_or_404(User, username=request.data['receive_user'])
         # check the user is authorized for this app
-        if self.user == app.owner or \
-           self.user in get_users_with_perms(app) or \
-           self.user.is_superuser:
-            request._data = request.data.copy()
-            request.data['app'] = app
-            request.data['owner'] = self.user
-            super(BuildHookViewSet, self).create(request, *args, **kwargs)
-            # return the application databag
-            response = {'release': {'version': app.release_set.latest().version},
-                        'domains': ['.'.join([app.id, settings.DEIS_DOMAIN])]}
-            return Response(response, status=status.HTTP_200_OK)
-        raise PermissionDenied()
-
-    def perform_create(self, serializer, **kwargs):
-        build = serializer.save(owner=self.user)
-        self.post_save(build)
+        if not permissions.is_app_user(request, app):
+            raise PermissionDenied()
+        request.data['app'] = app
+        request.data['owner'] = self.user
+        super(BuildHookViewSet, self).create(request, *args, **kwargs)
+        # return the application databag
+        response = {'release': {'version': app.release_set.latest().version},
+                    'domains': ['.'.join([app.id, settings.DEIS_DOMAIN])]}
+        return Response(response, status=status.HTTP_200_OK)
 
     def post_save(self, build):
         build.create(self.user)
@@ -316,15 +304,13 @@ class ConfigHookViewSet(BaseHookViewSet):
 
     def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=request.data['receive_repo'])
-        user = get_object_or_404(User, username=request.data['receive_user'])
+        request.user = get_object_or_404(User, username=request.data['receive_user'])
         # check the user is authorized for this app
-        if user == app.owner or \
-           user in get_users_with_perms(app) or \
-           user.is_superuser:
-            config = app.release_set.latest().config
-            serializer = self.get_serializer(config)
-            return Response(serializer.data, status=status.HTTP_200_OK)
-        raise PermissionDenied()
+        if not permissions.is_app_user(request, app):
+            raise PermissionDenied()
+        config = app.release_set.latest().config
+        serializer = self.get_serializer(config)
+        return Response(serializer.data, status=status.HTTP_200_OK)
 
 
 class AppPermsViewSet(BaseDeisViewSet):
