first pass at formation permissions

Gabriel Monroy · Gabriel Monroy · commit 37ce448e2854 · 2013-12-12T11:28:05.000-07:00
diff --git a/api/fixtures/tests.json b/api/fixtures/tests.json
@@ -7,7 +7,7 @@
         "first_name": "Otto",
         "last_name": "Test",
         "is_active": true,
-        "is_superuser": false,
+        "is_superuser": true,
         "is_staff": true,
         "last_login": "2013-05-10T16:08:09.357Z",
         "groups": [],
diff --git a/api/serializers.py b/api/serializers.py
@@ -50,7 +50,7 @@ class AdminUserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
         fields = ('username', 'is_superuser')
-        read_only_fields = ('username', )
+        read_only_fields = ('username',)
 
 
 class KeySerializer(serializers.ModelSerializer):
@@ -169,7 +169,7 @@ class AppSerializer(serializers.ModelSerializer):
 
     owner = serializers.Field(source='owner.username')
     id = serializers.SlugField(default=utils.generate_app_name)
-    formation = OwnerSlugRelatedField(slug_field='id', required=False)
+    formation = serializers.SlugRelatedField(slug_field='id', required=False)
 
     class Meta:
         """Metadata options for a :class:`AppSerializer`."""
diff --git a/api/views.py b/api/views.py
@@ -94,6 +94,21 @@ def has_permission(self, request, view):
         return request.user.is_superuser
 
 
+class IsAdminOrSafeMethod(permissions.BasePermission):
+    """
+    View permission to allow only admins to use unsafe methods
+    including POST, PUT, DELETE.
+
+    This allows
+    """
+
+    def has_permission(self, request, view):
+        """
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        return request.method in permissions.SAFE_METHODS or request.user.is_superuser
+
+
 class UserRegistrationView(viewsets.GenericViewSet,
                            viewsets.mixins.CreateModelMixin):
     model = User
@@ -187,13 +202,18 @@ def update(self, request, *args, **kwargs):
         return super(FlavorViewSet, self).update(request, *args, **kwargs)
 
 
-class FormationViewSet(OwnerViewSet):
+class FormationViewSet(viewsets.ModelViewSet):
     """RESTful views for :class:`~api.models.Formation`."""
 
     model = models.Formation
     serializer_class = serializers.FormationSerializer
+    permission_classes = (permissions.IsAuthenticated, IsAdminOrSafeMethod)
     lookup_field = 'id'
 
+    def pre_save(self, obj):
+        if not hasattr(obj, 'owner'):
+            obj.owner = self.request.user
+
     def post_save(self, formation, created=False, **kwargs):
         if created:
             formation.build()
@@ -246,14 +266,18 @@ def destroy(self, request, **kwargs):
         return Response(status=status.HTTP_204_NO_CONTENT)
 
 
-class FormationScopedViewSet(OwnerViewSet):
+class FormationScopedViewSet(viewsets.ModelViewSet):
+
+    permission_classes = (permissions.IsAuthenticated, IsAdmin)
+
+    def pre_save(self, obj):
+        if not hasattr(obj, 'owner'):
+            obj.owner = self.request.user
 
     def get_queryset(self, **kwargs):
-        formations = models.Formation.objects.filter(
-            owner=self.request.user)
+        formations = models.Formation.objects.all()
         formation = get_object_or_404(formations, id=self.kwargs['id'])
-        return self.model.objects.filter(owner=self.request.user,
-                                         formation=formation)
+        return self.model.objects.filter(formation=formation)
 
 
 class FormationLayerViewSet(FormationScopedViewSet):
@@ -269,15 +293,14 @@ def get_object(self, *args, **kwargs):
 
     def create(self, request, **kwargs):
         request._data = request.DATA.copy()
-        formation = models.Formation.objects.get(
-            owner=self.request.user, id=self.kwargs['id'])
+        formation = models.Formation.objects.get(id=self.kwargs['id'])
         request.DATA['formation'] = formation.id
         if not 'ssh_private_key' in request.DATA and not 'ssh_public_key' in request.DATA:
             # SECURITY: figure out best way to get keys with proper entropy
             key = RSA.generate(2048)
             request.DATA['ssh_private_key'] = key.exportKey('PEM')
             request.DATA['ssh_public_key'] = key.exportKey('OpenSSH')
-        return OwnerViewSet.create(self, request, **kwargs)
+        return super(FormationLayerViewSet, self).create(request, **kwargs)
 
     def post_save(self, layer, created=False, **kwargs):
         if created:
@@ -302,10 +325,8 @@ def get_object(self, *args, **kwargs):
 
     def add(self, request, **kwargs):
         fqdn = request.DATA['fqdn']
-        formation = models.Formation.objects.get(
-            owner=self.request.user, id=self.kwargs['id'])
-        layer = models.Layer.objects.get(
-            owner=self.request.user, id=request.DATA['layer'])
+        formation = models.Formation.objects.get(id=self.kwargs['id'])
+        layer = models.Layer.objects.get(id=request.DATA['layer'])
         if self.model.objects.filter(fqdn=fqdn, formation=formation, layer=layer).exists():
             msg = "A node with fqdn={} already exists in the {} formation".format(fqdn, formation)
             return Response(data=msg, status=status.HTTP_409_CONFLICT)
@@ -394,7 +415,7 @@ class NodeViewSet(FormationNodeViewSet):
     """RESTful views for :class:`~api.models.Node`."""
 
     def get_queryset(self, **kwargs):
-        return self.model.objects.filter(owner=self.request.user)
+        return self.model.objects.all()
 
     def converge(self, request, **kwargs):
         node = self.get_object()
