Merge pull request #1604 from normanjaeckel/OptionsPermissions

Set permissions for OPTIONS requests.
This commit is contained in:
Norman Jäckel 2015-09-04 15:51:43 +02:00
commit 6b747c8cef
10 changed files with 80 additions and 46 deletions

View File

@ -18,6 +18,7 @@
"angular-gettext": "~2.0.2",
"angular-sanitize": "~1.3.15",
"angular-xeditable": "~0.1.9",
"js-data": "~1.8.0",
"js-data-angular": "~2.1.0",
"ng-fab-form": "~1.2.7",
"ngBootbox": "~0.0.5",

View File

@ -26,8 +26,8 @@ class ItemViewSet(ModelViewSet):
"""
API endpoint for agenda items.
There are the following views: list, retrieve, create, partial_update,
update, destroy, manage_speaker, speak and tree.
There are the following views: metadata, list, retrieve, create,
partial_update, update, destroy, manage_speaker, speak and tree.
"""
queryset = Item.objects.all()
serializer_class = ItemSerializer
@ -36,7 +36,7 @@ class ItemViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve', 'manage_speaker', 'tree'):
if self.action in ('metadata', 'list', 'retrieve', 'manage_speaker', 'tree'):
result = self.request.user.has_perm('agenda.can_see')
# For manage_speaker and tree requests the rest of the check is
# done in the specific method. See below.
@ -113,7 +113,7 @@ class ItemViewSet(ModelViewSet):
try:
Speaker.objects.add(user, item)
except OpenSlidesError as e:
raise ValidationError({'detail': e})
raise ValidationError({'detail': str(e)})
message = _('User %s was successfully added to the list of speakers.') % user
else:

View File

@ -43,9 +43,9 @@ class AssignmentViewSet(ModelViewSet):
"""
API endpoint for assignments.
There are the following views: list, retrieve, create, partial_update,
update, destroy, candidature_self, candidature_other, mark_elected and
create_poll.
There are the following views: metadata, list, retrieve, create,
partial_update, update, destroy, candidature_self, candidature_other,
mark_elected and create_poll.
"""
queryset = Assignment.objects.all()
@ -53,7 +53,7 @@ class AssignmentViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('assignments.can_see')
elif self.action in ('create', 'partial_update', 'update', 'destroy',
'mark_elected', 'create_poll'):

View File

@ -218,8 +218,8 @@ class CustomSlideViewSet(ModelViewSet):
"""
API endpoint for custom slides.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = CustomSlide.objects.all()
serializer_class = CustomSlideSerializer
@ -235,8 +235,8 @@ class TagViewSet(ModelViewSet):
"""
API endpoint for tags.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = Tag.objects.all()
serializer_class = TagSerializer
@ -245,9 +245,9 @@ class TagViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
# Every authenticated user can list or retrieve tags.
# Anonymous users can do so if they are enabled.
if self.action in ('metadata', 'list', 'retrieve'):
# Every authenticated user can see the metadata and list or
# retrieve tags. Anonymous users can do so if they are enabled.
result = self.request.user.is_authenticated() or config['general_system_enable_anonymous']
elif self.action in ('create', 'update', 'destroy'):
result = self.request.user.has_perm('core.can_manage_tags')
@ -287,7 +287,7 @@ class ConfigViewSet(ViewSet):
"""
API endpoint for the config.
There are the following views: list, retrieve and update.
There are the following views: metadata, list, retrieve and update.
"""
metadata_class = ConfigMetadata
@ -295,9 +295,10 @@ class ConfigViewSet(ViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
# Every authenticated user can list or retrieve the config.
# Anonymous users can do so if they are enabled.
if self.action in ('metadata', 'list', 'retrieve'):
# Every authenticated user can see the metadata and list or
# retrieve the config. Anonymous users can do so if they are
# enabled.
result = self.request.user.is_authenticated() or config['general_system_enable_anonymous']
elif self.action == 'update':
result = self.request.user.has_perm('core.can_manage_config')
@ -337,7 +338,7 @@ class ConfigViewSet(ViewSet):
except ConfigNotFound:
raise Http404
except ConfigError as e:
raise ValidationError({'detail': e})
raise ValidationError({'detail': str(e)})
# Return response.
return Response({'key': key, 'value': value})

View File

@ -10,8 +10,8 @@ class MediafileViewSet(ModelViewSet):
"""
API endpoint for mediafile objects.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = Mediafile.objects.all()
serializer_class = MediafileSerializer
@ -22,7 +22,7 @@ class MediafileViewSet(ModelViewSet):
"""
# TODO: Use mediafiles.can_upload permission to create and update some
# objects but restricted concerning the uploader.
if self.action in ('list', 'retrieve'):
if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('mediafiles.can_see')
elif self.action in ('create', 'partial_update', 'update'):
result = (self.request.user.has_perm('mediafiles.can_see') and

View File

@ -0,0 +1,32 @@
from django.conf import settings
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('motions', '0001_initial'),
]
operations = [
migrations.AlterField(
model_name='motion',
name='attachments',
field=models.ManyToManyField(blank=True, to='mediafiles.Mediafile'),
),
migrations.AlterField(
model_name='motion',
name='submitters',
field=models.ManyToManyField(blank=True, related_name='motion_submitters', to=settings.AUTH_USER_MODEL),
),
migrations.AlterField(
model_name='motion',
name='supporters',
field=models.ManyToManyField(blank=True, related_name='motion_supporters', to=settings.AUTH_USER_MODEL),
),
migrations.AlterField(
model_name='motion',
name='tags',
field=models.ManyToManyField(blank=True, to='core.Tag'),
),
]

View File

@ -69,7 +69,7 @@ class Motion(RESTModelMixin, models.Model):
ForeignKey to one category of motions.
"""
attachments = models.ManyToManyField(Mediafile)
attachments = models.ManyToManyField(Mediafile, blank=True)
"""
Many to many relation to mediafile objects.
"""
@ -81,17 +81,17 @@ class Motion(RESTModelMixin, models.Model):
Null if the motion is not an amendment.
"""
tags = models.ManyToManyField(Tag)
tags = models.ManyToManyField(Tag, blank=True)
"""
Tags to categorise motions.
"""
submitters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name='motion_submitters')
submitters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name='motion_submitters', blank=True)
"""
Users who submit this motion.
"""
supporters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name='motion_supporters')
supporters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name='motion_supporters', blank=True)
"""
Users who support this motion.
"""

View File

@ -30,8 +30,8 @@ class MotionViewSet(ModelViewSet):
"""
API endpoint for motions.
There are the following views: list, retrieve, create, partial_update,
update, destroy, manage_version, support and set_state.
There are the following views: metadata, list, retrieve, create,
partial_update, update, destroy, manage_version, support and set_state.
"""
queryset = Motion.objects.all()
serializer_class = MotionSerializer
@ -40,7 +40,7 @@ class MotionViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve', 'partial_update', 'update'):
if self.action in ('metadata', 'list', 'retrieve', 'partial_update', 'update'):
result = self.request.user.has_perm('motions.can_see')
# For partial_update and update requests the rest of the check is
# done in the update method. See below.
@ -236,8 +236,8 @@ class CategoryViewSet(ModelViewSet):
"""
API endpoint for categories.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = Category.objects.all()
serializer_class = CategorySerializer
@ -246,7 +246,7 @@ class CategoryViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('motions.can_see')
elif self.action in ('create', 'partial_update', 'update', 'destroy'):
result = (self.request.user.has_perm('motions.can_see') and
@ -260,8 +260,8 @@ class WorkflowViewSet(ModelViewSet):
"""
API endpoint for workflows.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = Workflow.objects.all()
serializer_class = WorkflowSerializer
@ -270,7 +270,7 @@ class WorkflowViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('motions.can_see')
elif self.action in ('create', 'partial_update', 'update', 'destroy'):
result = (self.request.user.has_perm('motions.can_see') and

View File

@ -24,8 +24,8 @@ class UserViewSet(ModelViewSet):
"""
API endpoint for users.
There are the following views: list, retrieve, create, partial_update,
update, destroy and reset_password.
There are the following views: metadata, list, retrieve, create,
partial_update, update, destroy and reset_password.
"""
queryset = User.objects.all()
@ -33,7 +33,7 @@ class UserViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('users.can_see_name')
elif self.action in ('create', 'partial_update', 'update', 'destroy', 'reset_password'):
result = (self.request.user.has_perm('users.can_see_name') and
@ -72,8 +72,8 @@ class GroupViewSet(ModelViewSet):
"""
API endpoint for groups.
There are the following views: list, retrieve, create, partial_update,
update and destroy.
There are the following views: metadata, list, retrieve, create,
partial_update, update and destroy.
"""
queryset = Group.objects.all()
serializer_class = GroupSerializer
@ -82,9 +82,9 @@ class GroupViewSet(ModelViewSet):
"""
Returns True if the user has required permissions.
"""
if self.action in ('list', 'retrieve'):
# Every authenticated user can list or retrieve groups.
# Anonymous users can do so if they are enabled.
if self.action in ('metadata', 'list', 'retrieve'):
# Every authenticated user can see the metadata and list or
# retrieve groups. Anonymous users can do so if they are enabled.
result = self.request.user.is_authenticated() or config['general_system_enable_anonymous']
elif self.action in ('create', 'partial_update', 'update', 'destroy'):
# Users with all app permissions can edit groups.

View File

@ -3,7 +3,7 @@ Django>=1.7.1,<1.9
beautifulsoup4>=4.1,<4.4
bleach>=1.4,<1.5
django-haystack>=2.1,<2.5
djangorestframework>=3.0.5,<3.2.0
djangorestframework>=3.2.0,<3.3.0
jsonfield>=0.9.19,<1.1
natsort>=3.2,<4.1
reportlab>=3.0,<3.3