

Modified UserObjectsOnlyAuthorization to check auth for update actions
dashdrum authored and rolandgeider committed May 29, 2014
1 parent 3d7668e commit c5e5d78
Showing 3 changed files with 46 additions and 22 deletions.
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -14,4 +14,5 @@ versiontools*
htmlcov

# Editor, etc. configs
.idea/*
.idea/*
/CACHE
38 changes: 17 additions & 21 deletions wger/manager/tests/testcase.py
Expand Up @@ -530,14 +530,13 @@ def test_get(self):
response = self.api_client.get(self.url)
self.assertValidJSONResponse(response)


## NOTE: post is not implemented by tastypie - dashdrum 2/20/2014
def test_post(self):
'''
Tests a POST request
Read-only at the moment, all requests fail
'''

# Only perform the checks on derived classes
# Only perform the checks on derived classes
if self.__class__.__name__ == 'ApiBaseResourceTestCase':
return

Expand All @@ -546,18 +545,19 @@ def test_post(self):
response = self.api_client.post(self.url, data=self.data)
self.assertHttpUnauthorized(response)

# User with access
if self.resource_updatable:
response = self.api_client.post(self.url,
data=self.data,
authentication=self.get_credentials())
self.assertHttpNotImplemented(response)

# If a different user should fail, test
response = self.api_client.post(self.url,
data=self.data,
authentication=self.get_credentials(self.user_fail))
self.assertHttpNotImplemented(response)
self.assertHttpUnauthorized(response)

# User with access
response = self.api_client.post(self.url,
data=self.data,
authentication=self.get_credentials())
self.assertHttpAccepted(response)

# public resource (ingredients, exercises), no authentication needed
else:
Expand All @@ -570,8 +570,6 @@ def test_post(self):
def test_delete(self):
'''
Tests a DELETE request
Read-only at the moment, all requests fail
'''

# Only perform the checks on derived classes
Expand All @@ -583,16 +581,18 @@ def test_delete(self):
response = self.api_client.delete(self.url)
self.assertHttpUnauthorized(response)

# User with access

if self.resource_updatable:
response = self.api_client.delete(self.url, authentication=self.get_credentials())
self.assertHttpUnauthorized(response)

# If a different user should fail, test
authentication = self.get_credentials(self.user_fail)
response = self.api_client.delete(self.url,
authentication=authentication)
self.assertHttpUnauthorized(response)

# User with access
response = self.api_client.delete(self.url, authentication=self.get_credentials())
self.assertHttpAccepted(response)

# public resource (ingredients, exercises), no authentication needed
else:
Expand All @@ -605,8 +605,6 @@ def test_delete(self):
def test_put(self):
'''
Tests a PUT request
Read-only at the moment, all requests fail
'''

# Only perform the checks on derived classes
Expand All @@ -623,7 +621,7 @@ def test_put(self):
response = self.api_client.put(self.url,
data=self.data,
authentication=self.get_credentials())
self.assertHttpUnauthorized(response)
self.assertHttpAccepted(response)

# If a different user should fail, test
response = self.api_client.put(self.url,
Expand All @@ -642,8 +640,6 @@ def test_put(self):
def test_patch(self):
'''
Tests a PATCH request
Read-only at the moment, all requests fail
'''

# Only perform the checks on derived classes
Expand All @@ -660,7 +656,7 @@ def test_patch(self):
response = self.api_client.patch(self.url,
data=self.data,
authentication=self.get_credentials())
self.assertHttpUnauthorized(response)
self.assertHttpAccepted(response)

# If a different user should fail, test
authentication = self.get_credentials(self.user_fail)
Expand Down
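Review bot: In the `if self.resource_updatable:` branch of test_post, the owner's POST is now checked with `self.assertHttpAccepted(response)`, but a successful tastypie create on a list endpoint answers 201 Created, and in the tastypie releases I know `assertHttpAccepted` only admits 202/204, so this assertion would reject the very response the commit wants to allow; `self.assertHttpCreated(response)` is the matching helper. The same `assertHttpAccepted` on the owner's PUT, PATCH and DELETE is only correct while those resources keep tastypie's default 204 (no `always_return_data`), which is worth stating in a one-line comment above those asserts so the next reader does not mistake it for a generic "success" check. The `user_fail` request being issued before the owner's request keeps the 401 expectation independent of the owner's create, which is the right order. test_post, test_delete, test_put and test_patch all start or end outside the visible hunks.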
27 changes: 27 additions & 0 deletions wger/utils/resources.py
Expand Up @@ -15,6 +15,7 @@
import logging

from tastypie.authorization import ReadOnlyAuthorization
from tastypie.exceptions import TastypieError, Unauthorized

logger = logging.getLogger('wger.custom')

Expand All @@ -35,3 +36,29 @@ def read_detail(self, object_list, bundle):
# Objects without owner information can be accessed
except AttributeError:
return True

def create_detail(self, object_list, bundle):
### In what scenario is this method used? - dashdrum 2/20/2014
raise TastypieError('create_detail authorization check')
try:
return bundle.obj.get_owner_object().user == bundle.request.user
except AttributeError:
raise Unauthorized("You are not allowed to access that resource.")

def update_detail(self, object_list, bundle):
# Check for an owner_object and compare users
try:
return bundle.obj.get_owner_object().user == bundle.request.user
# Only objects with owner information should use this authorization class
# Fail authorization attempt if the attribute is not found
except AttributeError:
raise Unauthorized("You are not allowed to access that resource.")

def delete_detail(self, object_list, bundle):
# Check for an owner_object and compare users
try:
return bundle.obj.get_owner_object().user == bundle.request.user
# Only objects with owner information should use this authorization class
# Fail authorization attempt if the attribute is not found
except AttributeError:
raise Unauthorized("You are not allowed to access that resource.")
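Review bot: `create_detail` raises `TastypieError('create_detail authorization check')` as its first statement, so the ownership comparison in the `try` below it is unreachable and any resource whose create path reaches this method answers with a server error instead of an authorization decision, which contradicts the test_post expectations (401 for `user_fail`, success for the owner) in the same commit. If that line is the probe the `###` comment suggests, drop both `### In what scenario is this method used? - dashdrum 2/20/2014` and `raise TastypieError('create_detail authorization check')` so the method mirrors `update_detail` (the `TastypieError` import then becomes unused); if creation is meant to stay closed, `raise Unauthorized("You are not allowed to access that resource.")` so the client receives 401 rather than 500. A caveat for `update_detail` and `delete_detail`: as far as I recall tastypie runs these checks after the bundle has been hydrated from the request body, in which case `bundle.obj.get_owner_object().user` reflects the owner the client submitted rather than the one stored, so the comparison should be made against the persisted row (re-read by `bundle.obj.pk`) or the owner field kept read-only on the resource — worth confirming against the tastypie version pinned here.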
