forked from inventree/InvenTree
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathapi.py
More file actions
190 lines (133 loc) · 5.27 KB
/
api.py
File metadata and controls
190 lines (133 loc) · 5.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
"""DRF API definition for the 'users' app"""
from django.contrib.auth.models import User
from django.core.exceptions import ObjectDoesNotExist
from django.urls import include, path, re_path
from django_filters.rest_framework import DjangoFilterBackend
from rest_framework import filters, permissions, status
from rest_framework.authtoken.models import Token
from rest_framework.response import Response
from rest_framework.views import APIView
from InvenTree.mixins import ListAPI, RetrieveAPI, RetrieveUpdateAPI
from InvenTree.serializers import UserSerializer
from users.models import Owner, RuleSet, check_user_role
from users.serializers import OwnerSerializer
class OwnerList(ListAPI):
"""List API endpoint for Owner model.
Cannot create.
"""
queryset = Owner.objects.all()
serializer_class = OwnerSerializer
def filter_queryset(self, queryset):
"""Implement text search for the "owner" model.
Note that an "owner" can be either a group, or a user,
so we cannot do a direct text search.
A "hack" here is to post-process the queryset and simply
remove any values which do not match.
It is not necessarily "efficient" to do it this way,
but until we determine a better way, this is what we have...
"""
search_term = str(self.request.query_params.get('search', '')).lower()
queryset = super().filter_queryset(queryset)
if not search_term:
return queryset
results = []
# Extract search term f
for result in queryset.all():
if search_term in result.name().lower():
results.append(result)
return results
class OwnerDetail(RetrieveAPI):
"""Detail API endpoint for Owner model.
Cannot edit or delete
"""
queryset = Owner.objects.all()
serializer_class = OwnerSerializer
class RoleDetails(APIView):
"""API endpoint which lists the available role permissions for the current user.
(Requires authentication)
"""
permission_classes = [
permissions.IsAuthenticated
]
def get(self, request, *args, **kwargs):
"""Return the list of roles / permissions available to the current user"""
user = request.user
roles = {}
for ruleset in RuleSet.RULESET_CHOICES:
role, text = ruleset
permissions = []
for permission in RuleSet.RULESET_PERMISSIONS:
if check_user_role(user, role, permission):
permissions.append(permission)
if len(permissions) > 0:
roles[role] = permissions
else:
roles[role] = None # pragma: no cover
data = {
'user': user.pk,
'username': user.username,
'roles': roles,
'is_staff': user.is_staff,
'is_superuser': user.is_superuser,
}
return Response(data)
class UserDetail(RetrieveAPI):
"""Detail endpoint for a single user."""
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = (permissions.IsAuthenticated,)
class MeUserDetail(RetrieveUpdateAPI, UserDetail):
"""Detail endpoint for current user."""
def get_object(self):
"""Always return the current user object"""
return self.request.user
class UserList(ListAPI):
"""List endpoint for detail on all users."""
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = (permissions.IsAuthenticated,)
filter_backends = [
DjangoFilterBackend,
filters.SearchFilter,
]
search_fields = [
'first_name',
'last_name',
'username',
]
class GetAuthToken(APIView):
"""Return authentication token for an authenticated user."""
permission_classes = [
permissions.IsAuthenticated,
]
def get(self, request, *args, **kwargs):
"""Return an API token if the user is authenticated
- If the user already has a token, return it
- Otherwise, create a new token
"""
if request.user.is_authenticated:
# Get the user token (or create one if it does not exist)
token, created = Token.objects.get_or_create(user=request.user)
return Response({
'token': token.key,
})
def delete(self, request):
"""User has requested deletion of API token"""
try:
request.user.auth_token.delete()
return Response({"success": "Successfully logged out."},
status=status.HTTP_202_ACCEPTED)
except (AttributeError, ObjectDoesNotExist):
return Response({"error": "Bad request"},
status=status.HTTP_400_BAD_REQUEST)
user_urls = [
re_path(r'roles/?$', RoleDetails.as_view(), name='api-user-roles'),
re_path(r'token/?$', GetAuthToken.as_view(), name='api-token'),
re_path(r'^me/', MeUserDetail.as_view(), name='api-user-me'),
re_path(r'^owner/', include([
path('<int:pk>/', OwnerDetail.as_view(), name='api-owner-detail'),
re_path(r'^.*$', OwnerList.as_view(), name='api-owner-list'),
])),
re_path(r'^(?P<pk>[0-9]+)/?$', UserDetail.as_view(), name='user-detail'),
path('', UserList.as_view()),
]