permissiosn rough draft

CenterForOpenScience · Feb 14, 2024 · 63cbfa5 · 63cbfa5
1 parent fb7c73b
commit 63cbfa5
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 3 deletions.
diff --git a/addon_service/authorized_storage_account/serializers.py b/addon_service/authorized_storage_account/serializers.py
@@ -47,6 +47,7 @@ def __init__(self, *args, **kwargs):
         many=False,
         queryset=UserReference.objects.all(),
         related_link_view_name=f"{RESOURCE_NAME}-related",
+        read_only=True
     )
     external_storage_service = ExternalStorageServiceField(
         queryset=ExternalStorageService.objects.all(),

diff --git a/addon_service/authorized_storage_account/views.py b/addon_service/authorized_storage_account/views.py
@@ -3,8 +3,17 @@
 from .models import AuthorizedStorageAccount
 from .serializers import AuthorizedStorageAccountSerializer
 
+from addon_service.common.permissions import IsAuthenticated, SessionUserIsAccountOwner
 from addon_service.common.viewsets import RetrieveWriteViewSet
 
 class AuthorizedStorageAccountViewSet(RetrieveWriteViewSet):
     queryset = AuthorizedStorageAccount.objects.all()
     serializer_class = AuthorizedStorageAccountSerializer
+
+    def get_permissions(self):
+        if self.action in ['retrieve', 'update', 'destroy']:
+            return [SessionUserIsAccountOwner()]
+        elif self.action == 'create':
+            return [IsAuthenticated()]
+        else:
+            raise RuntimeError #todo, better exception
diff --git a/addon_service/common/permissions.py b/addon_service/common/permissions.py
@@ -0,0 +1,15 @@
+
+class SessionUserIsAccountOwner(): #Add appropriate base class
+
+    def get_user_uri_for_view(self, view):
+        raise NotImplementedError('Subclass must implement this')
+
+    def has_object_permission(self, request, view, obj):
+        session_user_uri = request.session.get('user_reference_uri')
+        return session_user_uri == obj.account_owner.uri
+
+
+class IsAuthenticated:
+
+    def has_permission(self, request, view):
+        return request.session.get('user_reference_uri') is not None
diff --git a/addon_service/external_storage_service/views.py b/addon_service/external_storage_service/views.py
@@ -1,10 +1,10 @@
-from rest_framework_json_api.views import ReadOnlyViewSet
+from rest_framework_json_api.views import ReadOnlyModelViewSet
 
 from .models import ExternalStorageService
 from .serializers import ExternalStorageServiceSerializer
 
 
-class ExternalStorageServiceViewSet(ReadOnlyViewSet):
+class ExternalStorageServiceViewSet(ReadOnlyModelViewSet):
     queryset = ExternalStorageService.objects.all()
     serializer_class = ExternalStorageServiceSerializer
     # TODO: permissions_classes
diff --git a/addon_service/user_reference/models.py b/addon_service/user_reference/models.py
@@ -7,6 +7,11 @@
 class UserReference(AddonsServiceBaseModel):
     user_uri = models.URLField(unique=True, db_index=True, null=False)
 
+
+    @property
+    def account_owner(self):
+        return self
+
     @property
     def authorized_storage_accounts(self):
         return AuthorizedStorageAccount.objects.filter(

diff --git a/addon_service/user_reference/views.py b/addon_service/user_reference/views.py
@@ -1,9 +1,11 @@
 from .models import UserReference
 from .serializers import UserReferenceSerializer
 
+from addon_service.common.permissions import SessionUserIsAccountOwner
 from addon_service.common.viewsets import RetrieveOnlyViewSet
 
+
 class UserReferenceViewSet(RetrieveOnlyViewSet):
     queryset = UserReference.objects.all()
     serializer_class = UserReferenceSerializer
-    # TODO: permissions_classes
+    permissions = [SessionUserIsAccountOwner]