Refactor the REST API app

Remove the APIRoot view.

Remove the Endpoint class.

Remove the EndpointSerializer.

Move API documentation generation from the root urls module
to the app's urls module.

Update the app API URL generation to be based on viewsets
instead of an custom api_urls list.

Remove MayanObjectPermissionsFilter and replace it with
MayanViewSetObjectPermissionsFilter which allows mapping
a required permission to a specific viewset action.

Signed-off-by: Roberto Rosario <Roberto.Rosario@mayan-edms.com>

mayan/apps/rest_api/permissions.py

@@ -1,26 +1,31 @@
-from __future__ import absolute_import
-
-from __future__ import unicode_literals
+from __future__ import absolute_import, unicode_literals
 
 from django.core.exceptions import PermissionDenied
-from django.http import Http404
 
 from rest_framework.permissions import BasePermission
 
-from mayan.apps.acls.models import AccessControlList
 from mayan.apps.permissions import Permission
 
 
-class MayanPermission(BasePermission):
+class MayanViewSetPermission(BasePermission):
     def has_permission(self, request, view):
-        required_permission = getattr(
-            view, 'mayan_view_permissions', {}
-        ).get(request.method, None)
+        """
+        Block the API view by access using a permission.
+        Required the view_permission_map class attribute which is a dictionary
+        that matches a view actions ('create', 'destroy', etc) to a single
+        permission instance.
+        Example: view_permission_map = {
+            'update': permission_..._edit
+            'list': permission_..._view
+        }
+        """
+        view_permission_dictionary = getattr(view, 'view_permission_map', {})
+        view_permission = view_permission_dictionary.get(view.action, None)
 
-        if required_permission:
+        if view_permission:
             try:
-                Permission.check_permissions(
-                    requester=request.user, permissions=required_permission
+                Permission.check_user_permission(
+                    permission=view_permission, user=request.user
                 )
             except PermissionDenied:
                 return False
@@ -28,35 +33,3 @@ class MayanPermission(BasePermission):
                 return True
         else:
             return True
-
-    def has_object_permission(self, request, view, obj):
-        required_permission = getattr(
-            view, 'mayan_object_permissions', {}
-        ).get(request.method, None)
-
-        object_permissions_raise_404 = getattr(
-            view, 'mayan_object_permissions_raise_404', ()
-        )
-
-        if required_permission:
-            try:
-                if hasattr(view, 'mayan_permission_attribute_check'):
-                    AccessControlList.objects.check_access(
-                        permissions=required_permission,
-                        user=request.user, obj=obj,
-                        related=view.mayan_permission_attribute_check
-                    )
-                else:
-                    AccessControlList.objects.check_access(
-                        permissions=required_permission, user=request.user,
-                        obj=obj
-                    )
-            except PermissionDenied:
-                if request.method in object_permissions_raise_404:
-                    raise Http404
-                else:
-                    return False
-            else:
-                return True
-        else:
-            return True