diff --git a/mayan/apps/user_management/api_views.py b/mayan/apps/user_management/api_views.py index 58b66f6222..e4963ee5c2 100644 --- a/mayan/apps/user_management/api_views.py +++ b/mayan/apps/user_management/api_views.py @@ -1,12 +1,12 @@ from __future__ import unicode_literals from django.contrib.auth import get_user_model -from django.contrib.auth.models import Group, User +from django.contrib.auth.models import Group +from django.shortcuts import get_object_or_404 from rest_framework import generics -from rest_framework.response import Response -from rest_framework.views import APIView +from acls.models import AccessControlList from rest_api.filters import MayanObjectPermissionsFilter from rest_api.permissions import MayanPermission @@ -15,8 +15,44 @@ from .permissions import ( permission_group_view, permission_user_create, permission_user_delete, permission_user_edit, permission_user_view ) -from .serializers import GroupSerializer, UserSerializer -from rest_framework import authentication, permissions +from .serializers import ( + GroupSerializer, UserSerializer, UserGroupListSerializer +) + + +class APICurrentUserView(generics.RetrieveUpdateDestroyAPIView): + serializer_class = UserSerializer + + def get_object(self): + return self.request.user + + def delete(self, *args, **kwargs): + """ + Delete the current user. + """ + + return super(APICurrentUserView, self).delete(*args, **kwargs) + + def get(self, *args, **kwargs): + """ + Return the details of the current user. + """ + + return super(APICurrentUserView, self).get(*args, **kwargs) + + def patch(self, *args, **kwargs): + """ + Partially edit the current user. + """ + + return super(APICurrentUserView, self).patch(*args, **kwargs) + + def put(self, *args, **kwargs): + """ + Edit the current user. + """ + + return super(APICurrentUserView, self).put(*args, **kwargs) class APIGroupListView(generics.ListCreateAPIView): @@ -144,74 +180,50 @@ class APIUserView(generics.RetrieveUpdateDestroyAPIView): return super(APIUserView, self).put(*args, **kwargs) -class APICurrentUserView(generics.RetrieveUpdateDestroyAPIView): - serializer_class = UserSerializer - - def get_object(self): - return self.request.user - - def delete(self, *args, **kwargs): - """ - Delete the current user. - """ - - return super(APICurrentUserView, self).delete(*args, **kwargs) - - def get(self, *args, **kwargs): - """ - Return the details of the current user. - """ - - return super(APICurrentUserView, self).get(*args, **kwargs) - - def patch(self, *args, **kwargs): - """ - Partially edit the current user. - """ - - return super(APICurrentUserView, self).patch(*args, **kwargs) - - def put(self, *args, **kwargs): - """ - Edit the current user. - """ - - return super(APICurrentUserView, self).put(*args, **kwargs) - -class APIUserGroupMap(APIView): +class APIUserGroupList(generics.ListCreateAPIView): """ - View to map user with groups - - - **Arguments:** - - request: Http request object. - - pk:primary key of User - - **Returns:** User Details - - **Raises:** Nothing. - - This methods handles http POST request. - - This method map users with group. - - - * Requires token authentication.\n - * Only admin users are able to access this view. + Returns a list of all the groups to which an user belongs. """ - authentication_classes = (authentication.TokenAuthentication,) - permission_classes = (permissions.IsAdminUser,) - - def post(self, request,pk,format=None): + + mayan_object_permissions = { + 'GET': (permission_user_view,), + 'POST': (permission_user_edit,) + } + permission_classes = (MayanPermission,) + + def get_serializer_class(self): + if self.request.method == 'GET': + return GroupSerializer + elif self.request.method == 'POST': + return UserGroupListSerializer + + def get_serializer_context(self): """ - Maps user with groups + Extra context provided to the serializer class. """ - groups = request.POST['group_ids'].split(',') - userObj = User.objects.get(pk=pk) - for group in groups: - groupObj = Group.objects.get(pk=group) - groupObj.user_set.add(userObj) - mapped_group_ids = userObj.groups.all().values_list('id', flat=True) - result = { "id":userObj.id,"groups":mapped_group_ids,"username":userObj.username, - "fname":userObj.first_name,"lname":userObj.last_name } - return Response({ 'data':result }) + return { + 'format': self.format_kwarg, + 'request': self.request, + 'user': self.get_user(), + 'view': self + } + + def get_queryset(self): + user = self.get_user() + + return AccessControlList.objects.filter_by_access( + permission_group_view, self.request.user, + queryset=user.groups.all() + ) + + def get_user(self): + return get_object_or_404(get_user_model(), pk=self.kwargs['pk']) + + def perform_create(self, serializer): + serializer.save(user=self.get_user()) + + def post(self, request, *args, **kwargs): + """ + Add a user to a list of groups. + """ + return super(APIUserGroupList, self).post(request, *args, **kwargs) diff --git a/mayan/apps/user_management/serializers.py b/mayan/apps/user_management/serializers.py index 0165b5e1f4..6562b40aa9 100644 --- a/mayan/apps/user_management/serializers.py +++ b/mayan/apps/user_management/serializers.py @@ -3,8 +3,10 @@ from __future__ import unicode_literals from django.contrib.auth import get_user_model from django.contrib.auth.models import Group from django.contrib.auth.password_validation import validate_password +from django.utils.translation import ugettext_lazy as _ from rest_framework import serializers +from rest_framework.exceptions import ValidationError class GroupSerializer(serializers.HyperlinkedModelSerializer): @@ -21,6 +23,27 @@ class GroupSerializer(serializers.HyperlinkedModelSerializer): return instance.user_set.count() +class UserGroupListSerializer(serializers.Serializer): + group_pk_list = serializers.CharField( + help_text=_( + 'Comma separated list of group primary keys to assign this ' + 'user to.' + ) + ) + + def create(self, validated_data): + validated_data['user'].groups.clear() + try: + pk_list = validated_data['group_pk_list'].split(',') + + for group in Group.objects.filter(pk__in=pk_list): + validated_data['user'].groups.add(group) + except Exception as exception: + raise ValidationError(exception) + + return {'group_pk_list': validated_data['group_pk_list']} + + class UserSerializer(serializers.HyperlinkedModelSerializer): groups = GroupSerializer(many=True) diff --git a/mayan/apps/user_management/urls.py b/mayan/apps/user_management/urls.py index 1231c45e0c..583ad581b5 100644 --- a/mayan/apps/user_management/urls.py +++ b/mayan/apps/user_management/urls.py @@ -3,8 +3,8 @@ from __future__ import unicode_literals from django.conf.urls import url from .api_views import ( - APICurrentUserView, APIGroupListView, APIGroupView, APIUserListView, - APIUserView, APIUserGroupMap + APICurrentUserView, APIGroupListView, APIGroupView, APIUserGroupList, + APIUserListView, APIUserView ) from .views import ( GroupCreateView, GroupDeleteView, GroupEditView, GroupListView, @@ -64,6 +64,8 @@ api_urls = [ url( r'^users/current/$', APICurrentUserView.as_view(), name='user-current' ), - url(r'^users/(?P[0-9]+)/groups/$',APIUserGroupMap.as_view(), - name='users-group-map'), + url( + r'^users/(?P[0-9]+)/groups/$', APIUserGroupList.as_view(), + name='users-group-list' + ), ]