Merge branch 'issue_425' into 'master'

[api] Fix access permissions for diff-view on usable objects Closes #425 See merge request !207

Merge branch 'issue_425' into 'master'
22f8fe94 · André Anjos · b1446a4e · aa8b541f · 22f8fe94 · 22f8fe94
Commit 22f8fe94 authored 8 years ago by André Anjos
--- a/beat/web/algorithms/api.py
+++ b/beat/web/algorithms/api.py
@@ -33,8 +33,10 @@ from .serializers import AlgorithmCreationSerializer
 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer

-from ..common.api import (CheckContributionNameView, DiffView,
-                          ListContributionView, ListCreateContributionView)
+from ..common.api import (CheckContributionNameView, ListContributionView,
+    ListCreateContributionView)
+
+from ..code.api import DiffView


 #----------------------------------------------------------

--- a/beat/web/code/api.py
+++ b/beat/web/code/api.py
@@ -29,12 +29,16 @@ from django.utils import six
 from django.shortcuts import get_object_or_404
 from django.core.exceptions import ValidationError

+from rest_framework import generics
+from rest_framework import permissions
 from rest_framework.response import Response
 from rest_framework.exceptions import PermissionDenied, ParseError
 from rest_framework import serializers

+from ..common.responses import ForbiddenResponse
 from ..common.api import ShareView, RetrieveUpdateDestroyContributionView
 from ..common.utils import validate_restructuredtext, ensure_html
+from ..common.serializers import DiffSerializer

 from ..code.models import Code
 from .serializers import CodeSharingSerializer, CodeSerializer
@@ -52,6 +56,43 @@ class ShareCodeView(ShareView):
        obj.share(public=public, users=users, teams=teams)


+class DiffView(generics.RetrieveAPIView):
+    model = Code
+    permission_classes = [permissions.IsAuthenticated]
+    serializer_class = DiffSerializer
+
+    def get(self, request, author1, name1, version1, author2, name2, version2):
+        # Retrieve the objects
+        try:
+            object1 = self.model.objects.get(author__username__iexact=author1,
+                                               name__iexact=name1,
+                                               version=int(version1))
+        except:
+            return Response('%s/%s/%s' % (author1, name1, version1), status=404)
+
+        try:
+            object2 = self.model.objects.get(author__username__iexact=author2,
+                                               name__iexact=name2,
+                                               version=int(version2))
+        except:
+            return Response('%s/%s/%s' % (author2, name2, version2), status=404)
+
+
+        # Check that the user can access them
+        accessibility = object1.accessibility_for(request.user)
+        if not accessibility[1]:
+            return ForbiddenResponse(object1.fullname())
+
+        accessibility = object2.accessibility_for(request.user)
+        if not accessibility[1]:
+            return ForbiddenResponse(object2.fullname())
+
+        # Compute the diff
+        serializer = self.get_serializer({'object1': object1,
+                                          'object2': object2})
+        return Response(serializer.data)
+
+
 class RetrieveUpdateDestroyCodeView(RetrieveUpdateDestroyContributionView):
    model = Code
    serializer_class = CodeSerializer

--- a/beat/web/libraries/api.py
+++ b/beat/web/libraries/api.py
@@ -33,9 +33,10 @@ from .serializers import LibraryCreationSerializer
 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer

-from ..common.api import (CheckContributionNameView, DiffView,
-                          ListContributionView, ListCreateContributionView)
+from ..common.api import (CheckContributionNameView, ListContributionView,
+    ListCreateContributionView)

+from ..code.api import DiffView

 #----------------------------------------------------------


--- a/beat/web/plotters/api.py
+++ b/beat/web/plotters/api.py
@@ -34,8 +34,9 @@ from django.db.models import Q

 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer
+from ..code.api import DiffView

-from ..common.api import (CheckContributionNameView, ShareView, DiffView,
+from ..common.api import (CheckContributionNameView, ShareView,
                          ListContributionView, ListCreateContributionView, RetrieveUpdateDestroyContributionView)
 from ..common.utils import validate_restructuredtext, ensure_html
 from ..common.responses import BadRequestResponse