From aa8b541f0b730ceab07e233e83dce15fc53b5b06 Mon Sep 17 00:00:00 2001
From: Andre Anjos <andre.dos.anjos@gmail.com>
Date: Fri, 1 Jul 2016 12:48:41 +0200
Subject: [PATCH] [api] Fix access permissions for diff-view on usable objects

---
 beat/web/algorithms/api.py |  6 ++++--
 beat/web/code/api.py       | 41 ++++++++++++++++++++++++++++++++++++++
 beat/web/libraries/api.py  |  5 +++--
 beat/web/plotters/api.py   |  3 ++-
 4 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/beat/web/algorithms/api.py b/beat/web/algorithms/api.py
index feca27acc..e9b7c7723 100644
--- a/beat/web/algorithms/api.py
+++ b/beat/web/algorithms/api.py
@@ -33,8 +33,10 @@ from .serializers import AlgorithmCreationSerializer
 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer
 
-from ..common.api import (CheckContributionNameView, DiffView,
-                          ListContributionView, ListCreateContributionView)
+from ..common.api import (CheckContributionNameView, ListContributionView,
+    ListCreateContributionView)
+
+from ..code.api import DiffView
 
 
 #----------------------------------------------------------
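Review bot: The new `from ..code.api import DiffView` duplicates the `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView` line at the top of the hunk, which is a point of style rather than behaviour; merging them into `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView, DiffView` keeps every name taken from that module in one statement. The re-wrapped `..common.api` import also switches from bracket-aligned continuation to a four-space hanging indent, so the three touched files now mix both styles; pick one.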
diff --git a/beat/web/code/api.py b/beat/web/code/api.py
index 22ebaac24..1a0fdd037 100644
--- a/beat/web/code/api.py
+++ b/beat/web/code/api.py
@@ -29,12 +29,16 @@ from django.utils import six
 from django.shortcuts import get_object_or_404
 from django.core.exceptions import ValidationError
 
+from rest_framework import generics
+from rest_framework import permissions
 from rest_framework.response import Response
 from rest_framework.exceptions import PermissionDenied, ParseError
 from rest_framework import serializers
 
+from ..common.responses import ForbiddenResponse
 from ..common.api import ShareView, RetrieveUpdateDestroyContributionView
 from ..common.utils import validate_restructuredtext, ensure_html
+from ..common.serializers import DiffSerializer
 
 from ..code.models import Code
 from .serializers import CodeSharingSerializer, CodeSerializer
@@ -52,6 +56,43 @@ class ShareCodeView(ShareView):
         obj.share(public=public, users=users, teams=teams)
 
 
+class DiffView(generics.RetrieveAPIView):
+    model = Code
+    permission_classes = [permissions.IsAuthenticated]
+    serializer_class = DiffSerializer
+
+    def get(self, request, author1, name1, version1, author2, name2, version2):
+        # Retrieve the objects
+        try:
+            object1 = self.model.objects.get(author__username__iexact=author1,
+                                               name__iexact=name1,
+                                               version=int(version1))
+        except:
+            return Response('%s/%s/%s' % (author1, name1, version1), status=404)
+
+        try:
+            object2 = self.model.objects.get(author__username__iexact=author2,
+                                               name__iexact=name2,
+                                               version=int(version2))
+        except:
+            return Response('%s/%s/%s' % (author2, name2, version2), status=404)
+
+
+        # Check that the user can access them
+        accessibility = object1.accessibility_for(request.user)
+        if not accessibility[1]:
+            return ForbiddenResponse(object1.fullname())
+
+        accessibility = object2.accessibility_for(request.user)
+        if not accessibility[1]:
+            return ForbiddenResponse(object2.fullname())
+
+        # Compute the diff
+        serializer = self.get_serializer({'object1': object1,
+                                          'object2': object2})
+        return Response(serializer.data)
+
+
 class RetrieveUpdateDestroyCodeView(RetrieveUpdateDestroyContributionView):
     model = Code
     serializer_class = CodeSerializer
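Review bot: Both lookups in `DiffView.get` use a bare `except:`, which turns `MultipleObjectsReturned`, database errors and even `KeyboardInterrupt` into a 404; narrow each to `except (self.model.DoesNotExist, ValueError):` — `ValueError` must stay in the tuple because `int(version1)` raises it for a non-numeric path segment. A second point to consider is that the 404 is returned before `accessibility_for` is consulted, so any authenticated user can tell an object that does not exist apart from one that exists but is forbidden, which leaks the existence of private objects by author and name; if that matters for this deployment, the forbidden branch should answer exactly like the missing branch. The test `if not accessibility[1]` also deserves a comment such as `# index 1 of accessibility_for() is the read flag — confirm against Code.accessibility_for`, since the tuple layout is not visible from this file.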
diff --git a/beat/web/libraries/api.py b/beat/web/libraries/api.py
index e7e592a3a..2473d1c9a 100644
--- a/beat/web/libraries/api.py
+++ b/beat/web/libraries/api.py
@@ -33,9 +33,10 @@ from .serializers import LibraryCreationSerializer
 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer
 
-from ..common.api import (CheckContributionNameView, DiffView,
-                          ListContributionView, ListCreateContributionView)
+from ..common.api import (CheckContributionNameView, ListContributionView,
+    ListCreateContributionView)
 
+from ..code.api import DiffView
 
 #----------------------------------------------------------
 
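Review bot: The added `from ..code.api import DiffView` duplicates the `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView` statement at the top of the hunk, a point of style only; merging them into `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView, DiffView` keeps the module's imports from `code.api` in one place. The trailing blank line after the new import also leaves two consecutive blank lines before the separator, matching neither the previous layout nor the other two touched files.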
diff --git a/beat/web/plotters/api.py b/beat/web/plotters/api.py
index 0838d4052..a0960a9a4 100644
--- a/beat/web/plotters/api.py
+++ b/beat/web/plotters/api.py
@@ -34,8 +34,9 @@ from django.db.models import Q
 
 from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView
 from ..code.serializers import CodeDiffSerializer
+from ..code.api import DiffView
 
-from ..common.api import (CheckContributionNameView, ShareView, DiffView,
+from ..common.api import (CheckContributionNameView, ShareView,
                           ListContributionView, ListCreateContributionView, RetrieveUpdateDestroyContributionView)
 from ..common.utils import validate_restructuredtext, ensure_html
 from ..common.responses import BadRequestResponse
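Review bot: The added `from ..code.api import DiffView` sits two lines below `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView`, a style point; folding it into that statement as `from ..code.api import ShareCodeView, RetrieveUpdateDestroyCodeView, DiffView` avoids two imports from the same module. Note that this file still imports `RetrieveUpdateDestroyContributionView` from `..common.api` while `DiffView` now comes from `..code.api`, so the `Code`-based `DiffView` with its `accessibility_for` check is presumably what plotters want; if plotters are not `Code` subclasses this should be confirmed against the plotter model.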
-- 
GitLab