diff --git a/api/accounting/views.py b/api/accounting/views.py
index 231e9c2..b436f4a 100644
--- a/api/accounting/views.py
+++ b/api/accounting/views.py
@@ -1,7 +1,5 @@
-import django_filters
 from django.db.models import Q
-from django.shortcuts import render
-from rest_framework import filters, permissions, viewsets
+from rest_framework import permissions, viewsets, authtoken
 from utils import perm_method
 from web import settings
@@ -11,9 +9,13 @@
 ProjectSerializer, PurchaseSerializer, CreateProjectApprovalSerializer, CreatePurchaseSerializer)
+def is_token_auth(request):
+ return isinstance(request.auth, authtoken.models.Token)
+
+
 class AdminPermission(permissions.BasePermission):
 def has_permission(self, request, view):
- return request.user and request.user.is_superuser
+ return request.user and request.user.is_superuser and not is_token_auth(request)
 class ReadOnlyPermission(permissions.BasePermission):
@@ -23,6 +25,9 @@ def has_permission(self, request, view):
 class ProjectOwnerPermission(permissions.BasePermission):
 def has_permission(self, request, view):
+ if is_token_auth(request):
+ return False
+
 if 'pk' not in view.kwargs:
 return False
@@ -48,10 +53,16 @@ def has_permission(self, request, view):
 if request.method not in {'POST', 'PATCH', 'GET'}:
 return False
+ if is_token_auth(request) and request.method != 'GET':
+ return False
+
 return True
 class ProjectApprovalRequestPermission(permissions.BasePermission):
 def has_permission(self, request, view):
+ if is_token_auth(request):
+ return False
+
 if not request.user:
 return False
@@ -64,6 +75,10 @@ class PurchaseOwnerPermission(permissions.BasePermission):
 def has_permission(self, request, view):
 if not request.user or not request.user.is_authenticated:
 return False
+
+ if is_token_auth(request):
+ return False
+
 return True
@@ -91,6 +106,9 @@ def has_object_permission(self, request, view, obj):
 if obj.closed:
 return False
+ if is_token_auth(request):
+ return False
+
 return True
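Review bot: `from rest_framework import authtoken` binds only the package, while the helper added in the next hunk reads `authtoken.models.Token`; as far as I can tell that attribute resolves at request time only because Django's app registry has imported `rest_framework.authtoken.models` for the app the settings hunk enables, so the dependency is implicit and breaks wherever the views module is used without `django.setup()` having run. The explicit form `from rest_framework.authtoken.models import Token` states the dependency and does not depend on app loading order. The same import shape is used in the api/storaging/views.py hunk of this diff.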
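Review bot: `is_token_auth` is defined here and again, identically, in the api/storaging/views.py hunk; this file already imports from `utils` (`from utils import perm_method`), so one shared copy there would keep the two checks from drifting apart the next time the rule changes. The helper is also the only place that decides what counts as "token" and has no docstring; something like `"""Return True when the request was authenticated with a DRF auth token rather than a session."""` records the intent. If the check should not depend on the token model class, `isinstance(request.successful_authenticator, TokenAuthentication)` expresses the same rule in terms of the authenticator that actually ran.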
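Review bot: The GET clause at @@ -48 (`if is_token_auth(request) and request.method != 'GET'`) is the one place in this file where a token-authenticated request is still allowed through, and nothing in the code says whether that is deliberate; a comment on that line such as `# token clients are read-only here; POST/PATCH require a session` would settle it for the next reader. Elsewhere the same early `return False` is added to ProjectOwnerPermission (@@ -23), ProjectApprovalRequestPermission (@@ -53), PurchaseOwnerPermission (@@ -64) and the object-level check at @@ -91, which means every permission class has to remember the guard: ReadOnlyPermission appears only as context in the second hunk and is not touched, so if it is not token-aware, token clients receive whatever it grants. A small composable permission (`class NotTokenAuth(permissions.BasePermission)` whose `has_permission` returns `not is_token_auth(request)`) combined with the existing classes via `&`, if the project's DRF version supports operator composition, would put the rule in each view's `permission_classes` instead of inside every `has_permission`. The classes these guards sit in start and end outside the hunks.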
@@ -103,6 +121,9 @@ def has_permission(self, request, view):
 for perm_class in allowed_perm_classes)
 def has_object_permission(self, request, view, obj):
+ if is_token_auth(request):
+ return False
+
 if request.method == 'PATCH':
 if request.user.is_superuser:
 return True
diff --git a/api/storaging/views.py b/api/storaging/views.py
index b77180e..a590c80 100644
--- a/api/storaging/views.py
+++ b/api/storaging/views.py
@@ -1,26 +1,24 @@
-import datetime
-import logging
-import uuid
-import pytz
-
 import boto3
-from rest_framework import permissions, views
+from rest_framework import permissions, authtoken
 from rest_framework.response import Response
 from rest_framework.generics import (
 CreateAPIView,
 )
 import constants
-from web import settings
 from .models import Medium
 from .serializer import MediumSerializer
+def is_token_auth(request):
+ return isinstance(request.auth, authtoken.models.Token)
+
+
 class AdminPermission(permissions.BasePermission):
 def has_permission(self, request, view):
- return request.user and request.user.is_superuser
+ return request.user and request.user.is_superuser and not is_token_auth(request)
 class GeneralPermission(permissions.BasePermission):
diff --git a/api/web/settings.py b/api/web/settings.py
index 85a6306..81b7d67 100644
--- a/api/web/settings.py
+++ b/api/web/settings.py
@@ -49,6 +49,7 @@
 'authenticate',
 'storaging',
 'rest_framework',
+ 'rest_framework.authtoken',
 'drf_yasg',
 'web',
 'corsheaders'
@@ -85,6 +86,7 @@
 'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated', ),
 'DEFAULT_AUTHENTICATION_CLASSES': [
 'web.authenticate.CsrfExemptSessionAuthentication',
+ 'rest_framework.authentication.TokenAuthentication',
 ],
 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'
 }
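Review bot: The token guard in this hunk is added to `has_object_permission` only, and DRF invokes that hook just for detail routes that go through `get_object()`; list and create requests are decided by `has_permission` alone, whose body starts above the hunk and, judging from the `for perm_class in allowed_perm_classes)` context line, delegates to other permission classes. Unless every class in `allowed_perm_classes` carries its own token check, a token client could still list or create through this view while being refused on the detail route. Worth confirming against the view that uses this class; a comment on the new guard stating the intended scope, e.g. `# object-level access is session-only; list/create are gated by allowed_perm_classes`, would make the split explicit. The enclosing class and both methods extend beyond the hunk.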
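Review bot: Any view whose permission classes were not updated in this diff becomes reachable with a token, because the new `'rest_framework.authentication.TokenAuthentication'` entry applies to every endpoint through DEFAULT_AUTHENTICATION_CLASSES while the token restrictions are opted into class by class; `GeneralPermission` in storaging and `ReadOnlyPermission` in accounting appear only as context and are not changed, so whether they admit tokens cannot be seen here. If tokens are intended for a small set of read-only integrations, the safer shape is to leave the global list as it was and set `authentication_classes = [TokenAuthentication]` on just those views, or to pair the global entry with a default permission that rejects tokens so that a forgotten guard fails closed rather than open. `rest_framework.authtoken` also needs its migration applied before the first request, and DRF's `Token` has no expiry, so rotation is an operational item a comment next to the new INSTALLED_APPS entry could point to.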