トークンによる認証を追加

api/accounting/views.py

@@ -1,7 +1,5 @@
-import django_filters
 from django.db.models import Q
-from django.shortcuts import render
-from rest_framework import filters, permissions, viewsets
+from rest_framework import permissions, viewsets, authtoken
 
 from utils import perm_method
 from web import settings
@@ -11,9 +9,13 @@
                          ProjectSerializer, PurchaseSerializer, CreateProjectApprovalSerializer, CreatePurchaseSerializer)
 
 
+def is_token_auth(request):
+    return isinstance(request.auth, authtoken.models.Token)
+
+
 class AdminPermission(permissions.BasePermission):
     def has_permission(self, request, view):
-        return request.user and request.user.is_superuser
+        return request.user and request.user.is_superuser and not is_token_auth(request)
 
 
 class ReadOnlyPermission(permissions.BasePermission):
@@ -23,6 +25,9 @@ def has_permission(self, request, view):
 
 class ProjectOwnerPermission(permissions.BasePermission):
     def has_permission(self, request, view):
+        if is_token_auth(request):
+            return False
+
         if 'pk' not in view.kwargs:
             return False
 
@@ -48,10 +53,16 @@ def has_permission(self, request, view):
         if request.method not in {'POST', 'PATCH', 'GET'}:
             return False
 
+        if is_token_auth(request) and request.method != 'GET':
+            return False
+
         return True
 
 class ProjectApprovalRequestPermission(permissions.BasePermission):
     def has_permission(self, request, view):
+        if is_token_auth(request):
+            return False
+
         if not request.user:
             return False
 
@@ -64,6 +75,10 @@ class PurchaseOwnerPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if not request.user or not request.user.is_authenticated:
             return False
+
+        if is_token_auth(request):
+            return False
+
         return True
 
 
@@ -91,6 +106,9 @@ def has_object_permission(self, request, view, obj):
         if obj.closed:
             return False
 
+        if is_token_auth(request):
+            return False
+
         return True
 
 
@@ -103,6 +121,9 @@ def has_permission(self, request, view):
                    for perm_class in allowed_perm_classes)
 
     def has_object_permission(self, request, view, obj):
+        if is_token_auth(request):
+            return False
+
         if request.method == 'PATCH':
             if request.user.is_superuser:
                 return True

api/storaging/views.py

@@ -1,26 +1,24 @@
-import datetime
-import logging
-import uuid
-import pytz
-
 import boto3
 
-from rest_framework import permissions, views
+from rest_framework import permissions, authtoken
 from rest_framework.response import Response
 from rest_framework.generics import (
     CreateAPIView,
 )
 
 import constants
-from web import settings
 
 from .models import Medium
 from .serializer import MediumSerializer
 
 
+def is_token_auth(request):
+    return isinstance(request.auth, authtoken.models.Token)
+
+
 class AdminPermission(permissions.BasePermission):
     def has_permission(self, request, view):
-        return request.user and request.user.is_superuser
+        return request.user and request.user.is_superuser and not is_token_auth(request)
 
 
 class GeneralPermission(permissions.BasePermission):

api/web/settings.py

@@ -49,6 +49,7 @@
     'authenticate',
     'storaging',
     'rest_framework',
+    'rest_framework.authtoken',
     'drf_yasg',
     'web',
     'corsheaders'
@@ -85,6 +86,7 @@
     'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated', ),
     'DEFAULT_AUTHENTICATION_CLASSES': [
         'web.authenticate.CsrfExemptSessionAuthentication',
+        'rest_framework.authentication.TokenAuthentication',
     ],
     'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'
 }