Api2 with multiple auth handlers (for ajax reqs)

2011-10-01 18:48:40 +02:00 · 2011-10-01 18:48:40 +02:00 · 0f6c60020c
parent 3aa0339387
commit 0f6c60020c
4 changed files with 35 additions and 7 deletions
--- a/devel/TODO
+++ b/devel/TODO
@ -10,6 +10,7 @@ Noch zu tun:
 [x] Ldap anbindung fuer login
 [ ] doku
 [ ] API(wget)-Beispiele
+[ ] Authblob erlaubt momentan beliebige größe - beschrängen auf 10kb o.ä.


 Nice-to-haf:
--- a/k4ever/api2/decorators.py
+++ b/k4ever/api2/decorators.py
@ -57,6 +57,7 @@ def manglePluginPerms(apiFunc):
 		# 3. put stuff into the request
 		request.user = user 
 		request.plugin = plugin
+		request.pluginperms = perms
 		return apiFunc(self, request, *args, **kwargs)
 	return wrapper

@ -78,7 +79,7 @@ def requirePlugin(apiFunc):
 		except Group.DoesNotExist:
 			pass
 		ret = rc.FORBIDDEN
-
-		return rc.FORBIDDEN
+		ret.write("\nA plugin is required for this api function\n")
+		return ret
 	return wrapper

--- a/k4ever/api2/handlers.py
+++ b/k4ever/api2/handlers.py
@ -132,9 +132,31 @@ class AccountBalanceHandler(BaseHandler):
 		return {'balance': balance}

 class AuthBlobHandler(BaseHandler):
-	# allowed_methods = ('GET', 'POST')
-	# model = 
-	pass
+	allowed_methods = ('GET', 'POST')
+	
+	@requirePlugin
+	@manglePluginPerms
+	def read(self, request):
+		if not request.plugin.pluginCanReadAuthblob:
+			ret = rc.FORBIDDEN
+			ret.write("\nThis plugin is not allowed to read the users authblob\n")
+			return ret
+		return request.pluginperms.authblob
+	
+	@requirePlugin
+	@manglePluginPerms
+	def create(self, request):
+		if not request.plugin.pluginCanWriteAuthblob:
+			ret = rc.FORBIDDEN
+			ret.write("\nThis plugin is not allowed to write the users authblob\n")
+			return ret
+		if not request.data.has_key('authblob'):
+			ret = rc.BAD_REQUEST
+			ret.write("\nTo change the users auth blob you actually need to provide one\n")
+		request.pluginperms.authblob = request.data['authblob']
+		request.pluginperms.authblob.save()
+		
+		return rc.ALL_OK

 class AuthUserHandler(BaseHandler):
 	allowed_methods = ('GET')
--- a/k4ever/api2/urls.py
+++ b/k4ever/api2/urls.py
@ -1,6 +1,7 @@
 from django.conf.urls.defaults import *
 from piston.resource import Resource
 from piston.authentication import HttpBasicAuthentication
+from api2.authentication import DjangoAuthentication, MultiAuthentication
 from api2.handlers import *

 # taken from
@ -10,8 +11,11 @@ class CsrfExemptResource( Resource ):
 		super( CsrfExemptResource, self ).__init__( handler, authentication )
 		self.csrf_exempt = getattr( self.handler, 'csrf_exempt', True )

-auth = HttpBasicAuthentication(realm="Freitagsrundenkassensystemapi")
-ad = {'authentication': auth}
+# build authenticatiooors
+basicAuth = HttpBasicAuthentication(realm="Freitagsrundenkassensystemapi")
+djangoAuth = DjangoAuthentication()
+multiAuth = MultiAuthentication([basicAuth, djangoAuth])
+ad = {'authentication': multiAuth}

 buyableItemRes    = CsrfExemptResource(handler=BuyableItemHandler,     **ad)
 buyableTypeRes    = CsrfExemptResource(handler=BuyableTypeHandler,     **ad)