From 0f6c60020cc4baff91821783011c67fb4fb0414d Mon Sep 17 00:00:00 2001
From: seba
Date: Sat, 1 Oct 2011 18:48:40 +0200
Subject: [PATCH] Api2 with multiple auth handlers (for ajax reqs)

---
 devel/TODO | 1 +
 k4ever/api2/decorators.py | 5 +++--
 k4ever/api2/handlers.py | 28 +++++++++++++++++++++++++---
 k4ever/api2/urls.py | 8 ++++++--
 4 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/devel/TODO b/devel/TODO
index 9b26d8f..8db1c9d 100644
--- a/devel/TODO
+++ b/devel/TODO
@@ -10,6 +10,7 @@ Noch zu tun:
 [x] Ldap anbindung fuer login
 [ ] doku
 [ ] API(wget)-Beispiele
+[ ] Authblob erlaubt momentan beliebige größe - beschrängen auf 10kb o.ä.
 
 Nice-to-haf:
 
diff --git a/k4ever/api2/decorators.py b/k4ever/api2/decorators.py
index 9d60333..bcaf8b3 100644
--- a/k4ever/api2/decorators.py
+++ b/k4ever/api2/decorators.py
@@ -57,6 +57,7 @@ def manglePluginPerms(apiFunc):
 # 3. put stuff into the request
 request.user = user
 request.plugin = plugin
+request.pluginperms = perms
 return apiFunc(self, request, *args, **kwargs)
 return wrapper
 
@@ -78,7 +79,7 @@ def requirePlugin(apiFunc):
 except Group.DoesNotExist:
 pass
 ret = rc.FORBIDDEN
-
-return rc.FORBIDDEN
+ret.write("\nA plugin is required for this api function\n")
+return ret
 return wrapper
 
diff --git a/k4ever/api2/handlers.py b/k4ever/api2/handlers.py
index fe2c79c..9f4f917 100644
--- a/k4ever/api2/handlers.py
+++ b/k4ever/api2/handlers.py
@@ -132,9 +132,31 @@ class AccountBalanceHandler(BaseHandler):
 return {'balance': balance}
 
 class AuthBlobHandler(BaseHandler):
-# allowed_methods = ('GET', 'POST')
-# model =
-pass
+allowed_methods = ('GET', 'POST')
+
+@requirePlugin
+@manglePluginPerms
+def read(self, request):
+if not request.plugin.pluginCanReadAuthblob:
+ret = rc.FORBIDDEN
+ret.write("\nThis plugin is not allowed to read the users authblob\n")
+return ret
+return request.pluginperms.authblob
+
+@requirePlugin
+@manglePluginPerms
+def create(self, request):
+if not request.plugin.pluginCanWriteAuthblob:
+ret = rc.FORBIDDEN
+ret.write("\nThis plugin is not allowed to write the users authblob\n")
+return ret
+if not request.data.has_key('authblob'):
+ret = rc.BAD_REQUEST
+ret.write("\nTo change the users auth blob you actually need to provide one\n")
+request.pluginperms.authblob = request.data['authblob']
+request.pluginperms.authblob.save()
+
+return rc.ALL_OK
 
 class AuthUserHandler(BaseHandler):
 allowed_methods = ('GET')
diff --git a/k4ever/api2/urls.py b/k4ever/api2/urls.py
index c61a026..40101c2 100644
--- a/k4ever/api2/urls.py
+++ b/k4ever/api2/urls.py
@@ -1,6 +1,7 @@
 from django.conf.urls.defaults import *
 from piston.resource import Resource
 from piston.authentication import HttpBasicAuthentication
+from api2.authentication import DjangoAuthentication, MultiAuthentication
 from api2.handlers import *
 
 # taken from
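Review bot: In `AuthBlobHandler.create` the missing-`authblob` branch builds a BAD_REQUEST response but never returns it, so the request falls through to `request.data['authblob']` and dies with a KeyError (a 500) instead of the 400 that was intended; add `return ret` after the `ret.write(...)` line. The next two lines also save the wrong object: `request.pluginperms.authblob.save()` calls `.save()` on the value just copied out of `request.data`, which is whatever piston deserialised from the body (a string for form or JSON input), not the permissions model, so the write will fail and the new blob is never persisted; it should be `request.pluginperms.save()`. The blob is also accepted at any size, which the TODO hunk in this same commit acknowledges; a cap before the assignment, e.g. `if len(request.data['authblob']) > 10240: return rc.BAD_REQUEST`, would close that while the code is being touched. Whether `request.data` can be None here for a POST without a parsable body depends on piston's request handling, which is outside this diff.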
@@ -10,8 +11,11 @@ class CsrfExemptResource( Resource ):
 super( CsrfExemptResource, self ).__init__( handler, authentication )
 self.csrf_exempt = getattr( self.handler, 'csrf_exempt', True )
 
-auth = HttpBasicAuthentication(realm="Freitagsrundenkassensystemapi")
-ad = {'authentication': auth}
+# build authenticatiooors
+basicAuth = HttpBasicAuthentication(realm="Freitagsrundenkassensystemapi")
+djangoAuth = DjangoAuthentication()
+multiAuth = MultiAuthentication([basicAuth, djangoAuth])
+ad = {'authentication': multiAuth}
 
 buyableItemRes = CsrfExemptResource(handler=BuyableItemHandler, **ad)
 buyableTypeRes = CsrfExemptResource(handler=BuyableTypeHandler, **ad)
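Review bot: Putting `DjangoAuthentication` into the `multiAuth` chain means a request carrying only the browser's session cookie now authenticates, while the context line `self.csrf_exempt = getattr( self.handler, 'csrf_exempt', True )` still switches Django's CSRF protection off for every resource mounted with `**ad`; any state-changing handler behind them (the AuthBlob `create` in this commit, and whatever the other handlers do on POST) becomes callable cross-site from any page a logged-in user visits. Either make `DjangoAuthentication.is_authenticated` verify the CSRF token itself whenever it accepts a session (that class lives in `api2.authentication`, outside this diff), or keep the exemption only for the Basic-auth path. At minimum document the trade-off next to the chain, e.g. `# NOTE: DjangoAuthentication accepts the session cookie, so these csrf_exempt resources are CSRF-reachable from a browser; the session path must check the CSRF token itself`. Which authenticator's challenge is sent when both reject a request depends on `MultiAuthentication`, also outside the hunk.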