Merge pull request #18 from SmartReports/simone_dev

add basic auth
SmartReports · Nov 10, 2023 · 2adfd83 · 2adfd83
2 parents 53e94bc + 6afbb8c
commit 2adfd83
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 29 deletions.
diff --git a/smartreport/settings.py b/smartreport/settings.py
@@ -47,6 +47,7 @@
     "smartreport_app",
     "corsheaders",
     'django_filters',
+    'guardian',
 ]
 
 MIDDLEWARE = [
@@ -139,10 +140,21 @@
     },
 ]
 
+AUTHENTICATION_BACKENDS = [
+    'django.contrib.auth.backends.ModelBackend',
+    'guardian.backends.ObjectPermissionBackend',
+]
+
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": (
+        "rest_framework.authentication.BasicAuthentication",
         "rest_framework.authentication.SessionAuthentication",
     ),
+    # UNCOMMENT THIS TO ENABLE PERMISSIONS CHECKS
+    # 
+    # 'DEFAULT_PERMISSION_CLASSES': [
+    #     'smartreport_app.permissions.FullObjectPermission',
+    # ],
     'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
 }
 

diff --git a/smartreport_app/permissions.py b/smartreport_app/permissions.py
@@ -0,0 +1,16 @@
+from rest_framework import permissions
+
+
+class FullObjectPermission(permissions.DjangoObjectPermissions):
+    """
+    Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
+    """
+    perms_map = {
+        'GET': ['%(app_label)s.view_%(model_name)s'],
+        'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+        'HEAD': ['%(app_label)s.view_%(model_name)s'],
+        'POST': ['%(app_label)s.add_%(model_name)s'],
+        'PUT': ['%(app_label)s.change_%(model_name)s'],
+        'PATCH': ['%(app_label)s.change_%(model_name)s'],
+        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+    }
diff --git a/smartreport_app/views.py b/smartreport_app/views.py
@@ -4,66 +4,50 @@
 from rest_framework.response import Response
 from rest_framework import status
 from rest_framework import viewsets
-from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.decorators import api_view
+
 from .kb_interface import kb_interface
 
+
+
 class ReportTemplateViewSet(viewsets.ModelViewSet):
+
     queryset = ReportTemplate.objects.all()
     serializer_class = ReportTemplateSerializer
 
 class ReportTemplatePageViewSet(viewsets.ModelViewSet):
+
     queryset = ReportTemplatePage.objects.all()
     serializer_class = ReportTemplatePageSerializer
-
-    def create(self, request, *args, **kwargs):
-        return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
 
 class KpiReportElementViewSet(viewsets.ModelViewSet):
+
     queryset = KpiReportElement.objects.all()
     serializer_class = KpiReportElementSerializer
-
-    def create(self, request, *args, **kwargs):
-        return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
-    def update(self, request, *args, **kwargs):
-        return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
 
-class KpiViewSet(viewsets.ModelViewSet):
+class KpiViewSet(viewsets.ReadOnlyModelViewSet):
+
     queryset = Kpi.objects.all()
     serializer_class = KpiSerializer
-    filter_backends = [DjangoFilterBackend]
-    filterset_fields = [ 'user_type' , 'name' ]    
-
-    def create(self, request, *args, **kwargs):
-        return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
-    def update(self, request, *args, **kwargs):
-        return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
+    filterset_fields = [ 'user_type' , 'name' ]
 
 class AlarmViewSet(viewsets.ModelViewSet):
+
     queryset = Alarm.objects.all()
     serializer_class = AlarmSerializer
-    filter_backends = [DjangoFilterBackend]
     filterset_fields = [ 'user_type' ]
 
-class ChartTypeViewSet(viewsets.ModelViewSet):
+class ChartTypeViewSet(viewsets.ReadOnlyModelViewSet):
+
     queryset = ChartType.objects.all()
     serializer_class = ChartTypeSerializer
 
-    def create(self, request, *args, **kwargs):
-        return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
-    def update(self, request, *args, **kwargs):
-        return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
 class DashboardLayoutViewSet(viewsets.ModelViewSet):
+
     queryset = DashboardLayout.objects.all()
     serializer_class = DashboardLayoutSerializer
-    filter_backends = [DjangoFilterBackend]
     filterset_fields = [ 'user_type' ]
 
-
 @api_view(['GET'])
 def kpi_data(request, format=None):