From 9c6e5369f3d898e6f0902014b5b98603fbca6fb7 Mon Sep 17 00:00:00 2001
From: Simone Ianniciello
Date: Fri, 10 Nov 2023 16:10:23 +0100
Subject: [PATCH 1/2] add basic auth
---
 smartreport/settings.py | 13 ++++++++++-
 smartreport_app/permissions.py | 16 +++++++++++++
 smartreport_app/views.py | 42 +++++++++++-----------------------
 3 files changed, 41 insertions(+), 30 deletions(-)
 create mode 100644 smartreport_app/permissions.py
diff --git a/smartreport/settings.py b/smartreport/settings.py
index 0c58efe..59eaeb4 100644
--- a/smartreport/settings.py
+++ b/smartreport/settings.py
@@ -47,6 +47,7 @@
 "smartreport_app",
 "corsheaders",
 'django_filters',
+ 'guardian',
 ]
 MIDDLEWARE = [
@@ -139,10 +140,20 @@
 },
 ]
+AUTHENTICATION_BACKENDS = [
+ 'django.contrib.auth.backends.ModelBackend',
+ 'guardian.backends.ObjectPermissionBackend',
+]
+
 REST_FRAMEWORK = {
 "DEFAULT_AUTHENTICATION_CLASSES": (
- "rest_framework.authentication.SessionAuthentication",
+ "rest_framework.authentication.BasicAuthentication",
 ),
+ # UNCOMMENT THIS TO ENABLE PERMISSIONS CHECKS
+ #
+ # 'DEFAULT_PERMISSION_CLASSES': [
+ # 'smartreport_app.permissions.FullObjectPermission',
+ # ],
 'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
 }
diff --git a/smartreport_app/permissions.py b/smartreport_app/permissions.py
new file mode 100644
index 0000000..0eb5bb6
--- /dev/null
+++ b/smartreport_app/permissions.py
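Review bot: In the second hunk of smartreport/settings.py, `DEFAULT_PERMISSION_CLASSES` is added only as a commented-out block, so REST framework keeps its default `AllowAny` policy and the new authentication class does not restrict any endpoint on its own. Unless every view sets its own `permission_classes` (none are visible in this patch), the API stays open to unauthenticated callers, including the write methods of the `ModelViewSet` classes in smartreport_app/views.py. I would enable at least `'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated'],` now and switch to `FullObjectPermission` once the guardian permissions are assigned. `BasicAuthentication` sends the password with every request, so this configuration also needs an HTTPS-only deployment.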
@@ -0,0 +1,16 @@
+from rest_framework import permissions
+
+
+class FullObjectPermission(permissions.DjangoObjectPermissions):
+ """
+ Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
+ """
+ perms_map = {
+ 'GET': ['%(app_label)s.view_%(model_name)s'],
+ 'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+ 'HEAD': ['%(app_label)s.view_%(model_name)s'],
+ 'POST': ['%(app_label)s.add_%(model_name)s'],
+ 'PUT': ['%(app_label)s.change_%(model_name)s'],
+ 'PATCH': ['%(app_label)s.change_%(model_name)s'],
+ 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+ }
\ No newline at end of file
diff --git a/smartreport_app/views.py b/smartreport_app/views.py
index a263ec5..34b8e9c 100644
--- a/smartreport_app/views.py
+++ b/smartreport_app/views.py
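Review bot: `FullObjectPermission` in smartreport_app/permissions.py inherits the limits of `DjangoObjectPermissions`, and its docstring should say so: object-level checks run only when a view calls `get_object()`, so list endpoints still return every row unless the queryset is filtered separately. The model-level check in `has_permission` runs first, so a user who holds only per-object guardian permissions is presumably rejected before the object check is reached; this is worth confirming with a test. Once the commented-out default in settings.py is enabled, function views without a queryset, such as `kpi_data` in views.py, would trip the class's queryset assertion unless they declare their own permission classes. I would extend the docstring with a line such as `List views are not filtered by this class; pair it with a queryset filter for per-object visibility.`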
@@ -4,66 +4,50 @@ from rest_framework.response import Response from rest_framework import status from rest_framework import viewsets -from django_filters.rest_framework import DjangoFilterBackend from rest_framework.decorators import api_view + from .kb_interface import kb_interface + + class ReportTemplateViewSet(viewsets.ModelViewSet): + queryset = ReportTemplate.objects.all() serializer_class = ReportTemplateSerializer class ReportTemplatePageViewSet(viewsets.ModelViewSet): + queryset = ReportTemplatePage.objects.all() serializer_class = ReportTemplatePageSerializer - - def create(self, request, *args, **kwargs): - return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) class KpiReportElementViewSet(viewsets.ModelViewSet): + queryset = KpiReportElement.objects.all() serializer_class = KpiReportElementSerializer - - def create(self, request, *args, **kwargs): - return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) - - def update(self, request, *args, **kwargs): - return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) -class KpiViewSet(viewsets.ModelViewSet): +class KpiViewSet(viewsets.ReadOnlyModelViewSet): + queryset = Kpi.objects.all() serializer_class = KpiSerializer - filter_backends = [DjangoFilterBackend] - filterset_fields = [ 'user_type' , 'name' ] - - def create(self, request, *args, **kwargs): - return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) - - def update(self, request, *args, **kwargs): - return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) + filterset_fields = [ 'user_type' , 'name' ] class AlarmViewSet(viewsets.ModelViewSet): + queryset = Alarm.objects.all() serializer_class = AlarmSerializer - filter_backends = [DjangoFilterBackend] filterset_fields = [ 'user_type' ] -class 
ChartTypeViewSet(viewsets.ModelViewSet): +class ChartTypeViewSet(viewsets.ReadOnlyModelViewSet): + queryset = ChartType.objects.all() serializer_class = ChartTypeSerializer - def create(self, request, *args, **kwargs): - return Response({"message": "POST method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) - - def update(self, request, *args, **kwargs): - return Response({"message": "PUT method is not allowed"}, status=status.HTTP_405_METHOD_NOT_ALLOWED) - class DashboardLayoutViewSet(viewsets.ModelViewSet): + queryset = DashboardLayout.objects.all() serializer_class = DashboardLayoutSerializer - filter_backends = [DjangoFilterBackend] filterset_fields = [ 'user_type' ] - @api_view(['GET']) def kpi_data(request, format=None):
From 6afbb8c4ae37abae8d9826628d57beab7c90b61e Mon Sep 17 00:00:00 2001
From: Simone Ianniciello
Date: Fri, 10 Nov 2023 16:33:21 +0100
Subject: [PATCH 2/2] matteo gay
---
 smartreport/settings.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/smartreport/settings.py b/smartreport/settings.py
index 59eaeb4..102de17 100644
--- a/smartreport/settings.py
+++ b/smartreport/settings.py
@@ -148,6 +148,7 @@
 REST_FRAMEWORK = {
 "DEFAULT_AUTHENTICATION_CLASSES": (
 "rest_framework.authentication.BasicAuthentication",
+ "rest_framework.authentication.SessionAuthentication",
 ),
 # UNCOMMENT THIS TO ENABLE PERMISSIONS CHECKS
 #
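Review bot: `ReportTemplatePageViewSet` and `KpiReportElementViewSet` lose their 405 overrides for `create`/`update` but stay on `ModelViewSet`, so POST and PUT become live on both endpoints, while `KpiViewSet` and `ChartTypeViewSet` were moved to `ReadOnlyModelViewSet`. No `permission_classes` is set on any viewset in this hunk and the project-wide default is left commented out in settings.py, so these writes look reachable without credentials. If the methods were blocked on purpose, state the allowed verbs explicitly, for example `http_method_names = ['get', 'delete', 'head', 'options']` on `KpiReportElementViewSet`, or add `permission_classes` to each viewset. The file continues past `kpi_data`, outside the hunk.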
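Review bot: With `BasicAuthentication` listed first in `DEFAULT_AUTHENTICATION_CLASSES` (the settings.py hunk of patch 2/2), unauthenticated requests are answered with 401 and a `WWW-Authenticate: Basic` challenge, which makes browsers show their native credential prompt even for clients that rely on the session login. If the browser front end is meant to use sessions, list `SessionAuthentication` first. Otherwise add a comment on the tuple saying which client each scheme serves, e.g. `# Basic: scripts/API clients over HTTPS; Session: browser UI (CSRF enforced)`.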