Created
May 8, 2014 17:48
-
-
Save danielholmstrom/89e27d4afa9e5349ceb0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| AuthUser views | |
| ~~~~~~~~~~~~~~ | |
| """ | |
| from pluto.views import ( | |
| InvalidDataError, | |
| client_data_schema, | |
| ) | |
| from pluto.modules.auth.models import ( | |
| AuthUser, | |
| ) | |
| from .schemas import ( | |
| Create, | |
| Update, | |
| ) | |
| @client_data_schema(schema=Create) | |
| def create(request): | |
| """Create a user""" | |
| data = request.validated_data | |
| if not request.has_permission('create', AuthUser): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| user = AuthUser(**data) | |
| if not request.has_permission('create', user): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| sess = request.db_session | |
| sess.add(user) | |
| # TODO: Try/except because of unique username constraint. | |
| # Unique contraints should not be tested for in code | |
| sess.commit() | |
| request.response.status = 201 | |
| request.response.location = request.route_url('auth.user.read', id=user.id) | |
| return user | |
| def read(request): | |
| user = request.db_session.query(AuthUser).get(int(request.matchdict['id'])) | |
| if not user: | |
| request.response.status = 404 | |
| return {'message': 'NotFound'} | |
| if not request.has_permission('read', user): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| else: | |
| return user | |
| @client_data_schema(schema=Update) | |
| def update(request): | |
| # Are we at all allowed to do this at all? | |
| if not request.has_permission('update', AuthUser): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| user = request.db_session.query(AuthUser).get(int(request.matchdict['id'])) | |
| # Ok, because the user has the basic permissions to update a user, | |
| # no sniffing can occur | |
| if not user: | |
| request.response.status = 404 | |
| return {'message': 'NotFound'} | |
| # Are we allowed to update this user? | |
| if not request.has_permission('update', user): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| sess = request.db_session | |
| user.fromdict(request.validated_data) | |
| # Did the data change the user to something we're not allowed to update? | |
| if not request.has_permission('update', user): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| sess.add(user) | |
| sess.commit() | |
| request.response.status = 201 | |
| request.response.location = request.route_url('auth.user.read', id=user.id) | |
| return user | |
| def delete(request): | |
| if not request.has_permission('delete', AuthUser): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| user = request.db_session.query(AuthUser).get(int(request.matchdict['id'])) | |
| if not user: | |
| request.response.status = 404 | |
| return {'message': 'NotFound'} | |
| if not request.has_permission('delete', user): | |
| request.response.status = 403 | |
| return {'message': 'Forbidden'} | |
| sess = request.db_session | |
| sess.delete(user) | |
| sess.commit() | |
| request.response.status = 200 | |
| return {'message': 'Ok'} | |
| def includeme(config): | |
| config.add_view(view=create, | |
| route_name='auth.user.create', | |
| request_method='POST', | |
| renderer='json', | |
| content_type='application/json') | |
| config.add_route('auth.user.create', | |
| request_method='POST', | |
| pattern='/') | |
| config.add_view(view=read, | |
| route_name='auth.user.read', | |
| request_method='GET', | |
| renderer='json', | |
| content_type='application/json') | |
| config.add_route('auth.user.read', | |
| request_method='GET', | |
| pattern='/{id:\d+}') | |
| config.add_view(view=update, | |
| route_name='auth.user.update', | |
| request_method='PUT', | |
| renderer='json', | |
| content_type='application/json') | |
| config.add_route('auth.user.update', | |
| request_method='PUT', | |
| pattern='/{id:\d+}') | |
| config.add_view(view=delete, | |
| route_name='auth.user.delete', | |
| request_method='DELETE', | |
| renderer='json', | |
| content_type='application/json') | |
| config.add_route('auth.user.delete', | |
| request_method='DELETE', | |
| pattern='/{id:\d+}') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment