From 2822d947d96d1527f7002859816d1f4ece9f954e Mon Sep 17 00:00:00 2001 From: klmp200 Date: Sun, 7 Aug 2016 20:32:12 +0200 Subject: [PATCH] Enhaced API : look for permissions, automaticly add /{pk}/id, added users, groups and clubs --- api/urls.py | 3 +++ api/views/__init__.py | 32 +++++++++++++++++++++++++++ api/views/api.py | 47 ++++++++++++++++++++++++++++------------ api/views/serializers.py | 23 ++++++++++++++++++-- 4 files changed, 89 insertions(+), 16 deletions(-) diff --git a/api/urls.py b/api/urls.py index 31673927..9561153b 100644 --- a/api/urls.py +++ b/api/urls.py @@ -6,6 +6,9 @@ from rest_framework import routers # Router config router = routers.DefaultRouter() router.register(r'counter', CounterViewSet, base_name='api_counter') +router.register(r'user', UserViewSet, base_name='api_user') +router.register(r'club', ClubViewSet, base_name='api_club') +router.register(r'group', GroupViewSet, base_name='api_group') urlpatterns = [ diff --git a/api/views/__init__.py b/api/views/__init__.py index d4036221..b03cc1d7 100644 --- a/api/views/__init__.py +++ b/api/views/__init__.py 
@@ -1,2 +1,34 @@ +from rest_framework.response import Response +from rest_framework import viewsets +from django.core.exceptions import PermissionDenied +from rest_framework.decorators import detail_route + +from core.views import can_view, can_edit + +class RightManagedModelViewSet(viewsets.ModelViewSet): + + @detail_route() + def id(self, request, pk=None): + """ + Get by id (api/v1/router/{pk}/id/) + """ + self.queryset = get_object_or_404(self.queryset.filter(id=pk)) + serializer = self.get_serializer(self.queryset) + return Response(serializer.data) + + def dispatch(self, request, *arg, **kwargs): + res = super(RightManagedModelViewSet, + self).dispatch(request, *arg, **kwargs) + obj = self.queryset + user = self.request.user + try: + if (request.method == 'GET' and can_view(obj, user)): + return res + elif (request.method == 'PUSH' and can_edit(obj, user)): + return res + except: pass # To prevent bug with Anonymous user + raise PermissionDenied + + from .api import * from .serializers import * \ No newline at end of file diff --git a/api/views/api.py b/api/views/api.py index 45e22d90..03544bef 100644 --- a/api/views/api.py +++ b/api/views/api.py @@ -7,8 +7,10 @@ from rest_framework.decorators import list_route from core.templatetags.renderer import markdown from counter.models import Counter +from core.models import User, Group +from club.models import Club from api.views import serializers - +from api.views import RightManagedModelViewSet @api_view(['GET']) def RenderMarkdown(request): 
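Review bot: In `RightManagedModelViewSet.dispatch` (api/views/__init__.py) the `can_view`/`can_edit` test runs only after `super().dispatch()` has executed the handler, so a create, update or delete is already committed when `PermissionDenied` is raised, barring other permission settings not visible here. `'PUSH'` is not an HTTP method, so every non-GET request ends in a 403 while its side effect stands, and the check is made against `self.queryset` rather than the object being accessed. The bare `except: pass` also hides any error raised inside the two helpers. I would move the decision into a DRF permission class that runs before the handler (it needs `from rest_framework import permissions`) and have `id` go through `self.get_object()`; list responses would still need filtering in `get_queryset()`, since object permissions are not applied to them.

```python
class CanViewOrEdit(permissions.BasePermission):
    """Object-level check evaluated before the handler does any work."""

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return can_view(obj, request.user)
        return can_edit(obj, request.user)


class RightManagedModelViewSet(viewsets.ModelViewSet):
    permission_classes = (CanViewOrEdit,)

    @detail_route()
    def id(self, request, pk=None):
        # get_object() calls check_object_permissions() before we serialize
        serializer = self.get_serializer(self.get_object())
        return Response(serializer.data)

    # … dispatch() override dropped: the permission class replaces it …
```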
@@ -19,28 +21,45 @@ def RenderMarkdown(request): return Response(markdown(request.GET['text'])) -class CounterViewSet(viewsets.ModelViewSet): +class CounterViewSet(RightManagedModelViewSet): """ - Manage Counters (api/v1/counter) + Manage Counters (api/v1/counter/) """ - serializer_class = serializers.Counter + serializer_class = serializers.CounterRead queryset = Counter.objects.all() @list_route() def bar(self, request): """ - Return all bars (api/v1/counter/bar) + Return all bars (api/v1/counter/bar/) """ - self.queryset = Counter.objects.filter(type="BAR") + self.queryset = self.queryset.filter(type="BAR") serializer = self.get_serializer(self.queryset, many=True) return Response(serializer.data) - @detail_route() - def id(self, request, pk=None): - """ - Get by id (api/v1/{nk}/id) - """ - self.queryset = get_object_or_404(Counter.objects.filter(id=pk)) - serializer = self.get_serializer(self.queryset) - return Response(serializer.data) + +class UserViewSet(RightManagedModelViewSet): + """ + Manage Users (api/v1/user/) + """ + + serializer_class = serializers.UserRead + queryset = User.objects.all() + + +class ClubViewSet(RightManagedModelViewSet): + """ + Manage Clubs (api/v1/club/) + """ + + serializer_class = serializers.ClubRead + queryset = Club.objects.all() + +class GroupViewSet(RightManagedModelViewSet): + """ + Manage Groups (api/v1/group/) + """ + + serializer_class = serializers.GroupRead + queryset = Group.objects.all() diff --git a/api/views/serializers.py b/api/views/serializers.py index 09391b60..1225475f 100644 --- a/api/views/serializers.py +++ b/api/views/serializers.py 
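Review bot: `UserViewSet`, `ClubViewSet` and `GroupViewSet` inherit the full create/update/delete surface of `ModelViewSet` through `RightManagedModelViewSet`, although the serializers they use are named `UserRead`, `ClubRead` and `GroupRead`. If these endpoints are meant to be read-only, state that in the classes themselves rather than relying on the check in `dispatch`, for example `http_method_names = ['get', 'head', 'options']` on each viewset. The "Manage Users/Clubs/Groups" docstrings should then be reworded to match whichever behaviour is intended.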
@@ -1,15 +1,34 @@ from rest_framework import serializers from counter.models import Counter +from core.models import User, Group +from club.models import Club -class Counter(serializers.ModelSerializer): +class CounterRead(serializers.ModelSerializer): is_open = serializers.BooleanField(read_only=True) barman_list = serializers.ListField( - child = serializers.IntegerField() + child=serializers.IntegerField() ) class Meta: model = Counter fields = ('id', 'name', 'type', 'is_open', 'barman_list') + +class UserRead(serializers.ModelSerializer): + + class Meta: + model = User + + +class ClubRead(serializers.ModelSerializer): + + class Meta: + model = Club + + +class GroupRead(serializers.ModelSerializer): + + class Meta: + model = Group
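Review bot: `UserRead`, `ClubRead` and `GroupRead` declare `model` in `Meta` but no `fields`, unlike `CounterRead` above them. On the older DRF releases that accept this (the `base_name` and `detail_route` usage elsewhere in this patch suggests one), a `ModelSerializer` without `fields` serializes every model field, which for `User` would likely include the password hash and other private attributes; the model is not visible here, so confirm against `core.models`. Add an explicit allow-list to each `Meta`, e.g. `fields = ('id', ...)` naming only the attributes the API is meant to publish.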