diff --git a/uncloud_django_based/uncloud/requirements.txt b/uncloud_django_based/uncloud/requirements.txt index a7fc9f2..8de6786 100644 --- a/uncloud_django_based/uncloud/requirements.txt +++ b/uncloud_django_based/uncloud/requirements.txt @@ -22,3 +22,5 @@ uritemplate # Comprehensive interface to validate VAT numbers, making use of the VIES # service for European countries. vat-validator + +drf-nested-routers diff --git a/uncloud_django_based/uncloud/uncloud/urls.py b/uncloud_django_based/uncloud/uncloud/urls.py index 4d0ada1..64edd47 100644 --- a/uncloud_django_based/uncloud/uncloud/urls.py +++ b/uncloud_django_based/uncloud/uncloud/urls.py @@ -19,7 +19,7 @@ from django.urls import path, include from django.conf import settings from django.conf.urls.static import static -from rest_framework import routers +from rest_framework_nested import routers from rest_framework.schemas import get_schema_view from opennebula import views as oneviews @@ -51,15 +51,6 @@ router.register(r'service/generic', serviceviews.GenericServiceProductViewSet, b router.register(r'net/vpn', netviews.VPNNetworkViewSet, basename='vpnnet') router.register(r'net/vpnreservation', netviews.VPNNetworkReservationViewSet, basename='vpnnetreservation') - -# Pay -router.register(r'address', payviews.BillingAddressViewSet, basename='address') -router.register(r'bill', payviews.BillViewSet, basename='bill') -router.register(r'order', payviews.OrderViewSet, basename='order') -router.register(r'payment', payviews.PaymentViewSet, basename='payment') -router.register(r'payment-method', payviews.PaymentMethodViewSet, basename='payment-method') - - # admin/staff urls router.register(r'admin/bill', payviews.AdminBillViewSet, basename='admin/bill') router.register(r'admin/payment', payviews.AdminPaymentViewSet, basename='admin/payment') @@ -70,11 +61,21 @@ router.register(r'admin/vpnpool', netviews.VPNPoolViewSet) router.register(r'admin/opennebula', oneviews.VMViewSet, basename='opennebula') # User/Account +router.register(r'self', authviews.SelfViewSet, basename='self') router.register(r'user', authviews.UserViewSet, basename='user') -router.register(r'admin/user', authviews.AdminUserViewSet, basename='useradmin') + +users_router = routers.NestedSimpleRouter(router, r'user', lookup='user') +users_router.register(r'bill', payviews.BillViewSet, basename='user-bill') +users_router.register(r'address', payviews.BillingAddressViewSet, basename='user-address') +users_router.register(r'order', payviews.OrderViewSet, basename='user-order') +users_router.register(r'payment', payviews.PaymentViewSet, basename='user-payment') +users_router.register(r'payment-method', payviews.PaymentMethodViewSet, basename='user-payment-method') + + urlpatterns = [ path('', include(router.urls)), + path('', include(users_router.urls)), # web/ = stuff to view in the browser path('web/pdf/', payviews.MyPDFView.as_view(), name='pdf'), diff --git a/uncloud_django_based/uncloud/uncloud_auth/helpers.py b/uncloud_django_based/uncloud/uncloud_auth/helpers.py new file mode 100644 index 0000000..67cfc0a --- /dev/null +++ b/uncloud_django_based/uncloud/uncloud_auth/helpers.py @@ -0,0 +1,24 @@ +from rest_framework import permissions +from django.contrib.auth import get_user_model + +class IsOwnerOrAdmin(permissions.BasePermission): + """ + Object-level permission to only allow owner or admin to edit an object. + Assumes the model instance has an `owner` attribute. + """ + + def has_permission(self, request, view): + if request.user.is_staff: + return True + + try: + target_user = get_user_model().objects.get( + username=view.kwargs['user_pk']) + return target_user == request.user + except: + return False + + def has_object_permission(self, request, view, obj): + return (obj.owner == request.user) or request.user.is_staff + + diff --git a/uncloud_django_based/uncloud/uncloud_auth/models.py b/uncloud_django_based/uncloud/uncloud_auth/models.py index c3a0912..fbb8f22 100644 --- a/uncloud_django_based/uncloud/uncloud_auth/models.py +++ b/uncloud_django_based/uncloud/uncloud_auth/models.py @@ -1,6 +1,7 @@ from django.contrib.auth.models import AbstractUser from django.db import models from django.core.validators import MinValueValidator +from rest_framework.reverse import reverse from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS diff --git a/uncloud_django_based/uncloud/uncloud_auth/serializers.py b/uncloud_django_based/uncloud/uncloud_auth/serializers.py index 71aeb03..14c90a9 100644 --- a/uncloud_django_based/uncloud/uncloud_auth/serializers.py +++ b/uncloud_django_based/uncloud/uncloud_auth/serializers.py @@ -1,16 +1,49 @@ from django.contrib.auth import get_user_model from rest_framework import serializers +from rest_framework_nested.relations import NestedHyperlinkedRelatedField from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS -class UserSerializer(serializers.ModelSerializer): +class UserSerializer(serializers.HyperlinkedModelSerializer): balance = serializers.DecimalField(max_digits=AMOUNT_MAX_DIGITS, decimal_places=AMOUNT_DECIMALS) + bill_endpoint = serializers.HyperlinkedIdentityField( + view_name='user-bill-list', + lookup_field='username', + lookup_url_kwarg='user_pk' + ) + + order_endpoint = serializers.HyperlinkedIdentityField( + view_name='user-order-list', + lookup_field='username', + lookup_url_kwarg='user_pk' + ) + + address_endpoint = serializers.HyperlinkedIdentityField( + view_name='user-address-list', + lookup_field='username', + lookup_url_kwarg='user_pk' + ) + + payment_method_endpoint = serializers.HyperlinkedIdentityField( + view_name='user-payment-method-list', + lookup_field='username', + lookup_url_kwarg='user_pk' + ) + + payment_endpoint = serializers.HyperlinkedIdentityField( + view_name='user-payment-list', + lookup_field='username', + lookup_url_kwarg='user_pk' + ) + class Meta: model = get_user_model() - fields = ['username', 'email', 'balance', 'maximum_credit' ] + fields = ['username', 'email', 'balance', 'maximum_credit', + 'bill_endpoint', 'order_endpoint', 'address_endpoint', + 'payment_method_endpoint', 'payment_endpoint'] class ImportUserSerializer(serializers.Serializer): username = serializers.CharField() diff --git a/uncloud_django_based/uncloud/uncloud_auth/views.py b/uncloud_django_based/uncloud/uncloud_auth/views.py index 9c5bd1f..6b2800d 100644 --- a/uncloud_django_based/uncloud/uncloud_auth/views.py +++ b/uncloud_django_based/uncloud/uncloud_auth/views.py @@ -3,9 +3,11 @@ from .serializers import * from django_auth_ldap.backend import LDAPBackend from rest_framework.decorators import action from rest_framework.response import Response +from rest_framework.generics import get_object_or_404 from rest_framework import mixins +from .models import * -class UserViewSet(mixins.ListModelMixin, viewsets.GenericViewSet): +class SelfViewSet(mixins.ListModelMixin, viewsets.GenericViewSet): permission_classes = [permissions.IsAuthenticated] serializer_class = UserSerializer @@ -18,9 +20,8 @@ class UserViewSet(mixins.ListModelMixin, viewsets.GenericViewSet): serializer = self.get_serializer(user, context = {'request': request}) return Response(serializer.data) -class AdminUserViewSet(viewsets.ReadOnlyModelViewSet): - # FIXME: make this admin - permission_classes = [permissions.IsAuthenticated] +class UserViewSet(viewsets.ReadOnlyModelViewSet): + permission_classes = [permissions.IsAdminUser] def get_serializer_class(self): if self.action == 'import_from_ldap': @@ -29,7 +30,15 @@ class AdminUserViewSet(viewsets.ReadOnlyModelViewSet): return UserSerializer def get_queryset(self): - return get_user_model().objects.all() + return User.objects.all() + + # Override default implementation to search by username instead of ID. + def retrieve(self, request, pk): + queryset = self.filter_queryset(self.get_queryset()) + instance = get_object_or_404(queryset, username=pk) + serializer = self.get_serializer(instance) + + return Response(serializer.data) @action(detail=False, methods=['post'], url_path='import_from_ldap') def import_from_ldap(self, request, pk=None): diff --git a/uncloud_django_based/uncloud/uncloud_pay/views.py b/uncloud_django_based/uncloud/uncloud_pay/views.py index aaf90e2..a4d4387 100644 --- a/uncloud_django_based/uncloud/uncloud_pay/views.py +++ b/uncloud_django_based/uncloud/uncloud_pay/views.py @@ -18,28 +18,25 @@ from .serializers import * from datetime import datetime from vat_validator import sanitize_vat import uncloud_pay.stripe as uncloud_stripe +from uncloud_auth.helpers import IsOwnerOrAdmin logger = logging.getLogger(__name__) +# FIXME: user resolution from user_pk field might fail if queried for +# non-existing username by an admin. It should return 404 instead. + ### # Payments and Payment Methods. class PaymentViewSet(viewsets.ReadOnlyModelViewSet): serializer_class = PaymentSerializer - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] def get_queryset(self): - return Payment.objects.filter(owner=self.request.user) - -class OrderViewSet(viewsets.ReadOnlyModelViewSet): - serializer_class = OrderSerializer - permission_classes = [permissions.IsAuthenticated] - - def get_queryset(self): - return Order.objects.filter(owner=self.request.user) + return Payment.objects.filter(owner__username=self.kwargs['user_pk']) class PaymentMethodViewSet(viewsets.ModelViewSet): - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] def get_serializer_class(self): if self.action == 'create': @@ -52,21 +49,22 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): return PaymentMethodSerializer def get_queryset(self): - return PaymentMethod.objects.filter(owner=self.request.user) + return PaymentMethod.objects.filter(owner__username=self.kwargs['user_pk']) # XXX: Handling of errors is far from great down there. @transaction.atomic - def create(self, request): + def create(self, request, user_pk): + user = get_user_model().objects.get(user_pk) serializer = self.get_serializer(data=request.data) serializer.is_valid(raise_exception=True) # Set newly created method as primary if no other method is. - if PaymentMethod.get_primary_for(request.user) == None: + if PaymentMethod.get_primary_for(user) == None: serializer.validated_data['primary'] = True if serializer.validated_data['source'] == "stripe": # Retrieve Stripe customer ID for user. - customer_id = uncloud_stripe.get_customer_id_for(request.user) + customer_id = uncloud_stripe.get_customer_id_for(user) if customer_id == None: return Response( {'error': 'Could not resolve customer stripe ID.'}, @@ -79,7 +77,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): status=status.HTTP_500_INTERNAL_SERVER_ERROR) payment_method = PaymentMethod.objects.create( - owner=request.user, + owner=user, stripe_setup_intent_id=setup_intent.id, **serializer.validated_data) @@ -90,11 +88,11 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): stripe_registration_url = reverse('api-root', request=request) + path return Response({'please_visit': stripe_registration_url}) else: - serializer.save(owner=request.user, **serializer.validated_data) + serializer.save(owner=user, **serializer.validated_data) return Response(serializer.data) @action(detail=True, methods=['post']) - def charge(self, request, pk=None): + def charge(self, request, pk=None, user_pk=None): payment_method = self.get_object() serializer = self.get_serializer(data=request.data) serializer.is_valid(raise_exception=True) @@ -107,7 +105,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR) @action(detail=True, methods=['get'], url_path='register-stripe-cc', renderer_classes=[TemplateHTMLRenderer]) - def register_stripe_cc(self, request, pk=None): + def register_stripe_cc(self, request, pk=None, user_pk=None): payment_method = self.get_object() if payment_method.source != 'stripe': @@ -143,7 +141,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): return Response(template_args, template_name='stripe-payment.html.j2') @action(detail=True, methods=['post'], url_path='activate-stripe-cc') - def activate_stripe_cc(self, request, pk=None): + def activate_stripe_cc(self, request, pk=None, user_pk=None): payment_method = self.get_object() try: setup_intent = uncloud_stripe.get_setup_intent( @@ -165,9 +163,10 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): return Response({'error': error}) @action(detail=True, methods=['post'], url_path='set-as-primary') - def set_as_primary(self, request, pk=None): + def set_as_primary(self, request, pk=None, user_pk=None): + user = get_user_model().objects.get(user_pk) payment_method = self.get_object() - payment_method.set_as_primary_for(request.user) + payment_method.set_as_primary_for(user) serializer = self.get_serializer(payment_method) return Response(serializer.data) @@ -177,28 +176,24 @@ class PaymentMethodViewSet(viewsets.ModelViewSet): class BillViewSet(viewsets.ReadOnlyModelViewSet): serializer_class = BillSerializer - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] def get_queryset(self): - return Bill.objects.filter(owner=self.request.user) - - def unpaid(self, request): - return Bill.objects.filter(owner=self.request.user, paid=False) - + return Bill.objects.filter(owner__username=self.kwargs['user_pk']) class OrderViewSet(viewsets.ReadOnlyModelViewSet): serializer_class = OrderSerializer - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] def get_queryset(self): - return Order.objects.filter(owner=self.request.user) + return Order.objects.filter(owner__username=self.kwargs['user_pk']) class BillingAddressViewSet(mixins.CreateModelMixin, mixins.RetrieveModelMixin, mixins.UpdateModelMixin, mixins.ListModelMixin, viewsets.GenericViewSet): - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] def get_serializer_class(self): if self.action == 'update': @@ -207,16 +202,17 @@ class BillingAddressViewSet(mixins.CreateModelMixin, return BillingAddressSerializer def get_queryset(self): - return self.request.user.billingaddress_set.all() + return BillingAddress.objects.filter(owner__username=self.kwargs['user_pk']) + + def create(self, request, user_pk): + user = get_user_model().objects.get(username=user_pk) - def create(self, request): serializer = self.get_serializer(data=request.data) serializer.is_valid(raise_exception=True) # Validate VAT numbers. country = serializer.validated_data["country"] vat_number = serializer.validated_data["vat_number"] - # We ignore empty VAT numbers. if vat_number != "": if not validate_vat(country, vat_number): @@ -238,7 +234,7 @@ class BillingAddressViewSet(mixins.CreateModelMixin, status=status.HTTP_500_INTERNAL_SERVER_ERROR) - serializer.save(owner=request.user) + serializer.save(owner=user) return Response(serializer.data) ###