Compare commits

...

1 commit

7 changed files with 118 additions and 52 deletions

View file

@ -22,3 +22,5 @@ uritemplate
# Comprehensive interface to validate VAT numbers, making use of the VIES # Comprehensive interface to validate VAT numbers, making use of the VIES
# service for European countries. # service for European countries.
vat-validator vat-validator
drf-nested-routers

View file

@ -19,7 +19,7 @@ from django.urls import path, include
from django.conf import settings from django.conf import settings
from django.conf.urls.static import static from django.conf.urls.static import static
from rest_framework import routers from rest_framework_nested import routers
from rest_framework.schemas import get_schema_view from rest_framework.schemas import get_schema_view
from opennebula import views as oneviews from opennebula import views as oneviews
@ -51,15 +51,6 @@ router.register(r'service/generic', serviceviews.GenericServiceProductViewSet, b
router.register(r'net/vpn', netviews.VPNNetworkViewSet, basename='vpnnet') router.register(r'net/vpn', netviews.VPNNetworkViewSet, basename='vpnnet')
router.register(r'net/vpnreservation', netviews.VPNNetworkReservationViewSet, basename='vpnnetreservation') router.register(r'net/vpnreservation', netviews.VPNNetworkReservationViewSet, basename='vpnnetreservation')
# Pay
router.register(r'address', payviews.BillingAddressViewSet, basename='address')
router.register(r'bill', payviews.BillViewSet, basename='bill')
router.register(r'order', payviews.OrderViewSet, basename='order')
router.register(r'payment', payviews.PaymentViewSet, basename='payment')
router.register(r'payment-method', payviews.PaymentMethodViewSet, basename='payment-method')
# admin/staff urls # admin/staff urls
router.register(r'admin/bill', payviews.AdminBillViewSet, basename='admin/bill') router.register(r'admin/bill', payviews.AdminBillViewSet, basename='admin/bill')
router.register(r'admin/payment', payviews.AdminPaymentViewSet, basename='admin/payment') router.register(r'admin/payment', payviews.AdminPaymentViewSet, basename='admin/payment')
@ -70,11 +61,21 @@ router.register(r'admin/vpnpool', netviews.VPNPoolViewSet)
router.register(r'admin/opennebula', oneviews.VMViewSet, basename='opennebula') router.register(r'admin/opennebula', oneviews.VMViewSet, basename='opennebula')
# User/Account # User/Account
router.register(r'self', authviews.SelfViewSet, basename='self')
router.register(r'user', authviews.UserViewSet, basename='user') router.register(r'user', authviews.UserViewSet, basename='user')
router.register(r'admin/user', authviews.AdminUserViewSet, basename='useradmin')
users_router = routers.NestedSimpleRouter(router, r'user', lookup='user')
users_router.register(r'bill', payviews.BillViewSet, basename='user-bill')
users_router.register(r'address', payviews.BillingAddressViewSet, basename='user-address')
users_router.register(r'order', payviews.OrderViewSet, basename='user-order')
users_router.register(r'payment', payviews.PaymentViewSet, basename='user-payment')
users_router.register(r'payment-method', payviews.PaymentMethodViewSet, basename='user-payment-method')
urlpatterns = [ urlpatterns = [
path('', include(router.urls)), path('', include(router.urls)),
path('', include(users_router.urls)),
# web/ = stuff to view in the browser # web/ = stuff to view in the browser
path('web/pdf/', payviews.MyPDFView.as_view(), name='pdf'), path('web/pdf/', payviews.MyPDFView.as_view(), name='pdf'),

View file

@ -0,0 +1,24 @@
from rest_framework import permissions
from django.contrib.auth import get_user_model
class IsOwnerOrAdmin(permissions.BasePermission):
"""
Object-level permission to only allow owner or admin to edit an object.
Assumes the model instance has an `owner` attribute.
"""
def has_permission(self, request, view):
if request.user.is_staff:
return True
try:
target_user = get_user_model().objects.get(
username=view.kwargs['user_pk'])
return target_user == request.user
except:
return False
def has_object_permission(self, request, view, obj):
return (obj.owner == request.user) or request.user.is_staff

View file

@ -1,6 +1,7 @@
from django.contrib.auth.models import AbstractUser from django.contrib.auth.models import AbstractUser
from django.db import models from django.db import models
from django.core.validators import MinValueValidator from django.core.validators import MinValueValidator
from rest_framework.reverse import reverse
from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS

View file

@ -1,16 +1,49 @@
from django.contrib.auth import get_user_model from django.contrib.auth import get_user_model
from rest_framework import serializers from rest_framework import serializers
from rest_framework_nested.relations import NestedHyperlinkedRelatedField
from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS from uncloud import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS
class UserSerializer(serializers.ModelSerializer): class UserSerializer(serializers.HyperlinkedModelSerializer):
balance = serializers.DecimalField(max_digits=AMOUNT_MAX_DIGITS, balance = serializers.DecimalField(max_digits=AMOUNT_MAX_DIGITS,
decimal_places=AMOUNT_DECIMALS) decimal_places=AMOUNT_DECIMALS)
bill_endpoint = serializers.HyperlinkedIdentityField(
view_name='user-bill-list',
lookup_field='username',
lookup_url_kwarg='user_pk'
)
order_endpoint = serializers.HyperlinkedIdentityField(
view_name='user-order-list',
lookup_field='username',
lookup_url_kwarg='user_pk'
)
address_endpoint = serializers.HyperlinkedIdentityField(
view_name='user-address-list',
lookup_field='username',
lookup_url_kwarg='user_pk'
)
payment_method_endpoint = serializers.HyperlinkedIdentityField(
view_name='user-payment-method-list',
lookup_field='username',
lookup_url_kwarg='user_pk'
)
payment_endpoint = serializers.HyperlinkedIdentityField(
view_name='user-payment-list',
lookup_field='username',
lookup_url_kwarg='user_pk'
)
class Meta: class Meta:
model = get_user_model() model = get_user_model()
fields = ['username', 'email', 'balance', 'maximum_credit' ] fields = ['username', 'email', 'balance', 'maximum_credit',
'bill_endpoint', 'order_endpoint', 'address_endpoint',
'payment_method_endpoint', 'payment_endpoint']
class ImportUserSerializer(serializers.Serializer): class ImportUserSerializer(serializers.Serializer):
username = serializers.CharField() username = serializers.CharField()

View file

@ -3,9 +3,11 @@ from .serializers import *
from django_auth_ldap.backend import LDAPBackend from django_auth_ldap.backend import LDAPBackend
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.generics import get_object_or_404
from rest_framework import mixins from rest_framework import mixins
from .models import *
class UserViewSet(mixins.ListModelMixin, viewsets.GenericViewSet): class SelfViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated]
serializer_class = UserSerializer serializer_class = UserSerializer
@ -18,9 +20,8 @@ class UserViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
serializer = self.get_serializer(user, context = {'request': request}) serializer = self.get_serializer(user, context = {'request': request})
return Response(serializer.data) return Response(serializer.data)
class AdminUserViewSet(viewsets.ReadOnlyModelViewSet): class UserViewSet(viewsets.ReadOnlyModelViewSet):
# FIXME: make this admin permission_classes = [permissions.IsAdminUser]
permission_classes = [permissions.IsAuthenticated]
def get_serializer_class(self): def get_serializer_class(self):
if self.action == 'import_from_ldap': if self.action == 'import_from_ldap':
@ -29,7 +30,15 @@ class AdminUserViewSet(viewsets.ReadOnlyModelViewSet):
return UserSerializer return UserSerializer
def get_queryset(self): def get_queryset(self):
return get_user_model().objects.all() return User.objects.all()
# Override default implementation to search by username instead of ID.
def retrieve(self, request, pk):
queryset = self.filter_queryset(self.get_queryset())
instance = get_object_or_404(queryset, username=pk)
serializer = self.get_serializer(instance)
return Response(serializer.data)
@action(detail=False, methods=['post'], url_path='import_from_ldap') @action(detail=False, methods=['post'], url_path='import_from_ldap')
def import_from_ldap(self, request, pk=None): def import_from_ldap(self, request, pk=None):

View file

@ -18,28 +18,25 @@ from .serializers import *
from datetime import datetime from datetime import datetime
from vat_validator import sanitize_vat from vat_validator import sanitize_vat
import uncloud_pay.stripe as uncloud_stripe import uncloud_pay.stripe as uncloud_stripe
from uncloud_auth.helpers import IsOwnerOrAdmin
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# FIXME: user resolution from user_pk field might fail if queried for
# non-existing username by an admin. It should return 404 instead.
### ###
# Payments and Payment Methods. # Payments and Payment Methods.
class PaymentViewSet(viewsets.ReadOnlyModelViewSet): class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = PaymentSerializer serializer_class = PaymentSerializer
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_queryset(self): def get_queryset(self):
return Payment.objects.filter(owner=self.request.user) return Payment.objects.filter(owner__username=self.kwargs['user_pk'])
class OrderViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = OrderSerializer
permission_classes = [permissions.IsAuthenticated]
def get_queryset(self):
return Order.objects.filter(owner=self.request.user)
class PaymentMethodViewSet(viewsets.ModelViewSet): class PaymentMethodViewSet(viewsets.ModelViewSet):
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_serializer_class(self): def get_serializer_class(self):
if self.action == 'create': if self.action == 'create':
@ -52,21 +49,22 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
return PaymentMethodSerializer return PaymentMethodSerializer
def get_queryset(self): def get_queryset(self):
return PaymentMethod.objects.filter(owner=self.request.user) return PaymentMethod.objects.filter(owner__username=self.kwargs['user_pk'])
# XXX: Handling of errors is far from great down there. # XXX: Handling of errors is far from great down there.
@transaction.atomic @transaction.atomic
def create(self, request): def create(self, request, user_pk):
user = get_user_model().objects.get(user_pk)
serializer = self.get_serializer(data=request.data) serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
# Set newly created method as primary if no other method is. # Set newly created method as primary if no other method is.
if PaymentMethod.get_primary_for(request.user) == None: if PaymentMethod.get_primary_for(user) == None:
serializer.validated_data['primary'] = True serializer.validated_data['primary'] = True
if serializer.validated_data['source'] == "stripe": if serializer.validated_data['source'] == "stripe":
# Retrieve Stripe customer ID for user. # Retrieve Stripe customer ID for user.
customer_id = uncloud_stripe.get_customer_id_for(request.user) customer_id = uncloud_stripe.get_customer_id_for(user)
if customer_id == None: if customer_id == None:
return Response( return Response(
{'error': 'Could not resolve customer stripe ID.'}, {'error': 'Could not resolve customer stripe ID.'},
@ -79,7 +77,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
status=status.HTTP_500_INTERNAL_SERVER_ERROR) status=status.HTTP_500_INTERNAL_SERVER_ERROR)
payment_method = PaymentMethod.objects.create( payment_method = PaymentMethod.objects.create(
owner=request.user, owner=user,
stripe_setup_intent_id=setup_intent.id, stripe_setup_intent_id=setup_intent.id,
**serializer.validated_data) **serializer.validated_data)
@ -90,11 +88,11 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
stripe_registration_url = reverse('api-root', request=request) + path stripe_registration_url = reverse('api-root', request=request) + path
return Response({'please_visit': stripe_registration_url}) return Response({'please_visit': stripe_registration_url})
else: else:
serializer.save(owner=request.user, **serializer.validated_data) serializer.save(owner=user, **serializer.validated_data)
return Response(serializer.data) return Response(serializer.data)
@action(detail=True, methods=['post']) @action(detail=True, methods=['post'])
def charge(self, request, pk=None): def charge(self, request, pk=None, user_pk=None):
payment_method = self.get_object() payment_method = self.get_object()
serializer = self.get_serializer(data=request.data) serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
@ -107,7 +105,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR) return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
@action(detail=True, methods=['get'], url_path='register-stripe-cc', renderer_classes=[TemplateHTMLRenderer]) @action(detail=True, methods=['get'], url_path='register-stripe-cc', renderer_classes=[TemplateHTMLRenderer])
def register_stripe_cc(self, request, pk=None): def register_stripe_cc(self, request, pk=None, user_pk=None):
payment_method = self.get_object() payment_method = self.get_object()
if payment_method.source != 'stripe': if payment_method.source != 'stripe':
@ -143,7 +141,7 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
return Response(template_args, template_name='stripe-payment.html.j2') return Response(template_args, template_name='stripe-payment.html.j2')
@action(detail=True, methods=['post'], url_path='activate-stripe-cc') @action(detail=True, methods=['post'], url_path='activate-stripe-cc')
def activate_stripe_cc(self, request, pk=None): def activate_stripe_cc(self, request, pk=None, user_pk=None):
payment_method = self.get_object() payment_method = self.get_object()
try: try:
setup_intent = uncloud_stripe.get_setup_intent( setup_intent = uncloud_stripe.get_setup_intent(
@ -165,9 +163,10 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
return Response({'error': error}) return Response({'error': error})
@action(detail=True, methods=['post'], url_path='set-as-primary') @action(detail=True, methods=['post'], url_path='set-as-primary')
def set_as_primary(self, request, pk=None): def set_as_primary(self, request, pk=None, user_pk=None):
user = get_user_model().objects.get(user_pk)
payment_method = self.get_object() payment_method = self.get_object()
payment_method.set_as_primary_for(request.user) payment_method.set_as_primary_for(user)
serializer = self.get_serializer(payment_method) serializer = self.get_serializer(payment_method)
return Response(serializer.data) return Response(serializer.data)
@ -177,28 +176,24 @@ class PaymentMethodViewSet(viewsets.ModelViewSet):
class BillViewSet(viewsets.ReadOnlyModelViewSet): class BillViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = BillSerializer serializer_class = BillSerializer
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_queryset(self): def get_queryset(self):
return Bill.objects.filter(owner=self.request.user) return Bill.objects.filter(owner__username=self.kwargs['user_pk'])
def unpaid(self, request):
return Bill.objects.filter(owner=self.request.user, paid=False)
class OrderViewSet(viewsets.ReadOnlyModelViewSet): class OrderViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = OrderSerializer serializer_class = OrderSerializer
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_queryset(self): def get_queryset(self):
return Order.objects.filter(owner=self.request.user) return Order.objects.filter(owner__username=self.kwargs['user_pk'])
class BillingAddressViewSet(mixins.CreateModelMixin, class BillingAddressViewSet(mixins.CreateModelMixin,
mixins.RetrieveModelMixin, mixins.RetrieveModelMixin,
mixins.UpdateModelMixin, mixins.UpdateModelMixin,
mixins.ListModelMixin, mixins.ListModelMixin,
viewsets.GenericViewSet): viewsets.GenericViewSet):
permission_classes = [permissions.IsAuthenticated] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_serializer_class(self): def get_serializer_class(self):
if self.action == 'update': if self.action == 'update':
@ -207,16 +202,17 @@ class BillingAddressViewSet(mixins.CreateModelMixin,
return BillingAddressSerializer return BillingAddressSerializer
def get_queryset(self): def get_queryset(self):
return self.request.user.billingaddress_set.all() return BillingAddress.objects.filter(owner__username=self.kwargs['user_pk'])
def create(self, request, user_pk):
user = get_user_model().objects.get(username=user_pk)
def create(self, request):
serializer = self.get_serializer(data=request.data) serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
# Validate VAT numbers. # Validate VAT numbers.
country = serializer.validated_data["country"] country = serializer.validated_data["country"]
vat_number = serializer.validated_data["vat_number"] vat_number = serializer.validated_data["vat_number"]
# We ignore empty VAT numbers. # We ignore empty VAT numbers.
if vat_number != "": if vat_number != "":
if not validate_vat(country, vat_number): if not validate_vat(country, vat_number):
@ -238,7 +234,7 @@ class BillingAddressViewSet(mixins.CreateModelMixin,
status=status.HTTP_500_INTERNAL_SERVER_ERROR) status=status.HTTP_500_INTERNAL_SERVER_ERROR)
serializer.save(owner=request.user) serializer.save(owner=user)
return Response(serializer.data) return Response(serializer.data)
### ###