Posted to commits@airavata.apache.org by ma...@apache.org on 2019/06/20 15:21:06 UTC
[airavata-django-portal] 02/06: AIRAVATA-3048 Only allow Admins to
use user mgmt APIs
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata-django-portal.git
commit 36ee0fcb61366998d042e120038413486bc2b72b
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Sun Jun 16 09:11:10 2019 -0400
AIRAVATA-3048 Only allow Admins to use user mgmt APIs
---
django_airavata/apps/api/view_utils.py | 9 ++++++++-
django_airavata/apps/api/views.py | 5 ++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/django_airavata/apps/api/view_utils.py b/django_airavata/apps/api/view_utils.py
index 8e932da..3ad0e34 100644
--- a/django_airavata/apps/api/view_utils.py
+++ b/django_airavata/apps/api/view_utils.py
@@ -5,7 +5,7 @@ from datetime import datetime
import pytz
from django.conf import settings
from django.http import Http404
-from rest_framework import mixins, pagination
+from rest_framework import mixins, pagination, permissions
from rest_framework.response import Response
from rest_framework.reverse import reverse
from rest_framework.utils.urls import remove_query_param, replace_query_param
@@ -194,3 +194,10 @@ def convert_utc_iso8601_to_date(iso8601_utc_string):
logger.debug("convert_utc_iso8601_to_date({})={}".format(
iso8601_utc_string, timestamp))
return timestamp
+
+
+class IsInAdminsGroupPermission(permissions.BasePermission):
+ message = "User must be member of the Admins group."
+
+ def has_permission(self, request, view):
+ return request.is_gateway_admin
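Review bot: `has_permission` returns `request.is_gateway_admin` directly, so if that attribute is ever missing from the request (it appears to be set outside this file, presumably by middleware — I cannot confirm that from the hunk) the check raises AttributeError and the view answers 500 instead of a clean 403, and a non-bool truthy value would also be passed through as-is. Failing closed explicitly is cheaper than depending on middleware ordering: `return bool(getattr(request, 'is_gateway_admin', False))`. A short class docstring would also help the next reader, e.g. `"""Allow access only when the request is flagged as coming from a gateway admin (request.is_gateway_admin)."""`, since the attribute name alone does not say where the flag originates.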
diff --git a/django_airavata/apps/api/views.py b/django_airavata/apps/api/views.py
index 135f112..f22a4ea 100644
--- a/django_airavata/apps/api/views.py
+++ b/django_airavata/apps/api/views.py
@@ -37,7 +37,8 @@ from django_airavata.apps.api.view_utils import (
APIBackedViewSet,
APIResultIterator,
APIResultPagination,
- GenericAPIBackedViewSet
+ GenericAPIBackedViewSet,
+ IsInAdminsGroupPermission
)
from django_airavata.apps.auth import iam_admin_client
from django_airavata.apps.auth.models import EmailVerification
@@ -1392,6 +1393,7 @@ class IAMUserViewSet(mixins.CreateModelMixin,
GenericAPIBackedViewSet):
serializer_class = serializers.IAMUserProfile
pagination_class = APIResultPagination
+ permission_classes = (IsInAdminsGroupPermission,)
lookup_field = 'user_id'
def get_list(self):
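Review bot: Assigning `permission_classes = (IsInAdminsGroupPermission,)` replaces the view's permission list rather than extending it, so whatever DRF default permissions applied before (typically an authentication requirement from `DEFAULT_PERMISSION_CLASSES`, which is not visible here) no longer run on `IAMUserViewSet`; the same applies to the `UnverifiedEmailUserViewSet` hunk below. Access then depends entirely on `is_gateway_admin` being falsy for anonymous requests, which this commit does not show. Making the authentication requirement explicit keeps the intent readable and independent of that assumption: `permission_classes = (permissions.IsAuthenticated, IsInAdminsGroupPermission)`, with `rest_framework.permissions` imported in views.py if it is not already. The enclosing class definitions start outside the hunks.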
@@ -1477,6 +1479,7 @@ class UnverifiedEmailUserViewSet(mixins.ListModelMixin,
GenericAPIBackedViewSet):
serializer_class = serializers.UnverifiedEmailUserProfile
pagination_class = APIResultPagination
+ permission_classes = (IsInAdminsGroupPermission,)
lookup_field = 'user_id'
def get_list(self):