Posted to commits@airavata.apache.org by ma...@apache.org on 2019/06/20 15:21:06 UTC

[airavata-django-portal] 02/06: AIRAVATA-3048 Only allow Admins to use user mgmt APIs

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata-django-portal.git

commit 36ee0fcb61366998d042e120038413486bc2b72b
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Sun Jun 16 09:11:10 2019 -0400

    AIRAVATA-3048 Only allow Admins to use user mgmt APIs
---
 django_airavata/apps/api/view_utils.py | 9 ++++++++-
 django_airavata/apps/api/views.py      | 5 ++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/django_airavata/apps/api/view_utils.py b/django_airavata/apps/api/view_utils.py
index 8e932da..3ad0e34 100644
--- a/django_airavata/apps/api/view_utils.py
+++ b/django_airavata/apps/api/view_utils.py
@@ -5,7 +5,7 @@ from datetime import datetime
 import pytz
 from django.conf import settings
 from django.http import Http404
-from rest_framework import mixins, pagination
+from rest_framework import mixins, pagination, permissions
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
 from rest_framework.utils.urls import remove_query_param, replace_query_param
@@ -194,3 +194,10 @@ def convert_utc_iso8601_to_date(iso8601_utc_string):
     logger.debug("convert_utc_iso8601_to_date({})={}".format(
         iso8601_utc_string, timestamp))
     return timestamp
+
+
+class IsInAdminsGroupPermission(permissions.BasePermission):
+    message = "User must be member of the Admins group."
+
+    def has_permission(self, request, view):
+        return request.is_gateway_admin
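Review bot: `has_permission` reads `request.is_gateway_admin` with no fallback, so on a request where that attribute was never populated (the code that sets it is not visible in this diff, presumably middleware) the lookup raises AttributeError and the view answers 500 instead of the intended 403. Failing closed costs one line: `return bool(getattr(request, "is_gateway_admin", False))`, which keeps the boolean contract DRF expects from `has_permission` and still denies when the flag is absent. The class also has no docstring; a reader who cannot see where the flag comes from would be helped by e.g. `"""Grant access only when the request has been flagged as coming from a gateway Admins-group member."""`.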
diff --git a/django_airavata/apps/api/views.py b/django_airavata/apps/api/views.py
index 135f112..f22a4ea 100644
--- a/django_airavata/apps/api/views.py
+++ b/django_airavata/apps/api/views.py
@@ -37,7 +37,8 @@ from django_airavata.apps.api.view_utils import (
     APIBackedViewSet,
     APIResultIterator,
     APIResultPagination,
-    GenericAPIBackedViewSet
+    GenericAPIBackedViewSet,
+    IsInAdminsGroupPermission
 )
 from django_airavata.apps.auth import iam_admin_client
 from django_airavata.apps.auth.models import EmailVerification
@@ -1392,6 +1393,7 @@ class IAMUserViewSet(mixins.CreateModelMixin,
                      GenericAPIBackedViewSet):
     serializer_class = serializers.IAMUserProfile
     pagination_class = APIResultPagination
+    permission_classes = (IsInAdminsGroupPermission,)
     lookup_field = 'user_id'
 
     def get_list(self):
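Review bot: `permission_classes = (IsInAdminsGroupPermission,)` replaces, rather than extends, REST framework's `DEFAULT_PERMISSION_CLASSES`, so any project-wide default such as `IsAuthenticated` no longer applies to `IAMUserViewSet`; the same applies to `UnverifiedEmailUserViewSet` in the next hunk. That is only safe if `is_gateway_admin` is guaranteed falsy for anonymous requests, which this diff cannot show. If the intent is "authenticated and admin", state it explicitly: `permission_classes = (permissions.IsAuthenticated, IsInAdminsGroupPermission)` with `permissions` imported from `rest_framework`. Both class bodies begin and continue outside the hunks.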
@@ -1477,6 +1479,7 @@ class UnverifiedEmailUserViewSet(mixins.ListModelMixin,
                                  GenericAPIBackedViewSet):
     serializer_class = serializers.UnverifiedEmailUserProfile
     pagination_class = APIResultPagination
+    permission_classes = (IsInAdminsGroupPermission,)
     lookup_field = 'user_id'
 
     def get_list(self):