478 lines
18 KiB
Python
478 lines
18 KiB
Python
# Copyright (C) 2014-2016 Andrey Antukh <niwi@niwi.nz>
|
|
# Copyright (C) 2014-2016 Jesús Espino <jespinog@gmail.com>
|
|
# Copyright (C) 2014-2016 David Barragán <bameda@dbarragan.com>
|
|
# Copyright (C) 2014-2016 Alejandro Alonso <alejandro.alonso@kaleidos.net>
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# The code is partially taken (and modified) from django rest framework
|
|
# that is licensed under the following terms:
|
|
#
|
|
# Copyright (c) 2011-2014, Tom Christie
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are met:
|
|
#
|
|
# Redistributions of source code must retain the above copyright notice, this
|
|
# list of conditions and the following disclaimer.
|
|
# Redistributions in binary form must reproduce the above copyright notice, this
|
|
# list of conditions and the following disclaimer in the documentation and/or
|
|
# other materials provided with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
import json
|
|
|
|
from django.conf import settings
|
|
from django.core.exceptions import PermissionDenied
|
|
from django.http import Http404, HttpResponse
|
|
from django.http.response import HttpResponseBase
|
|
from django.views.decorators.csrf import csrf_exempt
|
|
from django.views.defaults import server_error
|
|
from django.views.generic import View
|
|
from django.utils.datastructures import SortedDict
|
|
from django.utils.encoding import smart_text
|
|
from django.utils.translation import ugettext as _
|
|
|
|
from .request import Request
|
|
from .settings import api_settings
|
|
from .utils import formatting
|
|
|
|
from taiga.base import status
|
|
from taiga.base import exceptions
|
|
from taiga.base.response import Response
|
|
from taiga.base.response import Ok
|
|
from taiga.base.response import NotFound
|
|
from taiga.base.response import Forbidden
|
|
from taiga.base.utils.iterators import as_tuple
|
|
|
|
|
|
|
|
def get_view_name(view_cls, suffix=None):
|
|
"""
|
|
Given a view class, return a textual name to represent the view.
|
|
This name is used in the browsable API, and in OPTIONS responses.
|
|
|
|
This function is the default for the `VIEW_NAME_FUNCTION` setting.
|
|
"""
|
|
name = view_cls.__name__
|
|
name = formatting.remove_trailing_string(name, 'View')
|
|
name = formatting.remove_trailing_string(name, 'ViewSet')
|
|
name = formatting.camelcase_to_spaces(name)
|
|
if suffix:
|
|
name += ' ' + suffix
|
|
|
|
return name
|
|
|
|
|
|
def get_view_description(view_cls, html=False):
|
|
"""
|
|
Given a view class, return a textual description to represent the view.
|
|
This name is used in the browsable API, and in OPTIONS responses.
|
|
|
|
This function is the default for the `VIEW_DESCRIPTION_FUNCTION` setting.
|
|
"""
|
|
description = view_cls.__doc__ or ''
|
|
description = formatting.dedent(smart_text(description))
|
|
if html:
|
|
return formatting.markup_description(description)
|
|
return description
|
|
|
|
|
|
def exception_handler(exc):
|
|
"""
|
|
Returns the response that should be used for any given exception.
|
|
|
|
By default we handle the REST framework `APIException`, and also
|
|
Django's builtin `Http404` and `PermissionDenied` exceptions.
|
|
|
|
Any unhandled exceptions may return `None`, which will cause a 500 error
|
|
to be raised.
|
|
"""
|
|
if isinstance(exc, exceptions.APIException):
|
|
headers = {}
|
|
if getattr(exc, 'auth_header', None):
|
|
headers['WWW-Authenticate'] = exc.auth_header
|
|
if getattr(exc, 'wait', None):
|
|
headers['X-Throttle-Wait-Seconds'] = '%d' % exc.wait
|
|
|
|
return Response({'detail': exc.detail},
|
|
status=exc.status_code,
|
|
headers=headers)
|
|
|
|
elif isinstance(exc, Http404):
|
|
return NotFound({'detail': _('Not found')})
|
|
|
|
elif isinstance(exc, PermissionDenied):
|
|
return Forbidden({'detail': _('Permission denied')})
|
|
|
|
# Note: Unhandled exceptions will raise a 500 error.
|
|
return None
|
|
|
|
|
|
class APIView(View):
|
|
# The following policies may be set at either globally, or per-view.
|
|
renderer_classes = api_settings.DEFAULT_RENDERER_CLASSES
|
|
parser_classes = api_settings.DEFAULT_PARSER_CLASSES
|
|
authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES
|
|
throttle_classes = api_settings.DEFAULT_THROTTLE_CLASSES
|
|
permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
|
|
content_negotiation_class = api_settings.DEFAULT_CONTENT_NEGOTIATION_CLASS
|
|
|
|
# Allow dependancy injection of other settings to make testing easier.
|
|
settings = api_settings
|
|
|
|
@classmethod
|
|
def as_view(cls, **initkwargs):
|
|
"""
|
|
Store the original class on the view function.
|
|
|
|
This allows us to discover information about the view when we do URL
|
|
reverse lookups. Used for breadcrumb generation.
|
|
"""
|
|
view = super(APIView, cls).as_view(**initkwargs)
|
|
view.cls = cls
|
|
return view
|
|
|
|
@property
|
|
def allowed_methods(self):
|
|
"""
|
|
Wrap Django's private `_allowed_methods` interface in a public property.
|
|
"""
|
|
return self._allowed_methods()
|
|
|
|
@property
|
|
def default_response_headers(self):
|
|
headers = {
|
|
'Allow': ', '.join(self.allowed_methods),
|
|
}
|
|
if len(self.renderer_classes) > 1:
|
|
headers['Vary'] = 'Accept'
|
|
return headers
|
|
|
|
def http_method_not_allowed(self, request, *args, **kwargs):
|
|
"""
|
|
If `request.method` does not correspond to a handler method,
|
|
determine what kind of exception to raise.
|
|
"""
|
|
raise exceptions.MethodNotAllowed(request.method)
|
|
|
|
def permission_denied(self, request):
|
|
"""
|
|
If request is not permitted, determine what kind of exception to raise.
|
|
"""
|
|
if not request.successful_authenticator:
|
|
raise exceptions.NotAuthenticated()
|
|
raise exceptions.PermissionDenied()
|
|
|
|
def throttled(self, request, wait):
|
|
"""
|
|
If request is throttled, determine what kind of exception to raise.
|
|
"""
|
|
raise exceptions.Throttled(wait)
|
|
|
|
def get_authenticate_header(self, request):
|
|
"""
|
|
If a request is unauthenticated, determine the WWW-Authenticate
|
|
header to use for 401 responses, if any.
|
|
"""
|
|
authenticators = self.get_authenticators()
|
|
if authenticators:
|
|
return authenticators[0].authenticate_header(request)
|
|
|
|
def get_parser_context(self, http_request):
|
|
"""
|
|
Returns a dict that is passed through to Parser.parse(),
|
|
as the `parser_context` keyword argument.
|
|
"""
|
|
# Note: Additionally `request` and `encoding` will also be added
|
|
# to the context by the Request object.
|
|
return {
|
|
'view': self,
|
|
'args': getattr(self, 'args', ()),
|
|
'kwargs': getattr(self, 'kwargs', {})
|
|
}
|
|
|
|
def get_renderer_context(self):
|
|
"""
|
|
Returns a dict that is passed through to Renderer.render(),
|
|
as the `renderer_context` keyword argument.
|
|
"""
|
|
# Note: Additionally 'response' will also be added to the context,
|
|
# by the Response object.
|
|
return {
|
|
'view': self,
|
|
'args': getattr(self, 'args', ()),
|
|
'kwargs': getattr(self, 'kwargs', {}),
|
|
'request': getattr(self, 'request', None)
|
|
}
|
|
|
|
def get_view_name(self):
|
|
"""
|
|
Return the view name, as used in OPTIONS responses and in the
|
|
browsable API.
|
|
"""
|
|
func = self.settings.VIEW_NAME_FUNCTION
|
|
return func(self.__class__, getattr(self, 'suffix', None))
|
|
|
|
def get_view_description(self, html=False):
|
|
"""
|
|
Return some descriptive text for the view, as used in OPTIONS responses
|
|
and in the browsable API.
|
|
"""
|
|
func = self.settings.VIEW_DESCRIPTION_FUNCTION
|
|
return func(self.__class__, html)
|
|
|
|
# API policy instantiation methods
|
|
|
|
def get_format_suffix(self, **kwargs):
|
|
"""
|
|
Determine if the request includes a '.json' style format suffix
|
|
"""
|
|
if self.settings.FORMAT_SUFFIX_KWARG:
|
|
return kwargs.get(self.settings.FORMAT_SUFFIX_KWARG)
|
|
|
|
def get_renderers(self):
|
|
"""
|
|
Instantiates and returns the list of renderers that this view can use.
|
|
"""
|
|
return [renderer() for renderer in self.renderer_classes]
|
|
|
|
def get_parsers(self):
|
|
"""
|
|
Instantiates and returns the list of parsers that this view can use.
|
|
"""
|
|
return [parser() for parser in self.parser_classes]
|
|
|
|
def get_authenticators(self):
|
|
"""
|
|
Instantiates and returns the list of authenticators that this view can use.
|
|
"""
|
|
return [auth() for auth in self.authentication_classes]
|
|
|
|
@as_tuple
|
|
def get_permissions(self):
|
|
"""
|
|
Instantiates and returns the list of permissions that this view requires.
|
|
"""
|
|
for permcls in self.permission_classes:
|
|
instance = permcls(request=self.request,
|
|
view=self)
|
|
yield instance
|
|
|
|
def get_throttles(self):
|
|
"""
|
|
Instantiates and returns the list of throttles that this view uses.
|
|
"""
|
|
return [throttle() for throttle in self.throttle_classes]
|
|
|
|
def get_content_negotiator(self):
|
|
"""
|
|
Instantiate and return the content negotiation class to use.
|
|
"""
|
|
if not getattr(self, '_negotiator', None):
|
|
self._negotiator = self.content_negotiation_class()
|
|
return self._negotiator
|
|
|
|
# API policy implementation methods
|
|
|
|
def perform_content_negotiation(self, request, force=False):
|
|
"""
|
|
Determine which renderer and media type to use render the response.
|
|
"""
|
|
renderers = self.get_renderers()
|
|
conneg = self.get_content_negotiator()
|
|
|
|
try:
|
|
return conneg.select_renderer(request, renderers, self.format_kwarg)
|
|
except Exception:
|
|
if force:
|
|
return (renderers[0], renderers[0].media_type)
|
|
raise
|
|
|
|
def perform_authentication(self, request):
|
|
"""
|
|
Perform authentication on the incoming request.
|
|
|
|
Note that if you override this and simply 'pass', then authentication
|
|
will instead be performed lazily, the first time either
|
|
`request.user` or `request.auth` is accessed.
|
|
"""
|
|
request.user
|
|
|
|
def check_permissions(self, request, action:str=None, obj=None):
|
|
if action is None:
|
|
self.permission_denied(request)
|
|
|
|
for permission in self.get_permissions():
|
|
if not permission.check_permissions(action=action, obj=obj):
|
|
self.permission_denied(request)
|
|
|
|
def check_object_permissions(self, request, obj):
|
|
self.check_permissions(request, None, obj)
|
|
|
|
def check_throttles(self, request):
|
|
"""
|
|
Check if request should be throttled.
|
|
Raises an appropriate exception if the request is throttled.
|
|
"""
|
|
for throttle in self.get_throttles():
|
|
if not throttle.allow_request(request, self):
|
|
self.throttled(request, throttle.wait())
|
|
|
|
# Dispatch methods
|
|
|
|
def initialize_request(self, request, *args, **kwargs):
|
|
"""
|
|
Returns the initial request object.
|
|
"""
|
|
parser_context = self.get_parser_context(request)
|
|
|
|
return Request(request,
|
|
parsers=self.get_parsers(),
|
|
authenticators=self.get_authenticators(),
|
|
negotiator=self.get_content_negotiator(),
|
|
parser_context=parser_context)
|
|
|
|
def initial(self, request, *args, **kwargs):
|
|
"""
|
|
Runs anything that needs to occur prior to calling the method handler.
|
|
"""
|
|
self.format_kwarg = self.get_format_suffix(**kwargs)
|
|
|
|
# Ensure that the incoming request is permitted
|
|
self.perform_authentication(request)
|
|
self.check_throttles(request)
|
|
|
|
# Perform content negotiation and store the accepted info on the request
|
|
neg = self.perform_content_negotiation(request)
|
|
request.accepted_renderer, request.accepted_media_type = neg
|
|
|
|
def finalize_response(self, request, response, *args, **kwargs):
|
|
"""
|
|
Returns the final response object.
|
|
"""
|
|
# Make the error obvious if a proper response is not returned
|
|
assert isinstance(response, HttpResponseBase), ('Expected a `Response`, `HttpResponse` or '
|
|
'`HttpStreamingResponse` to be returned from the view, '
|
|
'but received a `%s`' % type(response))
|
|
|
|
if isinstance(response, Response):
|
|
if not getattr(request, 'accepted_renderer', None):
|
|
neg = self.perform_content_negotiation(request, force=True)
|
|
request.accepted_renderer, request.accepted_media_type = neg
|
|
|
|
response.accepted_renderer = request.accepted_renderer
|
|
response.accepted_media_type = request.accepted_media_type
|
|
response.renderer_context = self.get_renderer_context()
|
|
|
|
for key, value in self.headers.items():
|
|
response[key] = value
|
|
|
|
return response
|
|
|
|
def handle_exception(self, exc):
|
|
"""
|
|
Handle any exception that occurs, by returning an appropriate response,
|
|
or re-raising the error.
|
|
"""
|
|
if isinstance(exc, (exceptions.NotAuthenticated,
|
|
exceptions.AuthenticationFailed)):
|
|
# WWW-Authenticate header for 401 responses, else coerce to 403
|
|
auth_header = self.get_authenticate_header(self.request)
|
|
|
|
if auth_header:
|
|
exc.auth_header = auth_header
|
|
else:
|
|
exc.status_code = status.HTTP_403_FORBIDDEN
|
|
|
|
response = self.settings.EXCEPTION_HANDLER(exc)
|
|
|
|
if response is None:
|
|
raise
|
|
|
|
response.exception = True
|
|
return response
|
|
|
|
# Note: session based authentication is explicitly CSRF validated,
|
|
# all other authentication is CSRF exempt.
|
|
@csrf_exempt
|
|
def dispatch(self, request, *args, **kwargs):
|
|
"""
|
|
`.dispatch()` is pretty much the same as Django's regular dispatch,
|
|
but with extra hooks for startup, finalize, and exception handling.
|
|
"""
|
|
self.args = args
|
|
self.kwargs = kwargs
|
|
request = self.initialize_request(request, *args, **kwargs)
|
|
self.request = request
|
|
self.headers = self.default_response_headers
|
|
|
|
try:
|
|
self.initial(request, *args, **kwargs)
|
|
|
|
# Get the appropriate handler method
|
|
if request.method.lower() in self.http_method_names:
|
|
handler = getattr(self, request.method.lower(),
|
|
self.http_method_not_allowed)
|
|
else:
|
|
handler = self.http_method_not_allowed
|
|
|
|
response = handler(request, *args, **kwargs)
|
|
|
|
except Exception as exc:
|
|
response = self.handle_exception(exc)
|
|
|
|
self.response = self.finalize_response(request, response, *args, **kwargs)
|
|
return self.response
|
|
|
|
def options(self, request, *args, **kwargs):
|
|
"""
|
|
Handler method for HTTP 'OPTIONS' request.
|
|
We may as well implement this as Django will otherwise provide
|
|
a less useful default implementation.
|
|
"""
|
|
return Ok(self.metadata(request))
|
|
|
|
def metadata(self, request):
|
|
"""
|
|
Return a dictionary of metadata about the view.
|
|
Used to return responses for OPTIONS requests.
|
|
"""
|
|
# By default we can't provide any form-like information, however the
|
|
# generic views override this implementation and add additional
|
|
# information for POST and PUT methods, based on the serializer.
|
|
ret = SortedDict()
|
|
ret['name'] = self.get_view_name()
|
|
ret['description'] = self.get_view_description()
|
|
ret['renders'] = [renderer.media_type for renderer in self.renderer_classes]
|
|
ret['parses'] = [parser.media_type for parser in self.parser_classes]
|
|
return ret
|
|
|
|
|
|
def api_server_error(request, *args, **kwargs):
|
|
if settings.DEBUG is False and request.META.get('CONTENT_TYPE', None) == "application/json":
|
|
return HttpResponse(json.dumps({"error": _("Server application error")}),
|
|
status=status.HTTP_500_INTERNAL_SERVER_ERROR)
|
|
return server_error(request, *args, **kwargs)
|