Merge 9f89f05 into c92c08d

weni-ai · Jul 5, 2019 · d7ea7c4 · d7ea7c4
2 parents c92c08d + 9f89f05
commit d7ea7c4
Show file tree

Hide file tree

Showing 4 changed files with 564 additions and 19 deletions.
diff --git a/bothub/api/v2/evaluate/permissions.py b/bothub/api/v2/evaluate/permissions.py
@@ -1,29 +1,45 @@
 from rest_framework import permissions
 
+from bothub.common.models import Repository
 from .. import READ_METHODS
 from .. import WRITE_METHODS
 
 
 class RepositoryEvaluatePermission(permissions.BasePermission):
 
-    def has_object_permission(self, request, view, obj):
-        authorization = obj.repository_update. \
-            repository.get_user_authorization(request.user)
-        if request.method in READ_METHODS:
-            return authorization.can_read
-        if request.user.is_authenticated:
-            if request.method in WRITE_METHODS:
-                return authorization.can_write
-            return authorization.is_admin
-        return False
+    def has_permission(self, request, view):
+        try:
+            repository = Repository.objects.get(
+                uuid=request.GET.get('repository_uuid')
+            )
+            authorization = repository.get_user_authorization(request.user)
 
+            if request.method in READ_METHODS and \
+                    not request.user.is_authenticated:
+                return authorization.can_read
+
+            if request.user.is_authenticated:
+                if request.method in READ_METHODS:
+                    return authorization.can_read
+                if request.method in WRITE_METHODS:
+                    return authorization.can_write
+                return authorization.is_admin
+            return False
+        except Repository.DoesNotExist:
+            return False
 
-class RepositoryEvaluateResultPermission(permissions.BasePermission):
 
-    def has_object_permission(self, request, view, obj):
-        authorization = obj.repository_update. \
-            repository.get_user_authorization(request.user)
+class RepositoryEvaluateResultPermission(permissions.BasePermission):
 
-        if request.method in READ_METHODS:
-            return authorization.can_read
-        return authorization.can_contribute
+    def has_permission(self, request, view):
+        try:
+            repository = Repository.objects.get(
+                uuid=request.GET.get('repository_uuid')
+            )
+            authorization = repository.get_user_authorization(request.user)
+
+            if request.method in READ_METHODS:
+                return authorization.can_read
+            return authorization.can_contribute
+        except Repository.DoesNotExist:
+            return False
diff --git a/bothub/api/v2/evaluate/views.py b/bothub/api/v2/evaluate/views.py
@@ -1,6 +1,7 @@
 from rest_framework.viewsets import GenericViewSet
 from rest_framework import mixins
 from rest_framework.permissions import IsAuthenticatedOrReadOnly
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.filters import SearchFilter
 from rest_framework.filters import OrderingFilter
 
@@ -32,6 +33,7 @@ class EvaluateViewSet(
     """
     Manager evaluate (tests).
     """
+    lookup_fields = ('pk', 'repository_uuid')
     queryset = RepositoryEvaluate.objects
     serializer_class = RepositoryEvaluateSerializer
     permission_classes = [
@@ -65,9 +67,10 @@ class ResultsListViewSet(
         GenericViewSet):
 
     queryset = RepositoryEvaluateResult.objects
+    lookup_fields = ['repository_uuid']
     serializer_class = RepositoryEvaluateResultVersionsSerializer
     permission_classes = [
-        IsAuthenticatedOrReadOnly,
+        IsAuthenticated,
         RepositoryEvaluateResultPermission,
     ]
     filter_class = EvaluateResultsFilter

diff --git a/bothub/api/v2/repository/permissions.py b/bothub/api/v2/repository/permissions.py
@@ -7,9 +7,13 @@
 class RepositoryPermission(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):
         authorization = obj.get_user_authorization(request.user)
-        if request.method in READ_METHODS:
+        if request.method in READ_METHODS and \
+                not request.user.is_authenticated:
             return authorization.can_read
+
         if request.user.is_authenticated:
+            if request.method in READ_METHODS:
+                return authorization.can_read
             if request.method in WRITE_METHODS:
                 return authorization.can_write
             return authorization.is_admin