add ModuleHasPermission to check if the token given is from a admin u…

…ser at keycloak
weni-ai · May 13, 2022 · e18b8d9 · e18b8d9
1 parent 809a891
commit e18b8d9
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 13 deletions.
diff --git a/bothub/api/v2/internal/organization/views.py b/bothub/api/v2/internal/organization/views.py
@@ -19,6 +19,7 @@
     OrgUpdateSerializer,
 )
 from bothub import utils
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 
 
 class InternalOrganizationViewSet(
@@ -31,6 +32,7 @@ class InternalOrganizationViewSet(
 ):
     queryset = Organization.objects.all()
     serializer_class = OrganizationSerializer
+    permission_classes = [ModuleHasPermission]
     lookup_field = "pk"
     metadata_class = Metadata
 

diff --git a/bothub/api/v2/internal/permissions.py b/bothub/api/v2/internal/permissions.py
@@ -1,17 +1,8 @@
 from rest_framework import permissions
 
-from .. import READ_METHODS, WRITE_METHODS
+from bothub.utils import check_module_keycloak
 
 
-class RepositoryEntityGroupHasPermission(permissions.BasePermission):
+class ModuleHasPermission(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):  # pragma: no cover
-        authorization = obj.repository_version.repository.get_user_authorization(
-            request.user
-        )
-        if request.method in READ_METHODS:
-            return authorization.can_read
-        if request.user.is_authenticated:
-            if request.method in WRITE_METHODS:
-                return authorization.can_write
-            return authorization.is_admin
-        return False
+        return check_module_keycloak(request.query_params.get("token", None))
diff --git a/bothub/api/v2/internal/repository/views.py b/bothub/api/v2/internal/repository/views.py
@@ -6,13 +6,14 @@
 
 from bothub.common.models import Repository
 
-# from bothub.api.v2.internal.permissions import ModulePermission
 from bothub.api.v2.internal.repository.serializers import InternalRepositorySerializer
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 
 
 class InternalRepositoriesViewSet(mixins.ListModelMixin, GenericViewSet):
     serializer_class = InternalRepositorySerializer
     queryset = Repository.objects
+    permission_classes = [ModuleHasPermission]
     filter_backends = [SearchFilter]
     search_fields = ["$name", "^name", "=name"]
 

diff --git a/bothub/api/v2/internal/user/views.py b/bothub/api/v2/internal/user/views.py
@@ -10,10 +10,12 @@
     UserLanguageSerializer,
 )
 from bothub import utils
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 
 
 class UserPermissionViewSet(GenericViewSet):
     queryset = OrganizationAuthorization.objects.all()
+    permission_classes = [ModuleHasPermission]
     serializer_class = UserPermissionSerializer
 
     @action(detail=True, methods=["get"])
@@ -61,6 +63,7 @@ def _get_user_permissions(self, org: Organization, user: User) -> dict:
 
 class UserViewSet(GenericViewSet):
     serializer_class = UserSerializer
+    permission_classes = [ModuleHasPermission]
     queryset = User.objects
 
     @action(detail=True, methods=["get"])
@@ -75,6 +78,7 @@ def retrive(self, request, **kwargs):
 
 class UserLanguageViewSet(GenericViewSet):
     serializer_class = UserLanguageSerializer
+    permission_classes = [ModuleHasPermission]
     queryset = User.objects
 
     @action(detail=True, methods=["put"])

diff --git a/bothub/utils.py b/bothub/utils.py
@@ -473,3 +473,11 @@ def filter_has_invalid_entities(self, queryset, name, value):
         return filter_validate_entities(queryset, value).exclude(
             original_entities_count=F("entities_count")
         )
+
+
+def check_module_keycloak(token):
+    request = requests.get(
+        f"{settings.OIDC_OP_USER_ENDPOINT}", headers={"Authorization": "Bearer {token}"}
+    )
+    response = request.json()
+    return response.get("is_admin", False)