From e18b8d98131e4694f73b5be29776b52f0be7d42c Mon Sep 17 00:00:00 2001
From: helllllllder
Date: Fri, 13 May 2022 18:14:40 -0300
Subject: [PATCH] add ModuleHasPermission to check if the token given is from a admin user at keycloak
---
 bothub/api/v2/internal/organization/views.py | 2 ++
 bothub/api/v2/internal/permissions.py | 15 +++------------
 bothub/api/v2/internal/repository/views.py | 3 ++-
 bothub/api/v2/internal/user/views.py | 4 ++++
 bothub/utils.py | 8 ++++++++
 5 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/bothub/api/v2/internal/organization/views.py b/bothub/api/v2/internal/organization/views.py
index 94e7a6ce..6d54df26 100644
--- a/bothub/api/v2/internal/organization/views.py
+++ b/bothub/api/v2/internal/organization/views.py
@@ -19,6 +19,7 @@
 OrgUpdateSerializer,
 )
 from bothub import utils
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 class InternalOrganizationViewSet(
@@ -31,6 +32,7 @@ class InternalOrganizationViewSet(
 ):
 queryset = Organization.objects.all()
 serializer_class = OrganizationSerializer
+ permission_classes = [ModuleHasPermission]
 lookup_field = "pk"
 metadata_class = Metadata
diff --git a/bothub/api/v2/internal/permissions.py b/bothub/api/v2/internal/permissions.py
index d4da2369..8316762e 100644
--- a/bothub/api/v2/internal/permissions.py
+++ b/bothub/api/v2/internal/permissions.py
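Review bot: `permission_classes = [ModuleHasPermission]` on InternalOrganizationViewSet replaces, rather than extends, whatever permission classes the viewset inherited or DRF's DEFAULT_PERMISSION_CLASSES supplied, so this one class is now the only gate on the endpoint. As defined in the permissions.py hunk of this patch, ModuleHasPermission overrides only `has_object_permission`, which DRF evaluates inside `get_object()`, while the inherited `has_permission` still returns True; any list or create action this viewset exposes (its mixin list starts above the hunk) would therefore run without the keycloak check. If dropping the previous classes is intended, say so next to the assignment, e.g. `# internal API: gated only by the keycloak admin token (ModuleHasPermission)`. The same assignment is added to the viewsets in repository/views.py and user/views.py.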
@@ -1,17 +1,8 @@
 from rest_framework import permissions
-from .. import READ_METHODS, WRITE_METHODS
+from bothub.utils import check_module_keycloak
-class RepositoryEntityGroupHasPermission(permissions.BasePermission):
+class ModuleHasPermission(permissions.BasePermission):
 def has_object_permission(self, request, view, obj): # pragma: no cover
- authorization = obj.repository_version.repository.get_user_authorization(
- request.user
- )
- if request.method in READ_METHODS:
- return authorization.can_read
- if request.user.is_authenticated:
- if request.method in WRITE_METHODS:
- return authorization.can_write
- return authorization.is_admin
- return False
+ return check_module_keycloak(request.query_params.get("token", None))
diff --git a/bothub/api/v2/internal/repository/views.py b/bothub/api/v2/internal/repository/views.py
index 136e12c4..25da73db 100644
--- a/bothub/api/v2/internal/repository/views.py
+++ b/bothub/api/v2/internal/repository/views.py
@@ -6,13 +6,14 @@
 from bothub.common.models import Repository
-# from bothub.api.v2.internal.permissions import ModulePermission
 from bothub.api.v2.internal.repository.serializers import InternalRepositorySerializer
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 class InternalRepositoriesViewSet(mixins.ListModelMixin, GenericViewSet):
 serializer_class = InternalRepositorySerializer
 queryset = Repository.objects
+ permission_classes = [ModuleHasPermission]
 filter_backends = [SearchFilter]
 search_fields = ["$name", "^name", "=name"]
diff --git a/bothub/api/v2/internal/user/views.py b/bothub/api/v2/internal/user/views.py
index 83cdb502..3069eb7c 100644
--- a/bothub/api/v2/internal/user/views.py
+++ b/bothub/api/v2/internal/user/views.py
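Review bot: `ModuleHasPermission` implements only `has_object_permission`, which DRF calls from `get_object()`/`check_object_permissions()`, while the inherited `has_permission` keeps returning True; the list-only InternalRepositoriesViewSet in repository/views.py and the detail `@action`s in user/views.py therefore receive no token check unless their handlers call `get_object()`. The check belongs at view level, e.g. `def has_permission(self, request, view): return check_module_keycloak(request.query_params.get("token"))`, with `has_object_permission` delegating to it or removed. Reading the bearer token from the `token` query parameter also writes it into server and proxy access logs; `request.META.get("HTTP_AUTHORIZATION")` or DRF's `request.auth` is the usual source. The `# pragma: no cover` on the method leaves the only authorization gate of these endpoints untested, and a test asserting that a missing or non-admin token yields 403 would cover it. Deleting `RepositoryEntityGroupHasPermission` and the `READ_METHODS`/`WRITE_METHODS` import breaks any other importer of that class; none is visible in this patch, so that is worth confirming.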
@@ -10,10 +10,12 @@
 UserLanguageSerializer,
 )
 from bothub import utils
+from bothub.api.v2.internal.permissions import ModuleHasPermission
 class UserPermissionViewSet(GenericViewSet):
 queryset = OrganizationAuthorization.objects.all()
+ permission_classes = [ModuleHasPermission]
 serializer_class = UserPermissionSerializer
 @action(detail=True, methods=["get"])
@@ -61,6 +63,7 @@ def _get_user_permissions(self, org: Organization, user: User) -> dict:
 class UserViewSet(GenericViewSet):
 serializer_class = UserSerializer
+ permission_classes = [ModuleHasPermission]
 queryset = User.objects
 @action(detail=True, methods=["get"])
@@ -75,6 +78,7 @@ def retrive(self, request, **kwargs):
 class UserLanguageViewSet(GenericViewSet):
 serializer_class = UserLanguageSerializer
+ permission_classes = [ModuleHasPermission]
 queryset = User.objects
 @action(detail=True, methods=["put"])
diff --git a/bothub/utils.py b/bothub/utils.py
index 752d67f1..7d5e8065 100644
--- a/bothub/utils.py
+++ b/bothub/utils.py
@@ -473,3 +473,11 @@ def filter_has_invalid_entities(self, queryset, name, value):
 return filter_validate_entities(queryset, value).exclude(
 original_entities_count=F("entities_count")
 )
+
+
+def check_module_keycloak(token):
+ request = requests.get(
+ f"{settings.OIDC_OP_USER_ENDPOINT}", headers={"Authorization": "Bearer {token}"}
+ )
+ response = request.json()
+ return response.get("is_admin", False)
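Review bot: The `Authorization` header in `check_module_keycloak` is built from the plain string `"Bearer {token}"` (no `f` prefix), so the literal text `{token}` is sent and the caller's token never reaches `settings.OIDC_OP_USER_ENDPOINT`; the `f` prefix sits on the URL argument instead, where it does nothing. With the header fixed, the call still has no `timeout=`, so a stalled identity provider blocks the request worker indefinitely, and a non-2xx or non-JSON reply makes `request.json()` raise instead of denying. A `None` token (the default the permission class passes) should short-circuit to False before any network call, and `request` is better named `response` since it holds the reply. The rewrite below fails closed on transport and decoding errors; logging those at the call site would help distinguish an IdP outage from a rejected token.
```python
def check_module_keycloak(token):
    """Return True if *token* belongs to a keycloak admin user, False otherwise."""
    if not token:
        return False
    try:
        response = requests.get(
            settings.OIDC_OP_USER_ENDPOINT,
            headers={"Authorization": f"Bearer {token}"},
            timeout=5,  # constructed value; tune for the identity provider
        )
        response.raise_for_status()
        payload = response.json()
    except (requests.RequestException, ValueError):
        # transport failure, non-2xx status or non-JSON body: deny
        return False
    return payload.get("is_admin", False)
```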