Merge pull request #95 from silverlogic/BA-1338-drf-nested

sundayguru · web-flow · commit ab7656167071 · 2024-04-02T23:06:39.000+02:00
BA-1338: Add drf nested router and implement permission management route
diff --git a/baseapp-auth/baseapp_auth/rest_framework/routers/account.py b/baseapp-auth/baseapp_auth/rest_framework/routers/account.py
@@ -24,5 +24,13 @@
 from baseapp_auth.rest_framework.change_email.views import (
     ChangeEmailViewSet,
 )  # noqa
+from baseapp_auth.rest_framework.users.views import PermissionsViewSet, UsersViewSet  # noqa
+from rest_framework_nested.routers import NestedSimpleRouter  # noqa
 
 account_router.register(r"change-email", ChangeEmailViewSet, basename="change-email")
+
+
+account_router.register(r"users", UsersViewSet, basename="users")
+
+users_router_nested = NestedSimpleRouter(account_router, r"users", lookup="user")
+users_router_nested.register(r"permissions", PermissionsViewSet, basename="user-permissions")
diff --git a/baseapp-auth/baseapp_auth/rest_framework/users/serializers.py b/baseapp-auth/baseapp_auth/rest_framework/users/serializers.py
@@ -5,6 +5,8 @@
 from baseapp_core.rest_framework.serializers import ModelSerializer
 from baseapp_referrals.utils import get_referral_code, get_user_from_referral_code
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
@@ -141,3 +143,46 @@ def update(self, instance, validated_data):
 
 class UserPermissionSerializer(serializers.Serializer):
     perm = serializers.CharField(required=True)
+
+
+class UserContentTypeSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ContentType
+        fields = ["app_label", "model"]
+
+
+class UserManagePermissionSerializer(serializers.ModelSerializer):
+    content_type = UserContentTypeSerializer(read_only=True)
+    permissions = serializers.ListField(
+        child=serializers.CharField(), write_only=True, required=False
+    )
+
+    class Meta:
+        model = Permission
+        fields = ["id", "codename", "content_type", "permissions"]
+        extra_kwargs = {
+            "codename": {"required": False},
+        }
+
+    def create(self, validated_data):
+        user = self.context["user"]
+        if not user:
+            raise serializers.ValidationError({"user": "User does not exist."})
+        if not self.context["request"].user.has_perm("users.change_user"):
+            raise serializers.ValidationError(
+                {"detail": "You do not have permission to perform this action."}
+            )
+        perms = validated_data.pop("permissions", [])
+        if len(perms) > 0:
+            permissions = Permission.objects.filter(codename__in=perms)
+            user.user_permissions.set(permissions)
+
+        if validated_data.get("codename"):
+            permission = Permission.objects.filter(codename=validated_data["codename"]).first()
+            if not permission:
+                raise serializers.ValidationError(
+                    {"codename": "Permission with this codename does not exist."}
+                )
+            user.user_permissions.add(permission)
+            return permission
+        return validated_data
diff --git a/baseapp-auth/baseapp_auth/rest_framework/users/views.py b/baseapp-auth/baseapp_auth/rest_framework/users/views.py
@@ -1,6 +1,8 @@
 from baseapp_core.rest_framework.decorators import action
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.http import Http404
+from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext_lazy as _
 from rest_framework import (
     filters,
@@ -11,13 +13,15 @@
     status,
     viewsets,
 )
+from rest_framework_nested.viewsets import NestedViewSetMixin
 
 User = get_user_model()
 
 from .parsers import SafeJSONParser
 from .serializers import (
     ChangePasswordSerializer,
     ConfirmEmailSerializer,
+    UserManagePermissionSerializer,
     UserPermissionSerializer,
     UserSerializer,
 )
@@ -112,3 +116,31 @@ def permissions(self, request):
         serializer.is_valid(raise_exception=True)
 
         return response.Response({"has_perm": user.has_perm(serializer.data["perm"])})
+
+
+class PermissionsViewSet(
+    NestedViewSetMixin, viewsets.GenericViewSet, mixins.ListModelMixin, mixins.CreateModelMixin
+):
+    pagination_class = None
+    serializer_class = UserManagePermissionSerializer
+    permission_classes = [
+        permissions.IsAuthenticated,
+    ]
+    parent_lookup_kwargs = {"user_pk": "user__id"}
+
+    def get_user(self):
+        user_pk = self.kwargs.get("user_pk", None)
+        return get_object_or_404(User, pk=user_pk) if user_pk else None
+
+    def get_queryset(self):
+        user = self.get_user()
+        if user:
+            if not self.request.user.has_perm("users.change_user"):
+                raise serializers.ValidationError(
+                    {"detail": "You do not have permission to perform this action."}
+                )
+            return user.user_permissions.all().select_related("content_type")
+        return Permission.objects.all().select_related("content_type")
+
+    def get_serializer_context(self):
+        return {**super().get_serializer_context(), "user": self.get_user()}
diff --git a/baseapp-auth/baseapp_auth/tests/integration/test_users.py b/baseapp-auth/baseapp_auth/tests/integration/test_users.py
@@ -3,8 +3,6 @@
 import baseapp_auth.tests.helpers as h
 import pytest
 from avatar.models import Avatar
-from baseapp_auth.rest_framework.routers.account import account_router
-from baseapp_auth.rest_framework.users.views import UsersViewSet
 from baseapp_auth.tests.factories import PasswordValidationFactory
 from baseapp_auth.tests.mixins import ApiMixin
 from baseapp_auth.tokens import ConfirmEmailTokenGenerator
@@ -13,6 +11,7 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.utils import timezone
 
 User = get_user_model()
@@ -26,10 +25,6 @@
 
 UserReferral = get_user_referral_model()
 
-account_router.register(
-    r"users", UsersViewSet, basename="users"
-)  # We expect the main app to register the viewset
-
 
 class TestUsersRetrieve(ApiMixin):
     view_name = "users-detail"
@@ -321,3 +316,65 @@ def test_user_get_false_without_permission(self, user_client):
         r = user_client.post(self.reverse(), {"perm": "admin.test_perm"})
         h.responseOk(r)
         assert not r.data["has_perm"]
+
+
+class TestUserPermissionList(ApiMixin):
+    view_name = "user-permissions-list"
+
+    def test_guest_cannot_get_user_permissions(self, client):
+        content_type = ContentType.objects.all().first()
+        perm = Permission.objects.filter(content_type_id=content_type).first()
+        user = UserFactory()
+        user.user_permissions.add(perm)
+        r = client.get(self.reverse(kwargs={"user_pk": user.pk}))
+        h.responseUnauthorized(r)
+
+    def test_user_without_perm_cannot_get_user_permissions(self, user_client):
+        content_type = ContentType.objects.all().first()
+        perm = Permission.objects.filter(content_type_id=content_type).first()
+        user = UserFactory()
+        user.user_permissions.add(perm)
+        r = user_client.get(self.reverse(kwargs={"user_pk": user.pk}))
+        h.responseBadRequest(r)
+        assert "You do not have permission to perform this action." == r.data["detail"]
+
+    def test_user_with_perm_can_get_user_permissions(self, user_client):
+        content_type = ContentType.objects.all().first()
+        perm = Permission.objects.filter(content_type_id=content_type).first()
+        user = UserFactory()
+        user.user_permissions.add(perm)
+        p = Permission.objects.get(codename="change_user")
+        p.content_type.app_label = "users"
+        p.content_type.save()
+        user_client.user.user_permissions.add(p)
+        user_client.user.refresh_from_db()
+        r = user_client.get(self.reverse(kwargs={"user_pk": user.pk}))
+        h.responseOk(r)
+
+    def test_user_with_perm_can_up_user_permissions(self, user_client):
+        content_type = ContentType.objects.all().first()
+        perm = Permission.objects.filter(content_type_id=content_type).first()
+        user = UserFactory()
+        user.user_permissions.add(perm)
+        p = Permission.objects.get(codename="change_user")
+        p.content_type.app_label = "users"
+        p.content_type.save()
+        user_client.user.user_permissions.add(p)
+        r = user_client.post(
+            self.reverse(kwargs={"user_pk": user.pk}), data={"codename": "delete_user"}
+        )
+        h.responseCreated(r)
+        assert user.user_permissions.count() == 2
+
+    def test_user_with_perm_can_set_user_permissions(self, user_client):
+        user = UserFactory()
+        p = Permission.objects.get(codename="change_user")
+        p.content_type.app_label = "users"
+        p.content_type.save()
+        user_client.user.user_permissions.add(p)
+        r = user_client.post(
+            self.reverse(kwargs={"user_pk": user.pk}),
+            data={"permissions": ["change_user", "delete_user"]},
+        )
+        h.responseCreated(r)
+        assert user.user_permissions.count() == 2
diff --git a/baseapp-auth/testproject/urls.py b/baseapp-auth/testproject/urls.py
@@ -3,7 +3,10 @@
 import baseapp_auth.rest_framework.urls.auth_mfa as auth_mfa_urls
 import baseapp_auth.rest_framework.urls.auth_mfa_jwt as auth_mfa_jwt_urls
 import baseapp_auth.rest_framework.urls.pre_auth as pre_auth_urls
-from baseapp_auth.rest_framework.routers.account import account_router
+from baseapp_auth.rest_framework.routers.account import (
+    account_router,
+    users_router_nested,
+)
 from baseapp_core.graphql import GraphQLView
 from django.contrib import admin
 from django.urls import include, re_path
@@ -14,6 +17,7 @@
 
 v1_urlpatterns = [
     re_path(r"", include(account_router.urls)),
+    re_path(r"", include(users_router_nested.urls)),
     re_path(r"auth/authtoken/", include(auth_authtoken_urls)),
     re_path(r"auth/jwt/", include(auth_jwt_urls)),
     re_path(r"auth/mfa/", include(auth_mfa_urls)),
diff --git a/baseapp-core/setup.cfg b/baseapp-core/setup.cfg
@@ -22,6 +22,7 @@ install_requires =
     swapper >= 1.3
     django-model-utils >= 4.3
     djangorestframework >= 3.14
+    drf-nested-routers >= 0.93.5
     djangorestframework-expander >= 0.2
     drf-extra-fields >= 3.5
     psycopg2-binary >= 2.9
diff --git a/baseapp-core/testproject/requirements.txt b/baseapp-core/testproject/requirements.txt
@@ -2,6 +2,7 @@
 -e ./baseapp-core
 
 djangorestframework-simplejwt[crypto]>=5.2.2
+drf-nested-routers==0.93.5
 
 # test
 freezegun==1.2.1
diff --git a/baseapp-e2e/baseapp_e2e/tests/integration/api/test_e2e_endpoints.py b/baseapp-e2e/baseapp_e2e/tests/integration/api/test_e2e_endpoints.py
@@ -42,7 +42,6 @@ def data(self):
     def test_load_data(self, data, client):
         assert User.objects.count() == 0
         r = client.post(self.endpoint_url, data=json.dumps(data), content_type="application/json")
-        print(r.data)
         h.responseOk(r)
 
         assert User.objects.count() == len(data["objects"])
