core/api.py

from django.core.exceptions import ObjectDoesNotExist
from tastypie import fields
from tastypie.authorization import DjangoAuthorization
from tastypie.constants import ALL, ALL_WITH_RELATIONS
from tastypie.exceptions import Unauthorized
from tastypie.resources import ModelResource
from django_images.models import Thumbnail

from .models import Pin, Image
from users.models import User


class PinryAuthorization(DjangoAuthorization):
    """
    Pinry-specific Authorization backend with object-level permission checking.
    """
    def update_detail(self, object_list, bundle):
        klass = self.base_checks(bundle.request, bundle.obj.__class__)

        if klass is False:
            raise Unauthorized("You are not allowed to access that resource.")

        permission = '%s.change_%s' % (klass._meta.app_label, klass._meta.model_name)

        if not bundle.request.user.has_perm(permission, bundle.obj):
            raise Unauthorized("You are not allowed to access that resource.")

        return True

    def delete_detail(self, object_list, bundle):
        klass = self.base_checks(bundle.request, bundle.obj.__class__)

        if klass is False:
            raise Unauthorized("You are not allowed to access that resource.")

        permission = '%s.delete_%s' % (klass._meta.app_label, klass._meta.model_name)

        if not bundle.request.user.has_perm(permission, bundle.obj):
            raise Unauthorized("You are not allowed to access that resource.")

        return True


class UserResource(ModelResource):
    gravatar = fields.CharField(readonly=True)

    def dehydrate_gravatar(self, bundle):
        return bundle.obj.gravatar

    class Meta:
        list_allowed_methods = ['get']
        filtering = {
            'username': ALL
        }
        queryset = User.objects.all()
        resource_name = 'user'
        fields = ['username']
        include_resource_uri = False


def filter_generator_for(size):
    def wrapped_func(bundle, **kwargs):
        if hasattr(bundle.obj, '_prefetched_objects_cache') and 'thumbnail' in bundle.obj._prefetched_objects_cache:
            for thumbnail in bundle.obj._prefetched_objects_cache['thumbnail']:
                if thumbnail.size == size:
                    return thumbnail
            raise ObjectDoesNotExist()
        else:
            return bundle.obj.get_by_size(size)
    return wrapped_func


class ThumbnailResource(ModelResource):
    class Meta:
        list_allowed_methods = ['get']
        fields = ['image', 'width', 'height']
        queryset = Thumbnail.objects.all()
        resource_name = 'thumbnail'
        include_resource_uri = False


class ImageResource(ModelResource):
    standard = fields.ToOneField(ThumbnailResource, full=True,
                                 attribute=lambda bundle: filter_generator_for('standard')(bundle))
    thumbnail = fields.ToOneField(ThumbnailResource, full=True,
                                  attribute=lambda bundle: filter_generator_for('thumbnail')(bundle))
    square = fields.ToOneField(ThumbnailResource, full=True,
                               attribute=lambda bundle: filter_generator_for('square')(bundle))

    class Meta:
        fields = ['image', 'width', 'height']
        include_resource_uri = False
        resource_name = 'image'
        queryset = Image.objects.all()
        authorization = DjangoAuthorization()


class PinResource(ModelResource):
    submitter = fields.ToOneField(UserResource, 'submitter', full=True)
    image = fields.ToOneField(ImageResource, 'image', full=True)
    tags = fields.ListField()

    def hydrate_image(self, bundle):
        url = bundle.data.get('url', None)
        if url:
            image = Image.objects.create_for_url(url)
            bundle.data['image'] = '/api/v1/image/{}/'.format(image.pk)
        return bundle

    def hydrate(self, bundle):
        """Run some early/generic processing

        Make sure that user is authorized to create Pins first, before
        we hydrate the Image resource, creating the Image object in process
        """
        submitter = bundle.data.get('submitter', None)
        if not submitter:
            bundle.data['submitter'] = '/api/v1/user/{}/'.format(bundle.request.user.pk)
        else:
            if not '/api/v1/user/{}/'.format(bundle.request.user.pk) == submitter:
                raise Unauthorized("You are not authorized to create Pins for other users")
        return bundle

    def dehydrate_tags(self, bundle):
        return map(str, bundle.obj.tags.all())

    def build_filters(self, filters=None):
        orm_filters = super(PinResource, self).build_filters(filters)
        if filters and 'tag' in filters:
            orm_filters['tags__name__in'] = filters['tag'].split(',')
        return orm_filters

    def save_m2m(self, bundle):
        tags = bundle.data.get('tags', None)
        if tags:
            bundle.obj.tags.set(*tags)
        return super(PinResource, self).save_m2m(bundle)

    class Meta:
        fields = ['id', 'url', 'origin', 'description']
        ordering = ['id']
        filtering = {
            'submitter': ALL_WITH_RELATIONS
        }
        queryset = Pin.objects.all().select_related('submitter', 'image'). \
            prefetch_related('image__thumbnail_set', 'tags')
        resource_name = 'pin'
        include_resource_uri = False
        always_return_data = True
        authorization = PinryAuthorization()
Loanding pins does no N+1 queries anymore This saves another three queries per pin, bringing to total query count down to 8. See issue #85 . 2015-03-23 02:22:35 +01:00			`from django.core.exceptions import ObjectDoesNotExist`
Now using tastypie for all our API needs. 2012-05-11 02:08:46 +00:00			`from tastypie import fields`
Removing unused vendor libs, custom tiling works, new design started 2013-02-21 06:26:06 +00:00			`from tastypie.authorization import DjangoAuthorization`
Allow filtering pins over submitter.username 2013-03-03 14:50:40 -08:00			`from tastypie.constants import ALL, ALL_WITH_RELATIONS`
Add a very simplistic Pin access control for the API As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend. 2013-03-02 17:00:58 -08:00			`from tastypie.exceptions import Unauthorized`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`from tastypie.resources import ModelResource`
			`from django_images.models import Thumbnail`
Started implementation of user auth. 2012-07-06 20:01:33 +00:00
A general project refactor Removed pins django app, and moved code to the core. Moved user related code out of core to the users app. 2013-03-03 04:47:34 -08:00			`from .models import Pin, Image`
Refactor apps to be in repo folder 2018-02-08 21:57:49 -05:00			`from users.models import User`
Now using tastypie for all our API needs. 2012-05-11 02:08:46 +00:00

Add a very simplistic Pin access control for the API As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend. 2013-03-02 17:00:58 -08:00			`class PinryAuthorization(DjangoAuthorization):`
			`"""`
			`Pinry-specific Authorization backend with object-level permission checking.`
			`"""`
			`def update_detail(self, object_list, bundle):`
			`klass = self.base_checks(bundle.request, bundle.obj.__class__)`

			`if klass is False:`
			`raise Unauthorized("You are not allowed to access that resource.")`

Fix bug in API now allowing delete or edit of pins 2016-02-04 01:34:19 +00:00			`permission = '%s.change_%s' % (klass._meta.app_label, klass._meta.model_name)`
Add a very simplistic Pin access control for the API As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend. 2013-03-02 17:00:58 -08:00
			`if not bundle.request.user.has_perm(permission, bundle.obj):`
			`raise Unauthorized("You are not allowed to access that resource.")`

			`return True`

			`def delete_detail(self, object_list, bundle):`
			`klass = self.base_checks(bundle.request, bundle.obj.__class__)`

			`if klass is False:`
			`raise Unauthorized("You are not allowed to access that resource.")`

Fix bug in API now allowing delete or edit of pins 2016-02-04 01:34:19 +00:00			`permission = '%s.delete_%s' % (klass._meta.app_label, klass._meta.model_name)`
Add a very simplistic Pin access control for the API As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend. 2013-03-02 17:00:58 -08:00
			`if not bundle.request.user.has_perm(permission, bundle.obj):`
			`raise Unauthorized("You are not allowed to access that resource.")`

			`return True`


Rewrite the display of recent pins without the use of third-party js libs 2013-02-20 07:59:45 +00:00			`class UserResource(ModelResource):`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`gravatar = fields.CharField(readonly=True)`
Expose a gravatar hash for account via the Rest API 2013-02-22 01:28:56 +01:00
			`def dehydrate_gravatar(self, bundle):`
			`return bundle.obj.gravatar`

Rewrite the display of recent pins without the use of third-party js libs 2013-02-20 07:59:45 +00:00			`class Meta:`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`list_allowed_methods = ['get']`
Allow filtering pins over submitter.username 2013-03-03 14:50:40 -08:00			`filtering = {`
			`'username': ALL`
			`}`
Rewrite the display of recent pins without the use of third-party js libs 2013-02-20 07:59:45 +00:00			`queryset = User.objects.all()`
			`resource_name = 'user'`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`fields = ['username']`
Rewrite the display of recent pins without the use of third-party js libs 2013-02-20 07:59:45 +00:00			`include_resource_uri = False`


A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`def filter_generator_for(size):`
			`def wrapped_func(bundle, **kwargs):`
Only use prefetched thumbnails if there are there The optimization broke image uploading, this fixes it again. 2015-03-23 03:30:13 +01:00			`if hasattr(bundle.obj, '_prefetched_objects_cache') and 'thumbnail' in bundle.obj._prefetched_objects_cache:`
			`for thumbnail in bundle.obj._prefetched_objects_cache['thumbnail']:`
			`if thumbnail.size == size:`
			`return thumbnail`
			`raise ObjectDoesNotExist()`
			`else:`
			`return bundle.obj.get_by_size(size)`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`return wrapped_func`

Add image dimensions to the API and the third image size There has been some refactoring going on in the pinry.pins.models module. The upload_to code has been refactored into its own function, images have been moved to their own models - otherwise the number of fields in the Pin model would skyrocket. Also ModelManagers have been written to move image fetching and generating outside of models. 2013-02-23 20:33:10 +01:00
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`class ThumbnailResource(ModelResource):`
Now using tastypie for all our API needs. 2012-05-11 02:08:46 +00:00			`class Meta:`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`list_allowed_methods = ['get']`
			`fields = ['image', 'width', 'height']`
			`queryset = Thumbnail.objects.all()`
			`resource_name = 'thumbnail'`
Now using tastypie for all our API needs. 2012-05-11 02:08:46 +00:00			`include_resource_uri = False`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00

			`class ImageResource(ModelResource):`
			`standard = fields.ToOneField(ThumbnailResource, full=True,`
			`attribute=lambda bundle: filter_generator_for('standard')(bundle))`
			`thumbnail = fields.ToOneField(ThumbnailResource, full=True,`
			`attribute=lambda bundle: filter_generator_for('thumbnail')(bundle))`
Add a small (125x125px) square thumbnail This is going to be used by a "similar images" feature #74 2013-03-02 11:55:02 -08:00			`square = fields.ToOneField(ThumbnailResource, full=True,`
			`attribute=lambda bundle: filter_generator_for('square')(bundle))`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00
			`class Meta:`
			`fields = ['image', 'width', 'height']`
			`include_resource_uri = False`
			`resource_name = 'image'`
			`queryset = Image.objects.all()`
Removing unused vendor libs, custom tiling works, new design started 2013-02-21 06:26:06 +00:00			`authorization = DjangoAuthorization()`
Now using tastypie for all our API needs. 2012-05-11 02:08:46 +00:00
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00
			`class PinResource(ModelResource):`
			`submitter = fields.ToOneField(UserResource, 'submitter', full=True)`
			`image = fields.ToOneField(ImageResource, 'image', full=True)`
			`tags = fields.ListField()`

			`def hydrate_image(self, bundle):`
			`url = bundle.data.get('url', None)`
			`if url:`
			`image = Image.objects.create_for_url(url)`
			`bundle.data['image'] = '/api/v1/image/{}/'.format(image.pk)`
			`return bundle`

Make sure that users can't impersonate each other when creating pins We weren't checking if the Pin submitter is the logged user which made it possible to pass any submitter to the Pin resource create call. Fix it, and make the submitter optional. 2013-04-05 19:34:31 +02:00			`def hydrate(self, bundle):`
			`"""Run some early/generic processing`

			`Make sure that user is authorized to create Pins first, before`
			`we hydrate the Image resource, creating the Image object in process`
			`"""`
			`submitter = bundle.data.get('submitter', None)`
			`if not submitter:`
			`bundle.data['submitter'] = '/api/v1/user/{}/'.format(bundle.request.user.pk)`
			`else:`
			`if not '/api/v1/user/{}/'.format(bundle.request.user.pk) == submitter:`
			`raise Unauthorized("You are not authorized to create Pins for other users")`
			`return bundle`

A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`def dehydrate_tags(self, bundle):`
			`return map(str, bundle.obj.tags.all())`

Taggit implemented. 2012-09-28 04:42:13 +00:00			`def build_filters(self, filters=None):`
			`orm_filters = super(PinResource, self).build_filters(filters)`
Clean-up PinResource.build_filters method 2013-03-03 09:11:26 -08:00			`if filters and 'tag' in filters:`
Taggit implemented. 2012-09-28 04:42:13 +00:00			`orm_filters['tags__name__in'] = filters['tag'].split(',')`
			`return orm_filters`

			`def save_m2m(self, bundle):`
In PinResource.save_m2m do nothing when no tags 2013-03-03 06:20:50 -08:00			`tags = bundle.data.get('tags', None)`
			`if tags:`
			`bundle.obj.tags.set(*tags)`
Taggit implemented. 2012-09-28 04:42:13 +00:00			`return super(PinResource, self).save_m2m(bundle)`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00
			`class Meta:`
Add "origin" field to the Pin model "origin" is an optional field that stores the URI for the site that the image has been saved from, it's going to be used only from bookmarklet. Fixes #63 2013-03-03 08:24:26 -08:00			`fields = ['id', 'url', 'origin', 'description']`
Make PinResource orderable by id Update JavaScript so it orders pins, Fixes #69 2013-02-26 01:21:57 -08:00			`ordering = ['id']`
Allow filtering pins over submitter.username 2013-03-03 14:50:40 -08:00			`filtering = {`
			`'submitter': ALL_WITH_RELATIONS`
			`}`
image can be loaded with a join as well (saves another query) 2015-03-23 02:30:54 +01:00			`queryset = Pin.objects.all().select_related('submitter', 'image'). \`
Loanding pins does no N+1 queries anymore This saves another three queries per pin, bringing to total query count down to 8. See issue #85 . 2015-03-23 02:22:35 +01:00			`prefetch_related('image__thumbnail_set', 'tags')`
A major RESTful API rewrite Rewritten API to handle creating pins for both urls and previously-uploaded images. Added some tests for it. 2013-02-25 15:10:15 -08:00			`resource_name = 'pin'`
			`include_resource_uri = False`
In the API, return Pin resource upon creation Fixes #68 2013-02-26 02:10:08 -08:00			`always_return_data = True`
Add a very simplistic Pin access control for the API As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend. 2013-03-02 17:00:58 -08:00			`authorization = PinryAuthorization()`