users.py 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
  1. from django.contrib.auth import get_user_model
  2. from django.core.exceptions import PermissionDenied
  3. from django.shortcuts import get_object_or_404
  4. from django.utils.translation import ugettext as _
  5. from rest_framework import status, viewsets
  6. from rest_framework.decorators import detail_route
  7. from rest_framework.parsers import JSONParser, MultiPartParser
  8. from rest_framework.response import Response
  9. from misago.acl import add_acl
  10. from misago.users.rest_permissions import (BasePermission,
  11. IsAuthenticatedOrReadOnly, UnbannedAnonOnly)
  12. from misago.users.forms.options import ForumOptionsForm
  13. from misago.users.serializers import UserSerializer, UserProfileSerializer
  14. from misago.users.api.userendpoints.avatar import avatar_endpoint
  15. from misago.users.api.userendpoints.create import create_endpoint
  16. from misago.users.api.userendpoints.signature import signature_endpoint
  17. from misago.users.api.userendpoints.username import username_endpoint
  18. from misago.users.api.userendpoints.changeemail import change_email_endpoint
  19. from misago.users.api.userendpoints.changepassword import change_password_endpoint
  20. class UserViewSetPermission(BasePermission):
  21. def has_permission(self, request, view):
  22. if view.action == 'create':
  23. policy = UnbannedAnonOnly()
  24. else:
  25. policy = IsAuthenticatedOrReadOnly()
  26. return policy.has_permission(request, view)
  27. def allow_self_only(user, pk, message):
  28. if user.is_anonymous():
  29. raise PermissionDenied(
  30. _("You have to sign in to perform this action."))
  31. if user.pk != int(pk):
  32. raise PermissionDenied(message)
  33. class UserViewSet(viewsets.GenericViewSet):
  34. permission_classes = (UserViewSetPermission,)
  35. parser_classes=(JSONParser, MultiPartParser)
  36. serializer_class = UserSerializer
  37. queryset = get_user_model().objects
  38. def get_queryset(self):
  39. relations = ('rank', 'online_tracker', 'ban_cache')
  40. return self.queryset.select_related(*relations)
  41. def list(self, request):
  42. pass
  43. def retrieve(self, request, pk=None):
  44. qs = self.get_queryset()
  45. profile = get_object_or_404(self.get_queryset(), id=pk)
  46. add_acl(request.user, profile)
  47. serializer = UserProfileSerializer(
  48. profile, context={'user': request.user})
  49. return Response(serializer.data)
  50. def create(self, request):
  51. return create_endpoint(request)
  52. @detail_route(methods=['get', 'post'])
  53. def avatar(self, request, pk=None):
  54. allow_self_only(
  55. request.user, pk, _("You can't change other users avatars."))
  56. return avatar_endpoint(request)
  57. @detail_route(methods=['post'])
  58. def forum_options(self, request, pk=None):
  59. allow_self_only(
  60. request.user, pk, _("You can't change other users options."))
  61. form = ForumOptionsForm(request.data, instance=request.user)
  62. if form.is_valid():
  63. form.save()
  64. return Response({
  65. 'detail': _("Your forum options have been changed.")
  66. })
  67. else:
  68. return Response(form.errors, status=status.HTTP_400_BAD_REQUEST)
  69. @detail_route(methods=['get', 'post'])
  70. def username(self, request, pk=None):
  71. allow_self_only(
  72. request.user, pk, _("You can't change other users names."))
  73. return username_endpoint(request)
  74. @detail_route(methods=['get', 'post'])
  75. def signature(self, request, pk=None):
  76. allow_self_only(
  77. request.user, pk, _("You can't change other users signatures."))
  78. return signature_endpoint(request)
  79. @detail_route(methods=['post'])
  80. def change_password(self, request, pk=None):
  81. allow_self_only(
  82. request.user, pk, _("You can't change other users passwords."))
  83. return change_password_endpoint(request)
  84. @detail_route(methods=['post'])
  85. def change_email(self, request, pk=None):
  86. allow_self_only(request.user, pk,
  87. _("You can't change other users e-mail addresses."))
  88. return change_email_endpoint(request)