"""
AuthUser views
~~~~~~~~~~~~~~
"""
from pluto.views import (
InvalidDataError,
client_data_schema,
)
from pluto.modules.auth.models import (
AuthUser,
)
from .schemas import (
Create,
Update,
)
@client_data_schema(schema=Create)
def create(request):
    """Create an ``AuthUser`` from the validated request body.

    Authorisation is checked twice: once against the ``AuthUser`` class
    (may the caller create users at all?) and once against the populated
    instance (may the caller create *this* user?).  Either failure answers
    403 without touching the database.

    On success the new row is committed, the response status is 201 and
    ``Location`` points at the ``auth.user.read`` route for the new id.

    Returns the new ``AuthUser`` (serialised by the ``json`` renderer) or
    a ``{'message': ...}`` dict for the error cases.
    """
    def forbidden():
        request.response.status = 403
        return {'message': 'Forbidden'}

    payload = request.validated_data
    if not request.has_permission('create', AuthUser):
        return forbidden()
    # NOTE(review): every key of the validated payload is passed to the
    # constructor; the Create schema is assumed to whitelist the fields
    # that may be set this way — confirm in .schemas.
    new_user = AuthUser(**payload)
    if not request.has_permission('create', new_user):
        return forbidden()
    session = request.db_session
    session.add(new_user)
    # TODO: Try/except because of unique username constraint.
    # Unique constraints should not be tested for in code
    session.commit()
    request.response.status = 201
    request.response.location = request.route_url(
        'auth.user.read', id=new_user.id)
    return new_user
def read(request):
    """Return the ``AuthUser`` named by the ``id`` route segment.

    Answers 404 when no such row exists and 403 when the caller lacks the
    ``read`` permission on that specific user; otherwise the user object
    itself is returned for the ``json`` renderer.

    NOTE(review): unlike update() and delete() there is no class-level
    ``has_permission('read', AuthUser)`` check before the lookup, so the
    404-versus-403 split tells any caller whether a given id exists.  A
    class-level check first, as update() does, would close that.
    """
    user_id = int(request.matchdict['id'])
    found = request.db_session.query(AuthUser).get(user_id)
    if not found:
        request.response.status = 404
        return {'message': 'NotFound'}
    if request.has_permission('read', found):
        return found
    request.response.status = 403
    return {'message': 'Forbidden'}
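@client_data_schema(schema=Update)
def update(request):
    """Apply the validated request body to an existing ``AuthUser``.

    Permission is checked three times, in this order:

    1. ``update`` on the ``AuthUser`` class, *before* the lookup, so a
       caller without the basic permission gets 403 for every id and
       cannot use 404-versus-403 to discover which ids exist;
    2. ``update`` on the stored user, before anything is changed;
    3. ``update`` on the user *after* the new data is applied, so a
       caller cannot edit a user into a state they may not touch.

    If the third check fails the pending attribute changes are rolled back
    before answering 403, so a later flush or commit on the same session
    cannot write them.

    Returns the updated user (status 201, ``Location`` set to its read
    URL) or a ``{'message': ...}`` dict for the 403/404 cases.
    """
    def forbidden():
        request.response.status = 403
        return {'message': 'Forbidden'}

    if not request.has_permission('update', AuthUser):
        return forbidden()
    sess = request.db_session
    user = sess.query(AuthUser).get(int(request.matchdict['id']))
    if not user:
        request.response.status = 404
        return {'message': 'NotFound'}
    if not request.has_permission('update', user):
        return forbidden()
    user.fromdict(request.validated_data)
    if not request.has_permission('update', user):
        # The in-memory object now carries changes we must not persist;
        # discard them instead of leaving them dirty in the session.
        sess.rollback()
        return forbidden()
    sess.add(user)
    sess.commit()
    # NOTE(review): 201 is kept because the original answered it; 200 is
    # the conventional status for a successful PUT of an existing resource.
    request.response.status = 201
    request.response.location = request.route_url('auth.user.read', id=user.id)
    return user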
def delete(request):
    """Delete the ``AuthUser`` named by the ``id`` route segment.

    The ``delete`` permission is checked on the ``AuthUser`` class first
    (403 before any lookup, so an unauthorised caller learns nothing about
    which ids exist) and then on the specific user once loaded.  A missing
    row answers 404.  On success the row is deleted and committed and
    ``{'message': 'Ok'}`` is returned with status 200.
    """
    def respond(status, message):
        request.response.status = status
        return {'message': message}

    if not request.has_permission('delete', AuthUser):
        return respond(403, 'Forbidden')
    session = request.db_session
    target = session.query(AuthUser).get(int(request.matchdict['id']))
    if not target:
        return respond(404, 'NotFound')
    if not request.has_permission('delete', target):
        return respond(403, 'Forbidden')
    session.delete(target)
    session.commit()
    return respond(200, 'Ok')
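def includeme(config):
    """Register the AuthUser CRUD views and routes on *config*.

    Every view uses the ``json`` renderer and only accepts
    ``application/json`` bodies; every route is additionally restricted to
    its HTTP method.  For each endpoint the view is added before its
    route, matching the original registration order.

    Args:
        config: the Pyramid ``Configurator`` handed over by
            ``config.include``.
    """
    # Raw string so the ``\d`` regex escape is kept verbatim; a plain
    # '\d' in a normal string is an invalid-escape warning on 3.12+.
    by_id = r'/{id:\d+}'
    endpoints = (
        # (route name, HTTP method, view callable, URL pattern)
        ('auth.user.create', 'POST', create, '/'),
        ('auth.user.read', 'GET', read, by_id),
        ('auth.user.update', 'PUT', update, by_id),
        ('auth.user.delete', 'DELETE', delete, by_id),
    )
    for route_name, method, view, pattern in endpoints:
        config.add_view(view=view,
                        route_name=route_name,
                        request_method=method,
                        renderer='json',
                        content_type='application/json')
        config.add_route(route_name,
                         request_method=method,
                         pattern=pattern)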