permissions

Website/api/migrations/0001_initial.py

@@ -1,4 +1,4 @@
-# Generated by Django 3.0.7 on 2020-06-12 23:18
+# Generated by Django 3.0.7 on 2020-06-13 18:15
 
 from django.conf import settings
 from django.db import migrations, models

Website/api/permissions.py

@@ -13,7 +13,7 @@ class IsOwnerOrReadOnly(permissions.BasePermission):
             return True
 
         # Write permissions are only allowed to the owner of the snippet.
-        return obj.owner == request.user
+        return obj.owner == request.user or request.user.is_superuser
 
 class isTeacher(permissions.BasePermission):
     #only teachers can make classes and assignmenst
@@ -22,4 +22,4 @@ class isTeacher(permissions.BasePermission):
             return True
 
         # Write permissions are only allowed to the owner of the snippet.
-        return obj.user.groups.filter(name__in=['teachers']).exists()
+        return request.user.groups.filter(name__in=['teachers']).exists() or request.user.is_superuser

Website/api/serializers.py

@@ -2,15 +2,15 @@ from django.contrib.auth.models import User, Group
 from .models import Student, Teacher, Classes, Assignment, DefFiles
 from rest_framework import serializers, permissions
 from django.contrib.auth.models import User
+from .permissions import IsOwnerOrReadOnly,isTeacher
 
 class UserSerializer(serializers.HyperlinkedModelSerializer):
     students = serializers.PrimaryKeyRelatedField(many=True, queryset=Student.objects.all())
-    owner = serializers.ReadOnlyField(source='owner.username')
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
+    teachers = serializers.PrimaryKeyRelatedField(many=True, queryset=Teacher.objects.all())
 
     class Meta:
         model = User
-        fields = ['id', 'username', 'students']
+        fields = ['id', 'username', 'students','teachers']
 
 # class DefFilesSerializer(serializers.HyperlinkedModelSerializer):
 #     class Meta:
@@ -20,37 +20,36 @@ class UserSerializer(serializers.HyperlinkedModelSerializer):
 class AssignmentSerializer(serializers.HyperlinkedModelSerializer):
     #permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
     # files = DefFilesSerializer(many=True, read_only=True,allow_null=True)
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
     owner = serializers.ReadOnlyField(source='owner.username')
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 
     class Meta:
         model = Assignment
-        fields = ['url','name', 'due_date', 'path' , "classes","teacher",'owner']
+        # fields = ['url','name', 'due_date', 'path' , "classes","teacher",'owner']
+        fields = ['name', 'due_date', 'path' , "classes","teacher",'owner']
 
 class ClassesSerializer(serializers.HyperlinkedModelSerializer):
     # assignments = AssignmentSerializer(many=True, read_only=True,allow_null=True)
     # default_file=DefFilesSerializer(many=True, read_only=True,allow_null=True)
     owner = serializers.ReadOnlyField(source='owner.username')
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
     class Meta:
         model = Classes
-        fields = ['url', 'name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
+        # fields = ['url','name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
+        fields = ['name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
 
 class StudentSerializer(serializers.HyperlinkedModelSerializer):
     # classes = ClassesSerializer(many=True, read_only=True,allow_null=True)
     owner = serializers.ReadOnlyField(source='owner.username')
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
     class Meta:
         model = Student
-        fields = ['url', 'first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
+        # fields = ['url','first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
+        fields = ['first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
 
 class TeacherSerializer(serializers.ModelSerializer):
     # classes = ClassesSerializer(many=True, read_only=True,allow_null=True)
     owner = serializers.ReadOnlyField(source='owner.username')
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
     class Meta:
         model = Teacher
-        fields = ['url', 'first_name', 'last_name','git','ion_user', 'email','classes','owner']
+        # fields = ['url','first_name', 'last_name','git','ion_user', 'email','classes','owner']
+        fields = ['first_name', 'last_name','git','ion_user', 'email','classes','owner']
 
 

Website/api/urls.py

@@ -0,0 +1,16 @@
+from django.urls import path
+from rest_framework.urlpatterns import format_suffix_patterns
+from . import views
+
+urlpatterns = [
+    path('students/', views.StudentList.as_view()),
+    path('students/<str:pk>/', views.StudentDetail.as_view()),
+    path('teachers/', views.TeacherList.as_view()),
+    path('teachers/<str:pk>/', views.TeacherDetail.as_view()),
+    path('assignments/', views.AssignmentList.as_view()),
+    path('assignments/<str:pk>/', views.AssignmentDetail.as_view()),
+    path('classes/', views.ClassesList.as_view()),
+    path('classes/<str:pk>/', views.ClassesDetail.as_view()),
+]
+
+urlpatterns = format_suffix_patterns(urlpatterns)

Website/api/views-back.py

@@ -1,131 +1,89 @@
-# class StudentList(APIView):
-#     """
-#     List all snippets, or create a new snippet.
-#     """
-#     def get(self, request, format=None):
-#         snippets = Student.objects.all()
-#         serializer = StudentSerializer(snippets, many=True)
-#         return response.Response(serializer.data)
+from .models import Student, Teacher, Classes, Assignment, DefFiles
+from .serializers import StudentSerializer, TeacherSerializer, ClassesSerializer, AssignmentSerializer, UserSerializer
+from rest_framework import generics, viewsets, permissions, response, status
+from django.http import Http404
+from rest_framework.views import APIView
+from django.contrib.auth.models import User
+from .permissions import isTeacher, IsOwnerOrReadOnly
+from django.shortcuts import render, redirect
+from rest_framework.parsers import JSONParser 
+from django.http.response import JsonResponse
+from rest_framework.response import Response
+from rest_framework import mixins
 
-#     def post(self, request, format=None):
-#         serializer = StudentSerializer(data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-# class StudentDetail(APIView):
-#     """
-#     Retrieve, update or delete a snippet instance.
-#     """
-#     def get_object(self, pk):
-#         try:
-#             return Student.objects.get(pk=pk)
-#         except Student.DoesNotExist:
-#             raise Http404
+class StudentList(generics.ListCreateAPIView):
+    queryset = Student.objects.all()
+    serializer_class = StudentSerializer
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user)
 
-#     def get(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = StudentSerializer(snippet)
-#         return response.Response(serializer.data)
+class StudentDetail(generics.RetrieveAPIView):
+    queryset = Student.objects.all()
+    serializer_class = StudentSerializer
+    permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
 
-#     def put(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = StudentSerializer(snippet, data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+class TeacherList(generics.ListCreateAPIView):
+    queryset = Teacher.objects.all()
+    serializer_class = TeacherSerializer
+    def perform_create(self, serializer):
+        if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+            serializer.save(owner=self.request.user)
+        else:
+            print("UNAUTHORIZED POST")
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-#     def delete(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         snippet.delete()
-#         return response.Response(status=status.HTTP_204_NO_CONTENT)
+class TeacherDetail(generics.RetrieveAPIView):
+    queryset = Teacher.objects.all()
+    serializer_class = TeacherSerializer
+    permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
 
-# class TeacherList(APIView):
-#     """
-#     List all snippets, or create a new snippet.
-#     """
-#     def get(self, request, format=None):
-#         snippets = Teacher.objects.all()
-#         serializer = TeacherSerializer(snippets, many=True)
-#         return response.Response(serializer.data)
     
-#     def post(self, request, format=None):
-#         serializer = TeacherSerializer(data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+class ClassesList(generics.ListCreateAPIView):
+    queryset = Classes.objects.all()
+    serializer_class = ClassesSerializer
+    #permissions_classes = [isTeacher]
+    def perform_create(self, serializer):
+        if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+            serializer.save(owner=self.request.user)
+        else:
+            print("UNAUTHORIZED POST")
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-# class TeacherDetail(APIView):
-#     """
-#     Retrieve, update or delete a snippet instance.
-#     """
-#     def get_object(self, pk):
-#         try:
-#             return Teacher.objects.get(pk=pk)
-#         except Teacher.DoesNotExist:
-#             raise Http404
+# class ClassesDetail(generics.RetrieveAPIView):
+#     queryset = Classes.objects.all()
+#     serializer_class = ClassesSerializer
+#     # permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
 
-#     def get(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = TeacherSerializer(snippet)
-#         return response.Response(serializer.data)
+class ClassesDetail(mixins.RetrieveModelMixin,
+                    mixins.UpdateModelMixin,
+                    mixins.DestroyModelMixin,
+                    generics.GenericAPIView):
+    queryset = Classes.objects.all()
+    serializer_class = ClassesSerializer
 
-#     def put(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = TeacherSerializer(snippet, data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+    def get(self, request, *args, **kwargs):
+        return self.retrieve(request, *args, **kwargs)
 
-#     def delete(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         snippet.delete()
-#         return response.Response(status=status.HTTP_204_NO_CONTENT)
+    def put(self, request, *args, **kwargs):
+        print(self.owner)
+        if(request.user == self.owner):
+            return self.update(request, *args, **kwargs)
 
-# class ClassesList(APIView):
-#     """
-#     List all snippets, or create a new snippet.
-#     """
-#     def get(self, request, format=None):
-#         snippets = Classes.objects.all()
-#         serializer = ClassesSerializer(snippets, many=True)
-#         return response.Response(serializer.data)
+    def delete(self, request, *args, **kwargs):
+        return self.destroy(request, *args, **kwargs)
 
-#     def post(self, request, format=None):
-#         serializer = ClassesSerializer(data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+class AssignmentList(generics.ListCreateAPIView):
+    queryset = Assignment.objects.all()
+    serializer_class = AssignmentSerializer
+    def perform_create(self, serializer):
+        if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+            serializer.save(owner=self.request.user)
+        else:
+            print("UNAUTHORIZED POST")
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-# class ClassesDetail(APIView):
-#     """
-#     Retrieve, update or delete a snippet instance.
-#     """
-#     def get_object(self, pk):
-#         try:
-#             return Classes.objects.get(pk=pk)
-#         except Classes.DoesNotExist:
-#             raise Http404
-
-#     def get(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = ClassesSerializer(snippet)
-#         return response.Response(serializer.data)
-
-#     def put(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         serializer = ClassesSerializer(snippet, data=request.data)
-#         if serializer.is_valid():
-#             serializer.save()
-#             return response.Response(serializer.data)
-#         return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
-#     def delete(self, request, pk, format=None):
-#         snippet = self.get_object(pk)
-#         snippet.delete()
-#         return response.Response(status=status.HTTP_204_NO_CONTENT)
+class AssignmentDetail(generics.RetrieveAPIView):
+    queryset = Assignment.objects.all()
+    serializer_class = AssignmentSerializer
+    permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]

Website/api/views.py

@@ -4,10 +4,17 @@ from rest_framework import generics, viewsets, permissions, response, status
 from django.http import Http404
 from rest_framework.views import APIView
 from django.contrib.auth.models import User
+from .permissions import isTeacher, IsOwnerOrReadOnly
+from django.shortcuts import render, redirect
+from rest_framework.parsers import JSONParser 
+from rest_framework.response import Response
+
+
 
 class UserViewSet(viewsets.ModelViewSet):
     queryset = User.objects.all()
     serializer_class = UserSerializer
+    permission_classes = [permissions.IsAuthenticated]
 
 
 class StudentViewSet(viewsets.ModelViewSet):
@@ -16,8 +23,10 @@ class StudentViewSet(viewsets.ModelViewSet):
     """
     queryset = Student.objects.all()
     serializer_class = StudentSerializer
-    permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
 
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user)
 
 class TeacherViewSet(viewsets.ModelViewSet):
     """
@@ -25,8 +34,10 @@ class TeacherViewSet(viewsets.ModelViewSet):
     """
     queryset = Teacher.objects.all()
     serializer_class = TeacherSerializer
-    permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
 
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user)
 
 class ClassesViewSet(viewsets.ModelViewSet):
     """
@@ -34,7 +45,14 @@ class ClassesViewSet(viewsets.ModelViewSet):
     """
     queryset = Classes.objects.all()
     serializer_class = ClassesSerializer
-    permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
+
+    def perform_create(self, serializer):
+        if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+            serializer.save(owner=self.request.user)
+        else:
+            print("UNAUTHORIZED POST")
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
 
 class AssignmentViewSet(viewsets.ModelViewSet):
@@ -43,7 +61,14 @@ class AssignmentViewSet(viewsets.ModelViewSet):
     """
     queryset = Assignment.objects.all()
     serializer_class = AssignmentSerializer
-    permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsAuthenticated, isTeacher, IsOwnerOrReadOnly]
+
+    def perform_create(self, serializer):
+        if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+            serializer.save(owner=self.request.user)
+        else:
+            print("UNAUTHORIZED POST")
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
 # class DefFilesViewSet(viewsets.ModelViewSet):
 #     """

Website/skoolos/urls.py

@@ -1,6 +1,7 @@
 from django.urls import path
 from rest_framework import routers
 from api import views as api_views
+from users import views as user_views
 from django.contrib import admin
 from django.conf.urls import include
 from django.contrib.auth import views as auth_views
@@ -16,6 +17,7 @@ router.register(r'users', api_views.UserViewSet)
 # Wire up our API using automatic URL routing.
 # Additionally, we include login URLs for the browsable API.
 urlpatterns = [
+    # path('api/', include('api.urls')),
     path('api/', include(router.urls)),
     path('api-auth/', include('rest_framework.urls')),
     path('admin/', admin.site.urls),