diff --git a/Website/api/migrations/0001_initial.py b/Website/api/migrations/0001_initial.py
index 4d13567..37f2d7e 100644
--- a/Website/api/migrations/0001_initial.py
+++ b/Website/api/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.7 on 2020-06-12 23:18
+# Generated by Django 3.0.7 on 2020-06-13 18:15
 from django.conf import settings
 from django.db import migrations, models
diff --git a/Website/api/permissions.py b/Website/api/permissions.py
index 6aab8bf..2d64429 100644
--- a/Website/api/permissions.py
+++ b/Website/api/permissions.py
@@ -13,7 +13,7 @@ class IsOwnerOrReadOnly(permissions.BasePermission):
 return True
 # Write permissions are only allowed to the owner of the snippet.
- return obj.owner == request.user
+ return obj.owner == request.user or request.user.is_superuser
 class isTeacher(permissions.BasePermission):
 #only teachers can make classes and assignmenst
@@ -22,4 +22,4 @@ class isTeacher(permissions.BasePermission):
 return True
 # Write permissions are only allowed to the owner of the snippet.
- return obj.user.groups.filter(name__in=['teachers']).exists()
+ return request.user.groups.filter(name__in=['teachers']).exists() or request.user.is_superuser
diff --git a/Website/api/serializers.py b/Website/api/serializers.py
index 97a9383..2b4bb54 100644
--- a/Website/api/serializers.py
+++ b/Website/api/serializers.py
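Review bot: The group test in the second permissions.py hunk still lives only in the object-level hook (it returns True for safe methods and otherwise inspects a per-object write, mirroring IsOwnerOrReadOnly above), and DRF never calls `has_object_permission` for a POST to a list endpoint, so `isTeacher` on its own does not stop a non-teacher from creating a class or assignment — which is presumably why every view in this commit repeats the same `groups.filter(name__in=['teachers'])` check inside `perform_create`. Add a `has_permission(self, request, view)` to `isTeacher` that allows `SAFE_METHODS` and otherwise returns `request.user.groups.filter(name__in=['teachers']).exists() or request.user.is_superuser`, so the rule is enforced once, at request level. The method's `def` line is outside the hunk, so the exact hook being edited is inferred from the hunk header and its body.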
@@ -2,15 +2,15 @@ from django.contrib.auth.models import User, Group
 from .models import Student, Teacher, Classes, Assignment, DefFiles
 from rest_framework import serializers, permissions
 from django.contrib.auth.models import User
+from .permissions import IsOwnerOrReadOnly,isTeacher
 class UserSerializer(serializers.HyperlinkedModelSerializer):
 students = serializers.PrimaryKeyRelatedField(many=True, queryset=Student.objects.all())
- owner = serializers.ReadOnlyField(source='owner.username')
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
+ teachers = serializers.PrimaryKeyRelatedField(many=True, queryset=Teacher.objects.all())
 class Meta:
 model = User
- fields = ['id', 'username', 'students']
+ fields = ['id', 'username', 'students','teachers']
 # class DefFilesSerializer(serializers.HyperlinkedModelSerializer):
 # class Meta:
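Review bot: The new `teachers` field (like the existing `students`) is a `PrimaryKeyRelatedField` declared with a `queryset`, which makes it writable, so through UserViewSet — which this same commit guards with `IsAuthenticated` only — any logged-in account can PUT/PATCH a User and reattach arbitrary Student or Teacher rows to itself or to someone else. Unless reassigning profiles is an intended admin operation, declare both as read-only, e.g. `teachers = serializers.PrimaryKeyRelatedField(many=True, read_only=True)` and the same for `students`. The `IsOwnerOrReadOnly, isTeacher` import added at the top of the hunk is not used anywhere in the visible serializers and looks like a leftover.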
@@ -20,37 +20,36 @@ class UserSerializer(serializers.HyperlinkedModelSerializer):
 class AssignmentSerializer(serializers.HyperlinkedModelSerializer):
 #permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
 # files = DefFilesSerializer(many=True, read_only=True,allow_null=True)
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 owner = serializers.ReadOnlyField(source='owner.username')
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 class Meta:
 model = Assignment
- fields = ['url','name', 'due_date', 'path' , "classes","teacher",'owner']
+ # fields = ['url','name', 'due_date', 'path' , "classes","teacher",'owner']
+ fields = ['name', 'due_date', 'path' , "classes","teacher",'owner']
 class ClassesSerializer(serializers.HyperlinkedModelSerializer):
 # assignments = AssignmentSerializer(many=True, read_only=True,allow_null=True)
 # default_file=DefFilesSerializer(many=True, read_only=True,allow_null=True)
 owner = serializers.ReadOnlyField(source='owner.username')
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 class Meta:
 model = Classes
- fields = ['url', 'name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
+ # fields = ['url','name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
+ fields = ['name', 'repo','path', "teacher",'assignments',"default_file", 'confirmed', 'unconfirmed','owner']
 class StudentSerializer(serializers.HyperlinkedModelSerializer):
 # classes = ClassesSerializer(many=True, read_only=True,allow_null=True)
 owner = serializers.ReadOnlyField(source='owner.username')
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 class Meta:
 model = Student
- fields = ['url', 'first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
+ # fields = ['url','first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
+ fields = ['first_name', 'last_name', 'grade','email','student_id', 'git','ion_user','classes','added_to','completed', 'repo','owner']
 class TeacherSerializer(serializers.ModelSerializer):
 # classes = ClassesSerializer(many=True, read_only=True,allow_null=True)
 owner = serializers.ReadOnlyField(source='owner.username')
- permission_classes = [permissions.IsAuthenticatedOrReadOnly]
 class Meta:
 model = Teacher
- fields = ['url', 'first_name', 'last_name','git','ion_user', 'email','classes','owner']
+ # fields = ['url','first_name', 'last_name','git','ion_user', 'email','classes','owner']
+ fields = ['first_name', 'last_name','git','ion_user', 'email','classes','owner']
diff --git a/Website/api/urls.py b/Website/api/urls.py
index e69de29..f130d15 100644
--- a/Website/api/urls.py
+++ b/Website/api/urls.py
@@ -0,0 +1,16 @@
+from django.urls import path
+from rest_framework.urlpatterns import format_suffix_patterns
+from . import views
+
+urlpatterns = [
+ path('students/', views.StudentList.as_view()),
+ path('students//', views.StudentDetail.as_view()),
+ path('teachers/', views.TeacherList.as_view()),
+ path('teachers//', views.TeacherDetail.as_view()),
+ path('assignments/', views.AssignmentList.as_view()),
+ path('assignments//', views.AssignmentDetail.as_view()),
+ path('classes/', views.ClassesList.as_view()),
+ path('classes//', views.ClassesDetail.as_view()),
+]
+
+urlpatterns = format_suffix_patterns(urlpatterns)
\ No newline at end of file
diff --git a/Website/api/views-back.py b/Website/api/views-back.py
index 5c936f9..011d81a 100644
--- a/Website/api/views-back.py
+++ b/Website/api/views-back.py
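Review bot: Every `fields` change in this serializers.py hunk keeps the previous list as a commented-out `# fields = [...]` line directly above the new one; that is version-control history, not documentation, and the four commented copies should be deleted. With `'url'` dropped from each list, AssignmentSerializer, ClassesSerializer and StudentSerializer no longer gain anything from `HyperlinkedModelSerializer` and can become `serializers.ModelSerializer` like TeacherSerializer already is, which also stops DRF from turning `teacher`/`classes` relations into hyperlinked fields that need matching `*-detail` route names. Note that the relation fields (`teacher`, `classes`, `assignments`) remain writable for any caller allowed to create these objects now that `owner` is the only read-only field — fine if intended, but worth confirming.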
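Review bot: As printed, the detail routes in the new urls.py read `path('students//', views.StudentDetail.as_view())` and likewise for teachers, assignments and classes, with no path converter, so the generic Detail views would never receive the `pk` kwarg that their `get_object()` looks up. If the page rendering swallowed an angle-bracket converter this is moot; otherwise each should be `path('students/<int:pk>/', views.StudentDetail.as_view()),` (and the same for the other three).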
@@ -1,131 +1,89 @@
-# class StudentList(APIView):
-# """
-# List all snippets, or create a new snippet.
-# """
-# def get(self, request, format=None):
-# snippets = Student.objects.all()
-# serializer = StudentSerializer(snippets, many=True)
-# return response.Response(serializer.data)
+from .models import Student, Teacher, Classes, Assignment, DefFiles
+from .serializers import StudentSerializer, TeacherSerializer, ClassesSerializer, AssignmentSerializer, UserSerializer
+from rest_framework import generics, viewsets, permissions, response, status
+from django.http import Http404
+from rest_framework.views import APIView
+from django.contrib.auth.models import User
+from .permissions import isTeacher, IsOwnerOrReadOnly
+from django.shortcuts import render, redirect
+from rest_framework.parsers import JSONParser
+from django.http.response import JsonResponse
+from rest_framework.response import Response
+from rest_framework import mixins
-# def post(self, request, format=None):
-# serializer = StudentSerializer(data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-# class StudentDetail(APIView):
-# """
-# Retrieve, update or delete a snippet instance.
-# """
-# def get_object(self, pk):
-# try:
-# return Student.objects.get(pk=pk)
-# except Student.DoesNotExist:
-# raise Http404
+class StudentList(generics.ListCreateAPIView):
+ queryset = Student.objects.all()
+ serializer_class = StudentSerializer
+ def perform_create(self, serializer):
+ serializer.save(owner=self.request.user)
-# def get(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = StudentSerializer(snippet)
-# return response.Response(serializer.data)
+class StudentDetail(generics.RetrieveAPIView):
+ queryset = Student.objects.all()
+ serializer_class = StudentSerializer
+ permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
-# def put(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = StudentSerializer(snippet, data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+class TeacherList(generics.ListCreateAPIView):
+ queryset = Teacher.objects.all()
+ serializer_class = TeacherSerializer
+ def perform_create(self, serializer):
+ if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+ serializer.save(owner=self.request.user)
+ else:
+ print("UNAUTHORIZED POST")
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-# def delete(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# snippet.delete()
-# return response.Response(status=status.HTTP_204_NO_CONTENT)
+class TeacherDetail(generics.RetrieveAPIView):
+ queryset = Teacher.objects.all()
+ serializer_class = TeacherSerializer
+ permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
-# class TeacherList(APIView):
-# """
-# List all snippets, or create a new snippet.
-# """
-# def get(self, request, format=None):
-# snippets = Teacher.objects.all()
-# serializer = TeacherSerializer(snippets, many=True)
-# return response.Response(serializer.data)
-
-# def post(self, request, format=None):
-# serializer = TeacherSerializer(data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
-# class TeacherDetail(APIView):
-# """
-# Retrieve, update or delete a snippet instance.
-# """
-# def get_object(self, pk):
-# try:
-# return Teacher.objects.get(pk=pk)
-# except Teacher.DoesNotExist:
-# raise Http404
-
-# def get(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = TeacherSerializer(snippet)
-# return response.Response(serializer.data)
-
-# def put(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = TeacherSerializer(snippet, data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
-# def delete(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# snippet.delete()
-# return response.Response(status=status.HTTP_204_NO_CONTENT)
-# class ClassesList(APIView):
-# """
-# List all snippets, or create a new snippet.
-# """
-# def get(self, request, format=None):
-# snippets = Classes.objects.all()
-# serializer = ClassesSerializer(snippets, many=True)
-# return response.Response(serializer.data)
+class ClassesList(generics.ListCreateAPIView):
+ queryset = Classes.objects.all()
+ serializer_class = ClassesSerializer
+ #permissions_classes = [isTeacher]
+ def perform_create(self, serializer):
+ if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+ serializer.save(owner=self.request.user)
+ else:
+ print("UNAUTHORIZED POST")
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-# def post(self, request, format=None):
-# serializer = ClassesSerializer(data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data, status=status.HTTP_201_CREATED)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+# class ClassesDetail(generics.RetrieveAPIView):
+# queryset = Classes.objects.all()
+# serializer_class = ClassesSerializer
+# # permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
-# class ClassesDetail(APIView):
-# """
-# Retrieve, update or delete a snippet instance.
-# """
-# def get_object(self, pk):
-# try:
-# return Classes.objects.get(pk=pk)
-# except Classes.DoesNotExist:
-# raise Http404
+class ClassesDetail(mixins.RetrieveModelMixin,
+ mixins.UpdateModelMixin,
+ mixins.DestroyModelMixin,
+ generics.GenericAPIView):
+ queryset = Classes.objects.all()
+ serializer_class = ClassesSerializer
-# def get(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = ClassesSerializer(snippet)
-# return response.Response(serializer.data)
+ def get(self, request, *args, **kwargs):
+ return self.retrieve(request, *args, **kwargs)
-# def put(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# serializer = ClassesSerializer(snippet, data=request.data)
-# if serializer.is_valid():
-# serializer.save()
-# return response.Response(serializer.data)
-# return response.Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+ def put(self, request, *args, **kwargs):
+ print(self.owner)
+ if(request.user == self.owner):
+ return self.update(request, *args, **kwargs)
-# def delete(self, request, pk, format=None):
-# snippet = self.get_object(pk)
-# snippet.delete()
-# return response.Response(status=status.HTTP_204_NO_CONTENT)
\ No newline at end of file
+ def delete(self, request, *args, **kwargs):
+ return self.destroy(request, *args, **kwargs)
+
+class AssignmentList(generics.ListCreateAPIView):
+ queryset = Assignment.objects.all()
+ serializer_class = AssignmentSerializer
+ def perform_create(self, serializer):
+ if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+ serializer.save(owner=self.request.user)
+ else:
+ print("UNAUTHORIZED POST")
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+class AssignmentDetail(generics.RetrieveAPIView):
+ queryset = Assignment.objects.all()
+ serializer_class = AssignmentSerializer
+ permissions_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
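Review bot: `permissions_classes` on StudentDetail, TeacherDetail and AssignmentDetail is a typo for `permission_classes`, so DRF ignores the attribute and those views run under the project default rather than `IsAuthenticated, IsOwnerOrReadOnly` (views.py in this same commit fixes the identical typo, but this copy keeps it). The `else` branch in the three `perform_create` methods is also ineffective: `CreateModelMixin.create()` discards `perform_create`'s return value and replies 201 with `serializer.data`, so a non-teacher gets a success response for an object that was never saved; replace the branch with `raise PermissionDenied()` (from `rest_framework.exceptions`) and drop the `print`. `ClassesDetail.put` reads `self.owner`, which no attribute on the view provides, and returns nothing for a non-owner; `self.get_object().owner` plus `IsOwnerOrReadOnly` in a real `permission_classes` would cover both. If views-back.py is a backup of views.py, it should probably not be committed at all rather than carry a second, weaker copy of the same endpoints.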
diff --git a/Website/api/views.py b/Website/api/views.py
index a8bdb83..3876c0a 100644
--- a/Website/api/views.py
+++ b/Website/api/views.py
@@ -4,10 +4,17 @@ from rest_framework import generics, viewsets, permissions, response, status
 from django.http import Http404
 from rest_framework.views import APIView
 from django.contrib.auth.models import User
+from .permissions import isTeacher, IsOwnerOrReadOnly
+from django.shortcuts import render, redirect
+from rest_framework.parsers import JSONParser
+from rest_framework.response import Response
+
+
 class UserViewSet(viewsets.ModelViewSet):
 queryset = User.objects.all()
 serializer_class = UserSerializer
+ permission_classes = [permissions.IsAuthenticated]
 class StudentViewSet(viewsets.ModelViewSet):
@@ -16,8 +23,10 @@ class StudentViewSet(viewsets.ModelViewSet):
 """
 queryset = Student.objects.all()
 serializer_class = StudentSerializer
- permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+ permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
+ def perform_create(self, serializer):
+ serializer.save(owner=self.request.user)
 class TeacherViewSet(viewsets.ModelViewSet):
 """
@@ -25,8 +34,10 @@ class TeacherViewSet(viewsets.ModelViewSet):
 """
 queryset = Teacher.objects.all()
 serializer_class = TeacherSerializer
- permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+ permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
+ def perform_create(self, serializer):
+ serializer.save(owner=self.request.user)
 class ClassesViewSet(viewsets.ModelViewSet):
 """
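Review bot: `permission_classes = [permissions.IsAuthenticated]` on UserViewSet still leaves every authenticated account free to create, edit and delete any `User` through a full `ModelViewSet`, including renaming other users and rewriting the `students`/`teachers` relations UserSerializer exposes. Unless user administration is meant to go through this API, change the base class to `viewsets.ReadOnlyModelViewSet` or use `permission_classes = [permissions.IsAdminUser]`. The `render`, `redirect` and `JSONParser` imports added in this hunk are not used by any of the visible code and can go.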
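Review bot: TeacherViewSet's new `perform_create` saves for any authenticated user, whereas the ClassesViewSet and AssignmentViewSet hunks that follow gate creation on membership of the `teachers` group, so anyone with an account can mint a Teacher profile for themselves even though `IsOwnerOrReadOnly` then protects it. If Teacher rows are meant to correspond to members of the `teachers` group — which the rest of the commit suggests — apply the same `groups.filter(name__in=['teachers']).exists() or is_superuser` check here, ideally via one shared permission class rather than a fourth copy of the filter.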
@@ -34,7 +45,14 @@ class ClassesViewSet(viewsets.ModelViewSet):
 """
 queryset = Classes.objects.all()
 serializer_class = ClassesSerializer
- permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+ permission_classes = [permissions.IsAuthenticated, IsOwnerOrReadOnly]
+
+ def perform_create(self, serializer):
+ if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+ serializer.save(owner=self.request.user)
+ else:
+ print("UNAUTHORIZED POST")
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 class AssignmentViewSet(viewsets.ModelViewSet):
@@ -43,7 +61,14 @@ class AssignmentViewSet(viewsets.ModelViewSet):
 """
 queryset = Assignment.objects.all()
 serializer_class = AssignmentSerializer
- permissions_classes = [permissions.IsAuthenticatedOrReadOnly]
+ permission_classes = [permissions.IsAuthenticated, isTeacher, IsOwnerOrReadOnly]
+
+ def perform_create(self, serializer):
+ if(self.request.user.groups.filter(name__in=['teachers']).exists() or self.request.user.is_superuser):
+ serializer.save(owner=self.request.user)
+ else:
+ print("UNAUTHORIZED POST")
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 # class DefFilesViewSet(viewsets.ModelViewSet):
 # """
diff --git a/Website/skoolos/urls.py b/Website/skoolos/urls.py
index 5f53e18..97259c1 100644
--- a/Website/skoolos/urls.py
+++ b/Website/skoolos/urls.py
@@ -1,7 +1,7 @@
 from django.urls import path
-from . import views
+
 urlpatterns = [
- path('', views.home, name='home'),
+
 ]
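Review bot: The `else` branch of ClassesViewSet.perform_create does not actually reject the request: `CreateModelMixin.create()` ignores whatever `perform_create` returns and answers 201 with `serializer.data`, so a non-teacher receives a success response for a class that was never saved, and the `Response(serializer.errors, ...)` built here is thrown away. Replace the branch with `raise PermissionDenied()` from `rest_framework.exceptions`, and report the refusal through `logging` rather than `print`. Since `permission_classes` already runs before the handler, moving the group test into a `has_permission` on `isTeacher` and listing it here (as AssignmentViewSet does in the next hunk) would remove the duplicated check altogether.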
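Review bot: `isTeacher` is added to `permission_classes` on AssignmentViewSet but not on ClassesViewSet in the previous hunk, although the comment on the class in permissions.py says both classes and assignments are teacher-only; the two views should carry the same list. As far as the visible permissions.py hunk shows, `isTeacher` only implements the object-level hook, which DRF does not consult for POST, so listing it here still does not protect `create` — that protection currently rests entirely on the `perform_create` branch, whose `return Response(...)` is discarded by DRF and should be `raise PermissionDenied()` instead.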