Test preprocessors with Flask-Restless.

3 files changed, 28 insertions, 0 deletions

diff --git a/src/web/views/api/v3/__init__.py b/src/web/views/api/v3/__init__.py
index e69de29b..76aa1f19 100644
--- a/src/web/views/api/v3/__init__.py
+++ b/src/web/views/api/v3/__init__.py
@@ -0,0 +1,3 @@
+from web.views.api.v3 import article
+
+__all__ = ['article']
diff --git a/src/web/views/api/v3/article.py b/src/web/views/api/v3/article.py
new file mode 100644
index 00000000..2f276170
--- /dev/null
+++ b/src/web/views/api/v3/article.py
@@ -0,0 +1,9 @@
+from web import models
+from bootstrap import application, manager
+from web.views.api.v3.common import check_auth
+
+
+blueprint_article = manager.create_api_blueprint(models.Article,
+                        methods=['GET', 'POST', 'PUT', 'DELETE'],
+                        preprocessors=dict(GET_SINGLE=[check_auth]))
+application.register_blueprint(blueprint_article)
diff --git a/src/web/views/api/v3/common.py b/src/web/views/api/v3/common.py
new file mode 100644
index 00000000..f5bd2dea
--- /dev/null
+++ b/src/web/views/api/v3/common.py
@@ -0,0 +1,16 @@
+from flask.ext.login import current_user
+from web.controllers import ArticleController
+
+
+def is_authorized_to_modify(user, obj):
+    return user.id == obj.user_id
+
+
+def check_auth(instance_id=None, **kw):
+    # Check if the user is authorized to modify the specified
+    # instance of the model.
+    contr = ArticleController(current_user.id)
+    article = contr.get(id=instance_id)
+    if not is_authorized_to_modify(current_user, article):
+        raise ProcessingException(description='Not Authorized',
+                                  code=401)