From b32ca6c0f5968f5e9f59847db5012e3ef7f98631 Mon Sep 17 00:00:00 2001
From: Cédric Bonhomme
Date: Wed, 2 Mar 2016 08:25:52 +0100
Subject: Code update. Some problems with CSRF token on Chromium...

---
 src/web/views/api/__init__.py | 28 ------
 src/web/views/api/article.py | 63 +++++-------
 src/web/views/api/category.py | 20 ++--
 src/web/views/api/common.py | 210 ++++++++++++++++++------------------------
 src/web/views/api/feed.py | 60 ++++--------
 5 files changed, 144 insertions(+), 237 deletions(-)

(limited to 'src/web/views/api')

diff --git a/src/web/views/api/__init__.py b/src/web/views/api/__init__.py
index 90e1ab0f..458e031b 100644
--- a/src/web/views/api/__init__.py
+++ b/src/web/views/api/__init__.py
@@ -1,31 +1,3 @@
-#! /usr/bin/env python
-# -*- coding: utf-8 -*-
-
-# jarr - A Web based news aggregator.
-# Copyright (C) 2010-2016 Cédric Bonhomme - http://JARR-aggregator.org/
-#
-# For more information : https://github.com/JARR-aggregator/JARR/
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see .
-
-__author__ = "Cedric Bonhomme"
-__version__ = "$Revision: 0.2 $"
-__date__ = "$Date: 2014/06/18 $"
-__revision__ = "$Date: 2014/07/05 $"
-__copyright__ = "Copyright (c) Cedric Bonhomme"
-__license__ = "AGPLv3"
-
 from web.views.api import article, feed, category

 __all__ = ['article', 'feed', 'category']
diff --git a/src/web/views/api/article.py b/src/web/views/api/article.py
index 23c5c495..5971f47d 100644
--- a/src/web/views/api/article.py
+++ b/src/web/views/api/article.py
@@ -1,66 +1,53 @@ -#! /usr/bin/env python -# -*- coding: utf-8 - - -from flask import g +from conf import API_ROOT import dateutil.parser +from datetime import datetime +from flask import current_app +from flask.ext.restful import Api +from web.views.common import api_permission from web.controllers import ArticleController -from web.views.api.common import PyAggAbstractResource,\ - PyAggResourceNew, \ - PyAggResourceExisting, \ - PyAggResourceMulti - - -ARTICLE_ATTRS = {'user_id': {'type': int}, - 'feed_id': {'type': int}, - 'category_id': {'type': int}, - 'entry_id': {'type': str}, - 'link': {'type': str}, - 'title': {'type': str}, - 'readed': {'type': bool}, - 'like': {'type': bool}, - 'content': {'type': str}, - 'date': {'type': str}, - 'retrieved_date': {'type': str}} +from web.views.api.common import (PyAggAbstractResource, + PyAggResourceNew, PyAggResourceExisting, PyAggResourceMulti) class ArticleNewAPI(PyAggResourceNew): controller_cls = ArticleController - attrs = ARTICLE_ATTRS - to_date = ['date', 'retrieved_date'] class ArticleAPI(PyAggResourceExisting): controller_cls = ArticleController - attrs = ARTICLE_ATTRS - to_date = ['date', 'retrieved_date'] class ArticlesAPI(PyAggResourceMulti): controller_cls = ArticleController - attrs = ARTICLE_ATTRS - to_date = ['date', 'retrieved_date'] class ArticlesChallenge(PyAggAbstractResource): controller_cls = ArticleController attrs = {'ids': {'type': list, 'default': []}} - to_date = ['date', 'retrieved_date'] + @api_permission.require(http_exception=403) def get(self): - parsed_args = self.reqparse_args() + parsed_args = self.reqparse_args(right='read') + # collecting all attrs for casting purpose + attrs = self.controller_cls._get_attrs_desc('admin') for id_dict in parsed_args['ids']: - for key in self.to_date: - if key in id_dict: + keys_to_ignore = [] + for key in id_dict: + if key not in attrs: + keys_to_ignore.append(key) + if issubclass(attrs[key]['type'], datetime): id_dict[key] = 
dateutil.parser.parse(id_dict[key]) + for key in keys_to_ignore: + del id_dict[key] - result = list(self.wider_controller.challenge(parsed_args['ids'])) + result = list(self.controller.challenge(parsed_args['ids'])) return result or None, 200 if result else 204 +api = Api(current_app, prefix=API_ROOT) -g.api.add_resource(ArticleNewAPI, '/article', endpoint='article_new.json') -g.api.add_resource(ArticleAPI, '/article/', - endpoint='article.json') -g.api.add_resource(ArticlesAPI, '/articles', endpoint='articles.json') -g.api.add_resource(ArticlesChallenge, '/articles/challenge', - endpoint='articles_challenge.json') +api.add_resource(ArticleNewAPI, '/article', endpoint='article_new.json') +api.add_resource(ArticleAPI, '/article/', endpoint='article.json') +api.add_resource(ArticlesAPI, '/articles', endpoint='articles.json') +api.add_resource(ArticlesChallenge, '/articles/challenge', + endpoint='articles_challenge.json') diff --git a/src/web/views/api/category.py b/src/web/views/api/category.py index 7923279a..eecfa785 100644 --- a/src/web/views/api/category.py +++ b/src/web/views/api/category.py @@ -1,4 +1,6 @@ -from flask import g +from conf import API_ROOT +from flask import current_app +from flask.ext.restful import Api from web.controllers.category import CategoryController from web.views.api.common import (PyAggResourceNew, 
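Review bot: In ArticlesChallenge.get the `if key not in attrs` branch records the unknown key but does not skip it, so the very next line `attrs[key]['type']` raises KeyError and the request ends in a 500 for any caller-supplied key that is not an article attribute. Since `ids` comes straight from the JSON body this is attacker-controllable; add `continue` right after `keys_to_ignore.append(key)`, and consider rejecting non-dict entries in `ids` with a 400 before iterating them, because `for key in id_dict` on a string or number fails in the same way. Values for datetime-typed keys go to `dateutil.parser.parse` unchecked, so a non-string or unparsable value also surfaces as a 500 rather than a BadRequest. The casting table is deliberately `_get_attrs_desc('admin')` while the payload was parsed with `right='read'`; a one-line comment such as `# admin attr set is used only for type casting, not for authorization` would stop a later reader from "fixing" it.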
@@ -6,26 +8,20 @@ from web.views.api.common import (PyAggResourceNew, PyAggResourceMulti) -CAT_ATTRS = {'name': {'type': str}, - 'user_id': {'type': int}} - - class CategoryNewAPI(PyAggResourceNew): controller_cls = CategoryController - attrs = CAT_ATTRS class CategoryAPI(PyAggResourceExisting): controller_cls = CategoryController - attrs = CAT_ATTRS class CategoriesAPI(PyAggResourceMulti): controller_cls = CategoryController - attrs = CAT_ATTRS -g.api.add_resource(CategoryNewAPI, '/category', endpoint='category_new.json') -g.api.add_resource(CategoryAPI, '/category/', - endpoint='category.json') -g.api.add_resource(CategoriesAPI, '/categories', endpoint='categories.json') +api = Api(current_app, prefix=API_ROOT) +api.add_resource(CategoryNewAPI, '/category', endpoint='category_new.json') +api.add_resource(CategoryAPI, '/category/', + endpoint='category.json') +api.add_resource(CategoriesAPI, '/categories', endpoint='categories.json') diff --git a/src/web/views/api/common.py b/src/web/views/api/common.py index 91a9bfff..ace6ba3a 100644 --- a/src/web/views/api/common.py +++ b/src/web/views/api/common.py @@ -1,6 +1,3 @@ -#! /usr/bin/env python -# -*- coding: utf-8 - - """For a given resources, classes in the module intend to create the following routes : GET resource/ 
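Review bot: Each API module now builds its own `api = Api(current_app, prefix=API_ROOT)` at import time, so `category.py` (and likewise `article.py` and `feed.py`) can only be imported while an application context is pushed, and the app ends up with three separate Flask-RESTful `Api` objects, each presumably hooking the app's error handling through `init_app`. That works as long as `web.views.api` is only ever imported from application setup, but any standalone import (tests, a shell, a CLI command) will fail with "working outside of application context". Consider creating a single `Api` in `web/views/api/__init__.py` (or passing the app explicitly) and having each module register its resources on it; at minimum a comment `# requires an application context at import time` next to the `Api(...)` line documents the constraint.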
@@ -21,82 +18,53 @@ routes : DELETE resources -> to delete several """ -import ast -import json import logging -import dateutil.parser from functools import wraps -from werkzeug.exceptions import Unauthorized, BadRequest -from flask import request, g, session, Response +from werkzeug.exceptions import Unauthorized, BadRequest, Forbidden, NotFound +from flask import request from flask.ext.restful import Resource, reqparse from flask.ext.login import current_user -from web.lib.utils import default_handler -from web.models import User +from web.views.common import admin_permission, api_permission, \ + login_user_bundle, jsonify +from web.controllers import UserController logger = logging.getLogger(__name__) def authenticate(func): - """ - Decorator for the authentication to the web services. - """ @wraps(func) def wrapper(*args, **kwargs): - logged_in = False - if not getattr(func, 'authenticated', True): - logged_in = True - # authentication based on the session (already logged on the site) - elif 'email' in session or current_user.is_authenticated: - logged_in = True - else: - # authentication via HTTP only - auth = request.authorization - if auth is not None: - user = User.query.filter( - User.nickname == auth.username).first() - if user and user.check_password(auth.password) and user.is_active: - logged_in = True - if logged_in: + if request.authorization: + ucontr = UserController() + try: + user = ucontr.get(login=request.authorization.username) + except NotFound: + raise Forbidden("Couldn't authenticate your user") + if not ucontr.check_password(user, request.authorization.password): + raise Forbidden("Couldn't authenticate your user") + if not user.is_active: + raise Forbidden("User is desactivated") + login_user_bundle(user) + if current_user.is_authenticated: return func(*args, **kwargs) - raise Unauthorized({'WWWAuthenticate': 'Basic realm="Login Required"'}) - return wrapper - - -def to_response(func): - """Will cast results of func as a result, and try to 
extract - a status_code for the Response object""" - def wrapper(*args, **kwargs): - status_code = 200 - result = func(*args, **kwargs) - if isinstance(result, Response): - return result - elif isinstance(result, tuple): - result, status_code = result - return Response(json.dumps(result, default=default_handler), - status=status_code) + raise Unauthorized() return wrapper class PyAggAbstractResource(Resource): - method_decorators = [authenticate, to_response] - attrs = {} - to_date = [] # list of fields to cast to datetime - - def __init__(self, *args, **kwargs): - super(PyAggAbstractResource, self).__init__(*args, **kwargs) + method_decorators = [authenticate, jsonify] + controller_cls = None + attrs = None @property def controller(self): - return self.controller_cls(getattr(current_user, 'id', None)) - - @property - def wider_controller(self): - if current_user.is_admin: + if admin_permission.can(): return self.controller_cls() - return self.controller_cls(getattr(current_user, 'id', None)) + return self.controller_cls(current_user.id) - def reqparse_args(self, req=None, strict=False, default=True, args=None): + def reqparse_args(self, right, req=None, strict=False, default=True, + allow_empty=False): """ strict: bool if True will throw 400 error if args are defined and not in request 
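Review bot: The new `authenticate` answers a missing or failed Basic-auth attempt inconsistently: no credentials yields `Unauthorized()` with no `WWW-Authenticate` challenge (the old code at least attempted to send one), while an unknown login or wrong password yields 403 Forbidden, so HTTP clients never receive the 401 plus challenge that tells them to (re)send credentials. Keep 401 for credential failures and attach the challenge, e.g. `raise Unauthorized(www_authenticate='Basic realm="Login Required"')` if the installed Werkzeug accepts that argument, otherwise build the 401 response with the header set explicitly. The separate `Forbidden("User is desactivated")` (sic, "deactivated") branch is only reached after `check_password` succeeded, so it confirms to a caller that the password is correct for a disabled account; return the same generic message there and log the real reason server-side. `login_user_bundle(user)` is also called on every Basic-auth request, which presumably creates a login session for what is meant to be a stateless API call — confirm that is intended, since it means the cookie-session path is then accepted for state-changing API methods as well. The `reqparse_args` signature at the end of this hunk is cut off; its body continues in the next hunk.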
@@ -105,31 +73,39 @@ class PyAggAbstractResource(Resource): args: dict the args to parse, if None, self.attrs will be used """ + try: + in_values = req.json if req else (request.json or {}) + if not in_values and allow_empty: + return {} + except BadRequest: + if allow_empty: + return {} + raise parser = reqparse.RequestParser() - for attr_name, attrs in (args or self.attrs).items(): - if attrs.pop('force_default', False): - parser.add_argument(attr_name, location='json', **attrs) - elif not default and (not request.json - or request.json and attr_name not in request.json): + if self.attrs is not None: + attrs = self.attrs + elif admin_permission.can(): + attrs = self.controller_cls._get_attrs_desc('admin') + elif api_permission.can(): + attrs = self.controller_cls._get_attrs_desc('api', right) + else: + attrs = self.controller_cls._get_attrs_desc('base', right) + assert attrs, "No defined attrs for %s" % self.__class__.__name__ + + for attr_name, attr in attrs.items(): + if not default and attr_name not in in_values: continue else: - parser.add_argument(attr_name, location='json', **attrs) - parsed = parser.parse_args(strict=strict) if req is None \ - else parser.parse_args(req, strict=strict) - for field in self.to_date: - if parsed.get(field): - try: - parsed[field] = dateutil.parser.parse(parsed[field]) - except Exception: - logger.exception('failed to parse %r', parsed[field]) - return parsed + parser.add_argument(attr_name, location='json', **attr) + return parser.parse_args(req=req, strict=strict) class PyAggResourceNew(PyAggAbstractResource): + @api_permission.require(http_exception=403) def post(self): """Create a single new object""" - return self.controller.create(**self.reqparse_args()), 201 + return self.controller.create(**self.reqparse_args(right='write')), 201 class PyAggResourceExisting(PyAggAbstractResource): 
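Review bot: The docstring of `reqparse_args` still documents an `args` parameter that no longer exists and says nothing about the new `right` and `allow_empty` parameters, which now drive the authorization-sensitive choice of attribute set ('admin' versus 'api'/'base' narrowed by `right`). Replace the `args:` entry with `right: str, 'read' or 'write'; selects the attribute set a non-admin caller may supply` and add `allow_empty: bool, return {} instead of raising on a missing or malformed JSON body`. The `assert attrs, ...` guard is stripped under `python -O`, and an empty attribute set would then silently turn every payload into an empty Namespace; make it `if not attrs: raise RuntimeError("No defined attrs for %s" % self.__class__.__name__)`. One more thing worth a comment: with the default `strict=False`, keys the caller is not entitled to (such as `user_id`) are, as far as Flask-RESTful's parser goes, dropped silently rather than rejected — that silent drop is the mass-assignment defence here, so say so next to the `parser.add_argument` loop so it is not later "fixed" into strict mode without thought.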
@@ -140,14 +116,10 @@ class PyAggResourceExisting(PyAggAbstractResource): def put(self, obj_id=None): """update an object, new attrs should be passed in the payload""" - args = self.reqparse_args(default=False) - new_values = {key: args[key] for key in - set(args).intersection(self.attrs)} - if 'user_id' in new_values and current_user.is_admin: - controller = self.wider_controller - else: - controller = self.controller - return controller.update({'id': obj_id}, new_values), 200 + args = self.reqparse_args(right='write', default=False) + if not args: + raise BadRequest() + return self.controller.update({'id': obj_id}, args), 200 def delete(self, obj_id=None): """delete a object""" 
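Review bot: `put` now routes every update through `self.controller`, which (per the property in the previous hunk) is an unscoped `controller_cls()` whenever `admin_permission.can()`, so an admin's PUT to `/article/<id>` modifies whichever user's row has that id, where the old code only widened scope when `user_id` was actually being set. That is a larger blast radius for a mistyped id or a stolen admin credential; if cross-user edits are meant to be explicit, widen only when the payload asks for it, e.g. `contr = self.controller if 'user_id' in args else self.controller_cls(current_user.id)` and call `contr.update(...)`. Either way the behaviour deserves a docstring line such as `admins update any user's object by id; other callers are scoped to their own objects`. The `delete` method that starts at the bottom of this hunk continues outside it.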
@@ -164,73 +136,75 @@ class PyAggResourceMulti(PyAggAbstractResource): try: limit = request.json.pop('limit', 10) order_by = request.json.pop('order_by', None) - query = self.controller.read(**request.json) - except: - args = {} - for k, v in request.args.items(): - if k in self.attrs.keys(): - if self.attrs[k]['type'] in [bool, int]: - args[k] = ast.literal_eval(v) - else: - args[k] = v - limit = request.args.get('limit', 10) - order_by = request.args.get('order_by', None) - query = self.controller.read(**args) + args = self.reqparse_args(right='read', default=False) + except BadRequest: + limit, order_by, args = 10, None, {} + query = self.controller.read(**args) if order_by: query = query.order_by(order_by) if limit: query = query.limit(limit) return [res for res in query] + @api_permission.require(http_exception=403) def post(self): - """creating several objects. payload should be a list of dict. + """creating several objects. payload should be: + >>> payload + [{attr1: val1, attr2: val2}, {attr1: val1, attr2: val2}] """ - if 'application/json' not in request.headers.get('Content-Type'): - raise BadRequest("Content-Type must be application/json") - status = 201 - results = [] + assert 'application/json' in request.headers.get('Content-Type') + status, fail_count, results = 200, 0, [] + + class Proxy: + pass for attrs in request.json: try: - results.append(self.controller.create(**attrs).id) + Proxy.json = attrs + args = self.reqparse_args('write', req=Proxy, default=False) + obj = self.controller.create(**args) + results.append(obj) except Exception as error: - status = 206 + fail_count += 1 results.append(str(error)) - # if no operation succeded, it's not partial anymore, returning err 500 - if status == 206 and results.count('ok') == 0: + if fail_count == len(results): # all failed => 500 status = 500 + elif fail_count: # some failed => 206 + status = 206 return results, status def put(self): - """creating several objects. 
payload should be: + """updating several objects. payload should be: >>> payload [[obj_id1, {attr1: val1, attr2: val2}] [obj_id2, {attr1: val1, attr2: val2}]] """ - if 'application/json' not in request.headers.get('Content-Type'): - raise BadRequest("Content-Type must be application/json") - status = 200 - results = [] + assert 'application/json' in request.headers.get('Content-Type') + status, results = 200, [] + + class Proxy: + pass for obj_id, attrs in request.json: try: - new_values = {key: attrs[key] for key in - set(attrs).intersection(self.attrs)} - self.controller.update({'id': obj_id}, new_values) - results.append('ok') + Proxy.json = attrs + args = self.reqparse_args('write', req=Proxy, default=False) + result = self.controller.update({'id': obj_id}, args) + if result: + results.append('ok') + else: + results.append('nok') except Exception as error: - status = 206 results.append(str(error)) - # if no operation succeded, it's not partial anymore, returning err 500 - if status == 206 and results.count('ok') == 0: + if results.count('ok') == 0: # all failed => 500 status = 500 + elif results.count('ok') != len(results): # some failed => 206 + status = 206 return results, status def delete(self): """will delete several objects, a list of their ids should be in the payload""" - if 'application/json' not in request.headers.get('Content-Type'): - raise BadRequest("Content-Type must be application/json") - status = 204 - results = [] + assert 'application/json' in request.headers.get('Content-Type') + status, results = 204, [] for obj_id in request.json: try: self.controller.delete(obj_id) diff --git a/src/web/views/api/feed.py b/src/web/views/api/feed.py index 604620b4..774bff5f 100644 --- a/src/web/views/api/feed.py +++ b/src/web/views/api/feed.py 
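Review bot: The three `assert 'application/json' in request.headers.get('Content-Type')` lines replace a proper 400 with an AssertionError (a 500 to the client) and disappear entirely under `python -O`; worse, a request with no Content-Type header makes `.get()` return None and `in None` raises TypeError before the assertion even runs. Restore the explicit check, `if 'application/json' not in (request.headers.get('Content-Type') or ''): raise BadRequest("Content-Type must be application/json")`, ideally once in a small helper shared by post, put and delete. In `get`, narrowing the old bare `except:` to `except BadRequest` is right, but `request.json.pop(...)` on a non-JSON request now raises AttributeError on None (the `try:` opening this block lies outside the hunk) and again becomes a 500 instead of falling back to the defaults. Finally, `results.append(str(error))` after `except Exception` echoes arbitrary exception text, database errors included, back to the caller, and `post` answers 500 for an empty list because `fail_count == len(results)` holds for `0 == 0`; log the exception server-side, return a generic per-item failure marker, and treat an empty payload as a 400.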
@@ -1,8 +1,8 @@ -#! /usr/bin/env python -# -*- coding: utf-8 - - -from flask import g +from conf import API_ROOT +from flask import current_app +from flask.ext.restful import Api +from web.views.common import api_permission from web.controllers.feed import (FeedController, DEFAULT_MAX_ERROR, DEFAULT_LIMIT, 
@@ -13,59 +13,37 @@ from web.views.api.common import PyAggAbstractResource, \ PyAggResourceExisting, \ PyAggResourceMulti -FEED_ATTRS = {'title': {'type': str}, - 'description': {'type': str}, - 'link': {'type': str}, - 'user_id': {'type': int}, - 'category_id': {'type': int}, - 'site_link': {'type': str}, - 'enabled': {'type': bool, 'default': True}, - 'etag': {'type': str, 'default': ''}, - 'icon_url': {'type': str, 'default': ''}, - 'filters': {'type': list}, - 'last_modified': {'type': str}, - 'last_retrieved': {'type': str}, - 'last_error': {'type': str}, - 'error_count': {'type': int, 'default': 0}} class FeedNewAPI(PyAggResourceNew): controller_cls = FeedController - attrs = FEED_ATTRS - to_date = ['date', 'last_retrieved'] + class FeedAPI(PyAggResourceExisting): controller_cls = FeedController - attrs = FEED_ATTRS - to_date = ['date', 'last_retrieved'] + class FeedsAPI(PyAggResourceMulti): controller_cls = FeedController - attrs = FEED_ATTRS - to_date = ['date', 'last_retrieved'] + class FetchableFeedAPI(PyAggAbstractResource): controller_cls = FeedController - to_date = ['date', 'last_retrieved'] attrs = {'max_error': {'type': int, 'default': DEFAULT_MAX_ERROR}, 'limit': {'type': int, 'default': DEFAULT_LIMIT}, - 'refresh_rate': {'type': int, 'default': DEFAULT_REFRESH_RATE}, - 'retreive_all': {'type': bool, 'default': False}} + 'refresh_rate': {'type': int, 'default': DEFAULT_REFRESH_RATE}} + @api_permission.require(http_exception=403) def get(self): - args = self.reqparse_args() - if g.user.refresh_rate: - args['refresh_rate'] = g.user.refresh_rate - - if args.pop('retreive_all', False): - contr = self.wider_controller - else: - contr = self.controller - result = [feed for feed in contr.list_fetchable(**args)] + args = self.reqparse_args(right='read', allow_empty=True) + result = [feed for feed + in self.controller.list_fetchable(**args)] return result or None, 200 if result else 204 -g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json') 
-g.api.add_resource(FeedAPI, '/feed/', endpoint='feed.json') -g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json') -g.api.add_resource(FetchableFeedAPI, '/feeds/fetchable', - endpoint='fetchable_feed.json') +api = Api(current_app, prefix=API_ROOT) + +api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json') +api.add_resource(FeedAPI, '/feed/', endpoint='feed.json') +api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json') +api.add_resource(FetchableFeedAPI, '/feeds/fetchable', + endpoint='fetchable_feed.json') -- cgit
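Review bot: `FetchableFeedAPI.get` calls `reqparse_args(right='read', allow_empty=True)`, and with an empty or missing JSON body that helper returns `{}` before the parser is built, so the defaults declared in `attrs` (`DEFAULT_MAX_ERROR`, `DEFAULT_LIMIT`, `DEFAULT_REFRESH_RATE`) are never applied and `list_fetchable()` is called with no arguments. Whether that still behaves as before depends on `list_fetchable` carrying matching keyword defaults, which is not visible here; if it does not, the result is an unbounded crawl of every fetchable feed. Either drop `allow_empty=True` (the parser already fills defaults from `attrs`) or merge them explicitly, e.g. `args = {k: v['default'] for k, v in self.attrs.items()}` followed by `args.update(self.reqparse_args(right='read', allow_empty=True))`. Also worth a docstring line: because `self.controller` is unscoped for admins, this endpoint returns every user's fetchable feeds when called with admin credentials and only the caller's own otherwise, which is what the crawler presumably relies on.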