From d557d571081bb062c44e1da906d0d0b2b70e7982 Mon Sep 17 00:00:00 2001
From: David Newswanger
Date: Tue, 12 Feb 2019 11:15:51 -0500
Subject: [PATCH 1/2] Raise forbidden error if un authenticated users load email api.
---
 galaxy/api/views/email.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/galaxy/api/views/email.py b/galaxy/api/views/email.py
index 442dc90cc..2daeb8535 100644
--- a/galaxy/api/views/email.py
+++ b/galaxy/api/views/email.py
@@ -24,6 +24,11 @@
 User = get_user_model()
+def deny_anonymous_users(user):
+    if user.is_anonymous:
+        raise PermissionDenied()
+
+
 class UserEmailList(base_views.SubListAPIView):
     model = EmailAddress
     serializer_class = serializers.EmailSerializer
@@ -31,6 +36,8 @@ class UserEmailList(base_views.SubListAPIView):
     relationship = 'emailaddress_set'
     def get_queryset(self):
+        deny_anonymous_users(self.request.user)
+
         user_id = self.kwargs.get(self.lookup_field)
         if not self.request.user.is_staff:
             if self.request.user.id != int(user_id):
@@ -44,6 +51,8 @@ class EmailList(base_views.ListCreateAPIView):
     serializer_class = serializers.EmailSerializer
     def get_queryset(self):
+        deny_anonymous_users(self.request.user)
+
         qs = super(EmailList, self).get_queryset()
         if not self.request.user.is_staff:
             qs = qs.filter(user=self.request.user)
@@ -55,6 +64,8 @@ class EmailDetail(base_views.RetrieveUpdateDestroyAPIView):
     serializer_class = serializers.EmailSerializer
     def get_object(self, qs=None):
+        deny_anonymous_users(self.request.user)
+
         obj = super(EmailDetail, self).get_object()
         if not self.request.user.is_staff:
             if obj.user != self.request.user:
From 6dbaa0abfc15e7e1e005b09a961c4b1447a5aafe Mon Sep 17 00:00:00 2001
From: David Newswanger
Date: Wed, 13 Feb 2019 13:05:39 -0500
Subject: [PATCH 2/2] Switch to using permission classes.
---
 galaxy/api/views/email.py | 16 +++++----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/galaxy/api/views/email.py b/galaxy/api/views/email.py
index 2daeb8535..e8019ce84 100644
--- a/galaxy/api/views/email.py
+++ b/galaxy/api/views/email.py
@@ -12,6 +12,8 @@
 from rest_framework.response import Response
+from rest_framework.permissions import IsAuthenticated
+
 __all__ = [
     'UserEmailList',
     'EmailList',
@@ -24,20 +26,14 @@
 User = get_user_model()
-def deny_anonymous_users(user):
-    if user.is_anonymous:
-        raise PermissionDenied()
-
-
 class UserEmailList(base_views.SubListAPIView):
     model = EmailAddress
     serializer_class = serializers.EmailSerializer
     parent_model = User
     relationship = 'emailaddress_set'
+    permission_classes = (IsAuthenticated,)
     def get_queryset(self):
-        deny_anonymous_users(self.request.user)
-
         user_id = self.kwargs.get(self.lookup_field)
         if not self.request.user.is_staff:
             if self.request.user.id != int(user_id):
@@ -49,10 +45,9 @@ def get_queryset(self):
 class EmailList(base_views.ListCreateAPIView):
     model = EmailAddress
     serializer_class = serializers.EmailSerializer
+    permission_classes = (IsAuthenticated,)
     def get_queryset(self):
-        deny_anonymous_users(self.request.user)
-
         qs = super(EmailList, self).get_queryset()
         if not self.request.user.is_staff:
             qs = qs.filter(user=self.request.user)
@@ -62,10 +57,9 @@ def get_queryset(self):
 class EmailDetail(base_views.RetrieveUpdateDestroyAPIView):
     model = EmailAddress
     serializer_class = serializers.EmailSerializer
+    permission_classes = (IsAuthenticated,)
     def get_object(self, qs=None):
-        deny_anonymous_users(self.request.user)
-
         obj = super(EmailDetail, self).get_object()
         if not self.request.user.is_staff:
             if obj.user != self.request.user:
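Review bot: The access policy for these views is now split between the class-level `permission_classes = (IsAuthenticated,)` added in the three view hunks and the staff/ownership checks that stay inside `get_queryset` and `get_object` (`if not self.request.user.is_staff: ...`), and neither place documents the intended rule; a class docstring on `UserEmailList`, `EmailList` and `EmailDetail`, e.g. `"""Email addresses of a user: callers must be authenticated, and non-staff users only reach their own addresses."""`, would keep the two halves from drifting apart as either is edited. Declaring `permission_classes` on the view replaces the project's `DEFAULT_PERMISSION_CLASSES` for these endpoints rather than adding to it, so it is worth confirming that no project-wide permission class was relied on here. A style point in the first hunk: the new `from rest_framework.permissions import IsAuthenticated` is appended after `from rest_framework.response import Response` instead of before it in alphabetical order with the other `rest_framework` imports. Each of the three method bodies continues past the end of its hunk.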