commit 8974e5537e13405351f97abe1f15da9deecc2ab1
author Scott Baker <smbaker@gmail.com> Tue Feb 10 19:26:00 2015 -0800
committer Scott Baker <smbaker@gmail.com> Tue Feb 10 19:26:00 2015 -0800
tree 2bbc76f0e40322406620f854f4ca78871af63f1c
parent 864e3dc56a397efb50fad9ab329de4a287575d40

consolidate API code for core and plus, fix access/default change in sliceplus, shore up caller arguments in update

planetstack/xosapibase.py

diff --git a/planetstack/xosapibase.py b/planetstack/xosapibase.py
new file mode 100644
index 0000000..3efb1de
--- /dev/null
+++ b/planetstack/xosapibase.py
@@ -0,0 +1,110 @@
+from rest_framework.response import Response
+from rest_framework import serializers
+from rest_framework import generics
+from rest_framework import status
+from rest_framework.exceptions import PermissionDenied as RestFrameworkPermissionDenied
+from django.core.exceptions import PermissionDenied as DjangoPermissionDenied
+
+class XOSRetrieveUpdateDestroyAPIView(generics.RetrieveUpdateDestroyAPIView):
+
+    # To handle fine-grained field permissions, we have to check can_update
+    # the object has been updated but before it has been saved.
+
+    def update(self, request, *args, **kwargs):

+        partial = kwargs.pop('partial', False)

+        self.object = self.get_object_or_none()

+

+        if self.object is None:

+            raise Exception("Use the List API for creating objects")

+

+        serializer = self.get_serializer(self.object, data=request.DATA,

+                                         files=request.FILES, partial=partial)

+

+        assert(serializer.object is not None)

+

+        serializer.object.caller = request.user

+

+        if not serializer.is_valid():

+            response = {"error": "validation",

+                        "specific_error": "not serializer.is_valid()",

+                        "reasons": serializer.errors}

+            return Response(response, status=status.HTTP_400_BAD_REQUEST)

+

+        try:

+            self.pre_save(serializer.object)

+        except ValidationError as err:

+            # full_clean on model instance may be called in pre_save,

+            # so we have to handle eventual errors.

+            response = {"error": "validation",

+                         "specific_error": "ValidationError in pre_save",

+                         "reasons": err.message_dict}

+            return Response(response, status=status.HTTP_400_BAD_REQUEST)

+

+        if not serializer.object.can_update(request.user):

+            return Response(status=status.HTTP_400_BAD_REQUEST)

+

+        self.object = serializer.save(force_update=True)

+        self.post_save(self.object, created=False)

+        return Response(serializer.data, status=status.HTTP_200_OK)
+
+    def destroy(self, request, *args, **kwargs):
+        obj = self.get_object()
+        if obj.can_update(request.user):
+            return super(XOSRetrieveUpdateDestroyAPIView, self).destroy(request, *args, **kwargs)
+        else:
+            return Response(status=status.HTTP_400_BAD_REQUEST)
+
+    def handle_exception(self, exc):
+        # REST API drops the string attached to Django's PermissionDenied
+        # exception, and replaces it with a generic "Permission Denied"
+        if isinstance(exc, DjangoPermissionDenied):
+            response=Response({'detail': str(exc)}, status=status.HTTP_403_FORBIDDEN)
+            response.exception=True
+            return response
+        else:
+            return super(XOSRetrieveUpdateDestroyAPIView, self).handle_exception(exc)
+
+class XOSListCreateAPIView(generics.ListCreateAPIView):
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.DATA, files=request.FILES)
+        if not (serializer.is_valid()):
+            response = {"error": "validation",
+                        "specific_error": "not serializer.is_valid()",

+                        "reasons": serializer.errors}

+            return Response(response, status=status.HTTP_400_BAD_REQUEST)
+
+        # now do XOS can_update permission checking
+
+        obj = serializer.object
+        obj.caller = request.user
+        if not obj.can_update(request.user):
+            response = {"error": "validation",
+                        "specific_error": "failed can_update",

+                        "reasons": []}

+            return Response(response, status=status.HTTP_400_BAD_REQUEST)
+
+        # stuff below is from generics.ListCreateAPIView
+
+        if (hasattr(self, "pre_save")):
+            # rest_framework 2.x
+            self.pre_save(serializer.object)
+            self.object = serializer.save(force_insert=True)
+            self.post_save(self.object, created=True)
+        else:
+            # rest_framework 3.x
+            self.perform_create(serializer)
+
+        headers = self.get_success_headers(serializer.data)
+        return Response(serializer.data, status=status.HTTP_201_CREATED,

+                        headers=headers)
+
+    def handle_exception(self, exc):
+        # REST API drops the string attached to Django's PermissionDenied
+        # exception, and replaces it with a generic "Permission Denied"
+        if isinstance(exc, DjangoPermissionDenied):
+            response=Response({'detail': str(exc)}, status=status.HTTP_403_FORBIDDEN)
+            response.exception=True
+            return response
+        else:
+            return super(XOSListCreateAPIView, self).handle_exception(exc)
+