return permission denied when anonymous user tries to use REST
diff --git a/planetstack/core/xoslib/methods/sliceplus.py b/planetstack/core/xoslib/methods/sliceplus.py
index 0a8852a..c71b57d 100644
--- a/planetstack/core/xoslib/methods/sliceplus.py
+++ b/planetstack/core/xoslib/methods/sliceplus.py
@@ -7,6 +7,7 @@
from django.forms import widgets
from core.xoslib.objects.sliceplus import SlicePlus
from plus import PlusSerializerMixin, PlusRetrieveUpdateDestroyAPIView, PlusListCreateAPIView
+from django.core.exceptions import PermissionDenied
if hasattr(serializers, "ReadOnlyField"):
# rest_framework 3.x
@@ -79,6 +80,9 @@
def get_queryset(self):
current_user_can_see = self.request.QUERY_PARAMS.get('current_user_can_see', False)
+ if (not self.request.user.is_authenticated()):
+ raise PermissionDenied("You must be authenticated in order to use this API")
+
slices = SlicePlus.select_by_user(self.request.user)
# If current_user_can_see is set, then filter the queryset to return
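Review bot: The anonymous-user check added at the top of this `get_queryset` is copied by hand into each handler (the second `get_queryset` in this file and both `get` methods in tenantview.py), so any handler that does not pass through one of these lines stays reachable without authentication. The `update` method that follows the second `get_queryset` lies outside the hunks, and whether it is covered cannot be seen from here. Declaring `permission_classes = (permissions.IsAuthenticated,)` on each view class would have REST framework reject anonymous requests before dispatch for every HTTP method; this needs `from rest_framework import permissions` if the modules do not already import it. If the per-method check is kept, a one-line comment such as `# anonymous users have no slices; fail closed before querying` above it would record why it precedes `select_by_user`. The body of `get_queryset` continues past the end of this hunk.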
@@ -102,6 +106,8 @@
method_name = "slicesplus"
def get_queryset(self):
+ if (not self.request.user.is_authenticated()):
+ raise PermissionDenied("You must be authenticated in order to use this API")
return SlicePlus.select_by_user(self.request.user)
def update(self, request, *args, **kwargs):
diff --git a/planetstack/core/xoslib/methods/tenantview.py b/planetstack/core/xoslib/methods/tenantview.py
index 44db514..5694374 100644
--- a/planetstack/core/xoslib/methods/tenantview.py
+++ b/planetstack/core/xoslib/methods/tenantview.py
@@ -7,6 +7,7 @@
from core.models import *
from django.forms import widgets
from syndicate_storage.models import Volume
+from django.core.exceptions import PermissionDenied
# This REST API endpoint contains a bunch of misc information that the
# tenant view needs to display
@@ -92,6 +93,8 @@
method_name = "tenantview"
def get(self, request, format=None):
+ if (not request.user.is_authenticated()):
+ raise PermissionDenied("You must be authenticated in order to use this API")
return Response( getTenantViewDict(request.user) )
class TenantDetail(APIView):
@@ -99,5 +102,7 @@
method_name = "tenantview"
def get(self, request, format=None, pk=0):
+ if (not request.user.is_authenticated()):
+ raise PermissionDenied("You must be authenticated in order to use this API")
return Response( [getTenantViewDict(request.user)] )