Merge branch 'devel'

Author: b-angelov

izpitnik/accounts/api/permissions.py

@@ -0,0 +1,48 @@
+from rest_framework import permissions
+
+
+class IsOwnerPermission(permissions.BasePermission):
+
+    def has_permission(self, request, view):
+        return request.user and request.user.is_authenticated
+
+    def has_object_permission(self, request, view, obj):
+
+        return (
+                request.user.is_superuser or
+                request.user.has_perm("accounts.view_user") or
+                obj.pk == request.user.pk
+        )
+
+def add_or_change_permission_decorator(func):
+    def wrapper(self, request, *args, **kwargs):
+        user_id = kwargs.get('user_id')
+        user_id = str(request.user.pk) if user_id == 'my' else user_id
+        if request.method in ['POST', 'PUT', 'PATCH']:
+            if not (
+                    request.user.is_superuser or
+                    (request.user.has_perm("accounts.change_user") and request.user.has_perm("accounts.add_user")) or
+                    str(request.user.pk) == user_id
+            ):
+                return self.permission_denied(
+                    request,
+                    message="You do not have permission to perform this action."
+                )
+        return func(self, request, *args, **kwargs)
+    return wrapper
+
+def delete_permission_decorator(func):
+    def wrapper(self, request, *args, **kwargs):
+        user_id = kwargs.get('user_id')
+        user_id = str(request.user.pk) if user_id == 'my' else user_id
+        if not  (
+                request.user.is_superuser or
+                request.user.has_perm("accounts.delete_user") or
+                str(request.user.pk) == user_id
+        ):
+            return self.permission_denied(
+                request,
+                message="You do not have permission to perform this action."
+            )
+        return func(self, request, *args, **kwargs)
+    return wrapper

izpitnik/accounts/api/views.py

@@ -1,30 +1,28 @@
 # views.py
 from typing import Literal
 
+from django.contrib.auth.mixins import UserPassesTestMixin
+from django.contrib.auth.models import update_last_login
 from rest_framework import status
 from rest_framework.exceptions import AuthenticationFailed
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.generics import RetrieveUpdateDestroyAPIView
+from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.views import APIView
 from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
 from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView
 from rest_framework_simplejwt.tokens import RefreshToken
 from rest_framework.response import Response
 from django.conf import settings
 
+from izpitnik.accounts.api.permissions import IsOwnerPermission, add_or_change_permission_decorator, \
+    delete_permission_decorator
+from izpitnik.accounts.mixins import GenerateTokenMixin
+from izpitnik.accounts.serializers import CustomTokenObtainPairSerializer, UserProfileSerializer
+from izpitnik.articles.api.permissions import IsAuthorOnAllMethodsPermission
 from izpitnik.settings import ENV
 
 
-class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
 
-    @classmethod
-    def get_token(cls, user):
-        token = super().get_token(user)
-
-        token['is_admin'] = user.is_staff
-        token['roles'] = [role.name for role in user.groups.all()]
-        token['is_superuser'] = user.is_superuser
-
-        return token
 
 class CustomTokenObtainPairView(TokenObtainPairView):
 
@@ -33,25 +31,7 @@ class CustomTokenObtainPairView(TokenObtainPairView):
     def post(self, request, *args, **kwargs):
         response = super().post(request, *args, **kwargs)
         refresh = response.data.pop('refresh', None)
-
-        secure = False
-        samesite = False
-
-        if ENV == "production":
-            secure = True
-            samesite = 'Strict'
-
-        if refresh:
-            response.set_cookie(
-                key='refresh_token',
-                value=refresh,
-                httponly=True,
-                secure=secure,
-                samesite=samesite,
-                max_age=7 * 24 * 60 * 60,  # 7 days
-                path='/api/token',
-                domain=request.build_absolute_uri('/')[:-1].replace("http://","").replace("https://","").split(":")[0]
-            )
+        response = GenerateTokenMixin(response=response, refresh=refresh).issue_token(request)
         return response
 
 # views.py
@@ -77,28 +57,72 @@ class ApiLogoutView(APIView):
 
     def post(self, request):
 
-        secure = False
-        samesite = False
-
-        if ENV == "production":
-            secure = True
-            samesite = "Strict"
-
         try:
-            print(request.COOKIES.get("refresh_token"))
             refresh_token = request.COOKIES.get("refresh_token")
             token = RefreshToken(refresh_token)
             token.blacklist()
         except Exception as e:
             return Response({"error": str(e)}, status=400)
 
-        response = Response({"detail": "Logout successful."}, status=200)
-        response.delete_cookie(
-            key='refresh_token',
-            samesite=samesite,
-            path='/api/token',
-            domain=request.build_absolute_uri('/')[:-1].replace("http://", "").replace("https://", "").split(":")[0]
-        )
+        return GenerateTokenMixin().unset_cookie(request)
+
+class ApiSignUpVew(UserPassesTestMixin,APIView):
+
+    permission_classes = [AllowAny]
+
+    def test_func(self):
+        return not self.request.user.is_authenticated
+
+    def post(self, request):
+
+        from izpitnik.accounts.forms import MainUserCreationForm
+
+        data = request.data
+
+        form = MainUserCreationForm(data)
+
+        if form.is_valid():
+            user = form.save()
+            token = CustomTokenObtainPairSerializer.get_token(user)
+            return GenerateTokenMixin(refresh=str(token), access=str(token.access_token)).issue_token(request)
+
+        else:
+            return Response(form.errors, status=400)
+
+class GetUpdateDeleteProfileAPIView(RetrieveUpdateDestroyAPIView):
+    permission_classes = [IsOwnerPermission]
+    lookup_url_kwarg = "user_id"
+    serializer_class = UserProfileSerializer
+
+    def get_queryset(self):
+        from izpitnik.accounts.models import User
+        user_id = self.rectify_kwarg(self.request, self.kwargs).get(self.lookup_url_kwarg)
+        return User.objects.filter(pk=user_id).prefetch_related("profile")
+
+    def get(self, request, *args, **kwargs):
+        kwargs = self.rectify_kwarg(request, kwargs)
+        response = super().get(request,*args, **kwargs)
         return response
 
+    def rectify_kwarg(self, request, kwargs):
+        user_id = kwargs.get(self.lookup_url_kwarg)
+        if user_id == 'my':
+            kwargs[self.lookup_url_kwarg] = str(request.user.pk)
+        return kwargs
+
+
+    @add_or_change_permission_decorator
+    def put(self, request, *args, **kwargs):
+        kwargs = self.rectify_kwarg(request, kwargs)
+        return super().put(request, *args, **kwargs)
+
+    @add_or_change_permission_decorator
+    def patch(self, request, *args, **kwargs):
+        kwargs = self.rectify_kwarg(request, kwargs)
+        return super().patch(request, *args, **kwargs)
+
+    @delete_permission_decorator
+    def delete(self, request, *args, **kwargs):
+        kwargs = self.rectify_kwarg(request, kwargs)
+        return super().delete(request, *args, **kwargs)
 

izpitnik/accounts/mixins.py

@@ -0,0 +1,42 @@
+from rest_framework.response import Response
+from izpitnik.settings import ENV
+
+
+class GenerateTokenMixin():
+
+    def __init__(self, *args, **kwargs):
+        self.response = kwargs.get('response', args[0] if args else None)
+        self.refresh = kwargs.get('refresh', args[1] if len(args) > 1 else None)
+        self.access = kwargs.get('access', args[2] if len(args) > 2 else None)
+        self.secure = True if ENV == "production" else False
+        self.same_site = 'Strict' if ENV == "production" else False
+
+    def issue_token(self, request):
+        response = self.response or Response({"access":self.access},status=201)
+        if self.refresh:
+            response.set_cookie(
+                key='refresh_token',
+                value=self.refresh,
+                httponly=True,
+                secure=self.secure,
+                samesite=self.same_site,
+                max_age=7 * 24 * 60 * 60,  # 7 days
+                path='/api/token',
+                domain=self.build_domain(request)
+            )
+        return response
+
+    def unset_cookie(self, request):
+
+        response = Response({"detail": "Logout successful."}, status=200)
+        response.delete_cookie(
+            key='refresh_token',
+            samesite=self.same_site,
+            path='/api/token',
+            domain=self.build_domain(request)
+        )
+        return response
+
+    @staticmethod
+    def build_domain(request):
+        return request.build_absolute_uri('/')[:-1].replace("http://", "").replace("https://", "").split(":")[0]

izpitnik/accounts/serializers.py

@@ -0,0 +1,46 @@
+from rest_framework import serializers
+from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
+
+from izpitnik.accounts.models import User, Profile
+
+
+class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
+
+    @classmethod
+    def get_token(cls, user):
+        token = super().get_token(user)
+
+        token['is_admin'] = user.is_staff
+        token['roles'] = [role.name for role in user.groups.all()]
+        token['is_superuser'] = user.is_superuser
+
+        return token
+
+class ProfileSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Profile
+        fields = ['description', 'image', 'birth_date']
+
+class UserProfileSerializer(serializers.ModelSerializer):
+
+    profile = ProfileSerializer(required=False)
+
+    class Meta:
+        model = User
+        depth = 1
+        fields = ['id', 'username', 'email', 'first_name', 'last_name', 'date_joined', 'profile']
+
+    def update(self, instance, validated_data):
+        profile_data = validated_data.pop('profile', {})
+        profile = instance.profile
+
+        for attr, value in validated_data.items():
+            setattr(instance, attr, value)
+        instance.save()
+
+        if profile_data is not None:
+            for attr, value in profile_data.items():
+                setattr(profile, attr, value)
+            profile.save()
+
+        return instance

izpitnik/settings.py

@@ -98,6 +98,7 @@
     'SLIDING_TOKEN_LIFETIME': timedelta(days=30),
     'SLIDING_TOKEN_REFRESH_LIFETIME_LATE_USER': timedelta(days=1),
     'SLIDING_TOKEN_LIFETIME_LATE_USER': timedelta(days=30),
+    'UPDATE_LAST_LOGIN': True,
 }
 
 SPECTACULAR_SETTINGS = {

izpitnik/urls.py

@@ -24,14 +24,17 @@
 from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView
 
 from izpitnik import settings
-from izpitnik.accounts.api.views import CustomTokenObtainPairView, CookieTokenRefreshView, ApiLogoutView
+from izpitnik.accounts.api.views import CustomTokenObtainPairView, CookieTokenRefreshView, ApiLogoutView, ApiSignUpVew, \
+    GetUpdateDeleteProfileAPIView
 from izpitnik.articles.api.views import ArtilceAPIView, CreateArticleAPIView, GetUpdateDeleteArticleAPIView
 
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('', include('izpitnik.common.urls')),
     path('api/', include([
         path('token/', CustomTokenObtainPairView.as_view(), name='token_obtain_pair'),
+        path( 'register/', ApiSignUpVew.as_view(), name='api_register'),
+        path( 'profile/<slug:user_id>/', GetUpdateDeleteProfileAPIView.as_view(), name='api_profile'),
         path('token/refresh/', CookieTokenRefreshView.as_view(), name='token_refresh'),
         path('token/logout/', ApiLogoutView.as_view(), name='logout-api'),
         path('articles/', ArtilceAPIView.as_view(), name='articles-api'),