freemindcore
diff --git a/‎.dcignore‎
Lines changed: 0 additions & 1547 deletions b/‎.dcignore‎
Lines changed: 0 additions & 1547 deletions
diff --git a/‎.dockerignore‎
Lines changed: 0 additions & 10 deletions b/‎.dockerignore‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎.editorconfig‎
Lines changed: 0 additions & 27 deletions b/‎.editorconfig‎
Lines changed: 0 additions & 27 deletions
diff --git a/‎.gitattributes‎
Lines changed: 0 additions & 1 deletion b/‎.gitattributes‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎easy/controller/admin_auto_api.py‎
Lines changed: 10 additions & 5 deletions b/‎easy/controller/admin_auto_api.py‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎easy/permissions/adminsite.py‎
Lines changed: 23 additions & 62 deletions b/‎easy/permissions/adminsite.py‎
Lines changed: 23 additions & 62 deletions
diff --git a/‎tests/conftest.py‎
Lines changed: 16 additions & 0 deletions b/‎tests/conftest.py‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎tests/test_async_api_permissions.py‎
Lines changed: 26 additions & 2 deletions b/‎tests/test_async_api_permissions.py‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎tests/test_async_auto_crud_apis.py‎
Lines changed: 4 additions & 0 deletions b/‎tests/test_async_auto_crud_apis.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎tests/test_auto_api_creation.py‎
Lines changed: 7 additions & 4 deletions b/‎tests/test_auto_api_creation.py‎
Lines changed: 7 additions & 4 deletions
@@ -7,10 +7,15 @@
 
 from easy.controller.base import CrudAPIController
 from easy.controller.meta_conf import (
+    GENERATE_CRUD_ATTR,
     GENERATE_CRUD_ATTR_DEFAULT,
+    MODEL_FIELDS_ATTR,
     MODEL_FIELDS_ATTR_DEFAULT,
+    MODEL_JOIN_ATTR,
     MODEL_JOIN_ATTR_DEFAULT,
+    MODEL_RECURSIVE_ATTR,
     MODEL_RECURSIVE_ATTR_DEFAULT,
+    SENSITIVE_FIELDS_ATTR,
     SENSITIVE_FIELDS_ATTR_DEFAULT,
 )
 from easy.permissions import AdminSitePermission, BaseApiPermission
@@ -31,11 +36,11 @@ def create_api_controller(
         (object,),
         {
             "model": model,
-            "generate_crud": GENERATE_CRUD_ATTR_DEFAULT,
-            "model_fields": MODEL_FIELDS_ATTR_DEFAULT,
-            "model_recursive": MODEL_RECURSIVE_ATTR_DEFAULT,
-            "model_join": MODEL_JOIN_ATTR_DEFAULT,
-            "sensitive_fields": SENSITIVE_FIELDS_ATTR_DEFAULT,
+            GENERATE_CRUD_ATTR: GENERATE_CRUD_ATTR_DEFAULT,
+            MODEL_FIELDS_ATTR: MODEL_FIELDS_ATTR_DEFAULT,
+            MODEL_RECURSIVE_ATTR: MODEL_RECURSIVE_ATTR_DEFAULT,
+            MODEL_JOIN_ATTR: MODEL_JOIN_ATTR_DEFAULT,
+            SENSITIVE_FIELDS_ATTR: SENSITIVE_FIELDS_ATTR_DEFAULT,
         },
     )
 
 
@@ -1,5 +1,6 @@
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, cast
 
+from django.db import models
 from django.http import HttpRequest
 from ninja_extra.permissions import IsAdminUser
 
@@ -19,64 +20,24 @@ def has_permission(
         Return `True` if permission is granted, `False` otherwise.
         """
         user = request.user or request.auth  # type: ignore
-        has_perm: bool = True
-        if request.method == "DELETE":
-            has_perm = bool(user.is_superuser)  # type: ignore
-        if request.method in ("PUT", "PATCH", "POST"):
-            has_perm = bool(user.is_staff or user.is_superuser)  # type: ignore
-        return has_perm and super().has_permission(request, controller)
-
-
-#
-# class AdminSitePermissionV2(AdminSitePermission):
-#     def has_permission(
-#         self, request: HttpRequest, controller: "ControllerBase"
-#     ) -> bool:
-#         """
-#         Return `True` if permission is granted, `False` otherwise.
-#         """
-#         user = request.user
-#         has_perm = True
-#         if hasattr(controller, "model"):
-#             model = controller.model
-#             app = model._meta.app_label
-#             has_perm = user.has_perm(f"{app}.view_{model.__name__}")
-#             if request.method in ("PUT",):
-#                 has_perm = user.has_perm(f"{app}.add_{model.__name__}")
-#             if request.method in ("PATCH", "POST"):
-#                 has_perm = user.has_perm(f"{app}.change_{model.__name__}")
-#             if request.method in ("DELETE",):
-#                 has_perm = user.has_perm(f"{app}.delete_{model.__name__}")
-#         if user.is_superuser:
-#             has_perm = True
-#         return bool(user and user.is_authenticated and user.is_active and has_perm)
-#
-#     async def has_permission(
-#         self, request: HttpRequest, controller: "ControllerBase"
-#     ) -> bool:
-#         """
-#         Return `True` if permission is granted, `False` otherwise.
-#         """
-#         user = request.user
-#         has_perm = False
-#         if hasattr(controller, "model"):
-#             model = controller.model
-#             app = model._meta.app_label
-#             has_perm = await sync_to_async(user.has_perm)(
-#                 f"{app}.view_{model.__name__}"
-#             )
-#             if request.method in ("PUT",):
-#                 has_perm = await sync_to_async(user.has_perm)(
-#                     f"{app}.add_{model.__name__}"
-#                 )
-#             if request.method in ("PATCH", "POST"):
-#                 has_perm = await sync_to_async(user.has_perm)(
-#                     f"{app}.change_{model.__name__}"
-#                 )
-#             if request.method in ("DELETE",):
-#                 has_perm = await sync_to_async(user.has_perm)(
-#                     f"{app}.delete_{model.__name__}"
-#                 )
-#         if user.is_superuser:
-#             has_perm = True
-#         return bool(user and user.is_authenticated and user.is_active and has_perm)
+        has_perm: bool = False
+        model: models.Model = cast(models.Model, getattr(controller, "model", None))
+        if model:
+            app: str = model._meta.app_label
+            if request.method in ("GET", "OPTIONS"):
+                has_perm = user.has_perm(f"{app}.view{model.__name__}")  # type: ignore
+            elif request.method in ("PUT", "POST"):
+                has_perm = user.has_perm(f"{app}.add_{model.__name__}")  # type: ignore
+            elif request.method in ("PUT", "PATCH", "POST"):
+                has_perm = user.has_perm(f"{app}.change_{model.__name__}")  # type: ignore
+            elif request.method in ("DELETE",):
+                has_perm = user.has_perm(f"{app}.delete_{model.__name__}")  # type: ignore
+        if user.is_superuser:  # type: ignore
+            has_perm = True
+        return bool(
+            user
+            and user.is_authenticated
+            and user.is_active
+            and has_perm
+            and super().has_permission(request, controller)
+        )
@@ -26,6 +26,14 @@ def user(db) -> User:
 def easy_api_client(user) -> EasyTestClient:
     orig_func = copy.deepcopy(JWTAuthAsync.__call__)
 
+    orig_has_perm_fuc = copy.deepcopy(user.has_perm)
+
+    def mock_has_perm_true(*args, **kwargs):
+        return True
+
+    def mock_has_perm_false(*args, **kwargs):
+        return False
+
     async def mock_func(self, request):
         setattr(request, "user", user)
         return True
@@ -36,11 +44,19 @@ def create_client(
         api: CrudAPIController,
         is_staff: bool = False,
         is_superuser: bool = False,
+        has_perm: bool = False,
     ):
         setattr(user, "is_staff", is_staff)
         setattr(user, "is_superuser", is_superuser)
+        if is_superuser:
+            setattr(user, "is_staff", True)
+        if has_perm:
+            setattr(user, "has_perm", mock_has_perm_true)
+        else:
+            setattr(user, "has_perm", mock_has_perm_false)
         client = EasyTestClient(api, auth=jwt_auth_async)
         return client
 
     yield create_client
     setattr(JWTAuthAsync, "__call__", orig_func)
+    setattr(user, "has_perm", orig_has_perm_fuc)
@@ -9,7 +9,7 @@
     AutoGenCrudAPIController,
     PermissionAPIController,
 )
-from .easy_app.models import Client, Event
+from .easy_app.models import Client, Event, Type
 from .test_async_other_apis import dummy_data
 
 
@@ -98,11 +98,15 @@ async def test_perm_admin_site(self, transactional_db, easy_api_client):
         }
 
         # Staff users
-        client = easy_api_client(PermissionAPIController, is_staff=True)
+        client = easy_api_client(PermissionAPIController, is_staff=True, has_perm=True)
         response = await client.get("/test_perm_admin_site/", query=dict(word="staff"))
         assert response.status_code == 200
         assert response.json()["data"]["says"] == "staff"
 
+
+@pytest.mark.skipif(django.VERSION < (3, 1), reason="requires django 3.1 or higher")
+@pytest.mark.django_db
+class TestAdminSitePermissionController:
     async def test_perm_auto_apis_delete(self, transactional_db, easy_api_client):
         client = easy_api_client(AdminSitePermissionAPIController)
         # Test delete
@@ -201,3 +205,23 @@ async def test_perm_auto_apis_patch(self, transactional_db, easy_api_client):
         assert response.json().get("data")["end_date"] == str(
             (datetime.now() + timedelta(days=20)).date()
         )
+
+    async def test_perm_auto_apis_add(self, transactional_db, easy_api_client):
+        client = easy_api_client(AdminSitePermissionAPIController)
+        type = await sync_to_async(Type.objects.create)(name="TypeForCreating")
+
+        object_data = dummy_data.copy()
+        object_data.update(title=f"{object_data['title']}_create")
+        object_data.update(type_id=type.id)
+
+        response = await client.put(
+            "/", json=object_data, content_type="application/json"
+        )
+        assert response.status_code == 403
+
+        client = easy_api_client(AdminSitePermissionAPIController, is_superuser=True)
+
+        response = await client.put(
+            "/", json=object_data, content_type="application/json"
+        )
+        assert response.status_code == 200
@@ -151,6 +151,10 @@ async def test_crud_default_get_delete(self, transactional_db, easy_api_client):
         assert response.status_code == 200
         assert response.json().get("code") == 404
 
+        response = await client.delete("/20000")
+        assert response.status_code == 200
+        assert response.json().get("data") == "Not Found."
+
     async def test_crud_default_create(self, transactional_db, easy_api_client):
         client = easy_api_client(AutoGenCrudAPIController)
 
 
@@ -36,14 +36,17 @@ async def test_auto_apis(transactional_db, easy_api_client):
     for controller_class in controllers:
         if not str(controller_class).endswith("ClientAdminAPIController"):
             continue
+
         client = easy_api_client(controller_class)
         response = await client.get("/")
-        assert response.status_code == 200
-        assert response.json()["data"] == []
+        # TODO: figure out why user.is_authenticated is False in auto created API
+
+        assert response.status_code == 403
+        # assert response.json()["data"] == []
 
         response = await client.delete("/20000")
-        assert response.status_code == 200
-        assert response.json()["code"] == 404
+        assert response.status_code == 403
+        # assert response.json()["code"] == 404
 
 
 async def test_auto_generation_settings(settings):