From 214174452001b43a130a5593ee36b8476a6fd1d6 Mon Sep 17 00:00:00 2001 From: Ma1one <1348869642@qq.com> Date: Mon, 12 Sep 2022 23:22:57 +0800 Subject: [PATCH 1/2] fix(notice, setting) fix notice system permission && move redis config to config.yaml --- .gitignore | 1 - backend/permissions.py | 17 +++++++++++++++++ backend/settings.py | 15 ++------------- config.yaml | 17 +++++++++++++++++ notice/permission.py | 30 ------------------------------ notice/views.py | 42 ++++++++++++++++++++++++++++-------------- 6 files changed, 64 insertions(+), 58 deletions(-) create mode 100644 config.yaml diff --git a/.gitignore b/.gitignore index a672a67..068d2f4 100644 --- a/.gitignore +++ b/.gitignore @@ -20,4 +20,3 @@ media/** Dockerfile.development docker-compose.yml .cloudbase/** -/config.yaml diff --git a/backend/permissions.py b/backend/permissions.py index 722b775..3b4ef56 100644 --- a/backend/permissions.py +++ b/backend/permissions.py @@ -13,6 +13,7 @@ class PerformActionPermission(BasePermission): Assume we have already granted permission from `IsManualAuthenticatedOrReadOnly` or `IsAuthenticatedOrReadOnly` """ + def is_author(self, request, view, detail=None): pass @@ -88,3 +89,19 @@ class IsManualAuthenticatedOrReadOnly(BasePermission): return obj.id == user.id return user.id == obj.author_id + + +class IsStaffAuthenticated(BasePermission): + @pass_safe_method + def has_permission(self, request, view): + if request.user.is_staff: + return True + else: + return False + + @pass_safe_method + def has_object_permission(self, request, view, obj): + if request.user.is_staff: + return True + else: + return False diff --git a/backend/settings.py b/backend/settings.py index 0270276..43073bf 100644 --- a/backend/settings.py +++ b/backend/settings.py 
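Review bot: IsStaffAuthenticated in the second backend/permissions.py hunk writes each check as an if/else that returns the flag's own value; both bodies collapse to `return bool(request.user.is_staff)`, and the class carries no docstring saying what it gates. Both methods are wrapped in `@pass_safe_method`, which, judging by its name, lets GET/HEAD/OPTIONS through before the staff test runs, so the class is not a general staff-only gate; if that is intended, a docstring such as `"""Staff-only for unsafe methods; safe methods pass through via pass_safe_method."""` makes it explicit, and if not, the decorator should be dropped. The only consumer in this series is a CreateAPIView (NotificationForAllViewSet), where just POST is exercised, so the difference does not show up here but will the moment the class is reused on a read endpoint.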
@@ -27,7 +27,7 @@ BASE_DIR = Path(__file__).resolve().parent.parent SECRET_KEY = 'django-insecure-50d+9^(=z&^agv7zbbucn1^j67$$48v#ll@1_%k@5eow$gtki^' # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = False +DEBUG = True ALLOWED_HOSTS = ['*'] @@ -130,18 +130,7 @@ f.close() DATABASES = config['DATABASES'] # Cache -CACHES = { - 'default': { - 'BACKEND': "django_redis.cache.RedisCache", - 'LOCATION': "redis://127.0.0.1:6379", - 'OPTIONS': { - 'CLIENT_CLASS': 'django_redis.client.DefaultClient', - 'CONNECTION_POOL_KWARGS': { - 'max_connections': 20 - } - } - } -} +CACHES = config['caches'] # Neo4j Qy3fbDPjv_bcp-CjVH6HW7d6vjC8YOmVYOU8LpbCfmE neo4j+s://f954cb26.databases.neo4j.io # username neo4j password neo4j NEO4J_BOLT_URL = 'bolt://neo4j:neo4j@localhost:7687' diff --git a/config.yaml b/config.yaml new file mode 100644 index 0000000..4f18d2b --- /dev/null +++ b/config.yaml @@ -0,0 +1,17 @@ +# mysql setting +DATABASES: + default: + ENGINE: django.db.backends.mysql + NAME: local_qiusuo + USER: root + PASSWORD: !!str 123 + HOST: 127.0.0.1 + PORT: !!str 3306 +caches: + default: + BACKEND: django_redis.cache.RedisCache + LOCATION: redis://127.0.0.1:6379 + OPTIONS: + CLIENT_CLASS: django_redis.client.DefaultClient + CONNECTION_POOL_KWARGS: + max_connections: 20 diff --git a/notice/permission.py b/notice/permission.py index 2482ff9..e69de29 100644 --- a/notice/permission.py +++ b/notice/permission.py 
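Review bot: The `-DEBUG = False` / `+DEBUG = True` flip in the first backend/settings.py hunk is reverted by PATCH 2/2 of this same series, so as submitted the branch history contains a commit that ships debug mode next to the `ALLOWED_HOSTS = ['*']` visible in the same context. Squashing the two patches, or dropping this hunk, keeps that state out of the history; the subject line never mentions debug, which suggests a local leftover rather than an intended change. Visible in the hunk's context but not part of the change: the hardcoded `SECRET_KEY = 'django-insecure-...'` is a natural candidate for the same move into a config file kept outside version control.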
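Review bot: `CACHES = config['caches']` in the second backend/settings.py hunk reads a lower-case key while the line just above reads `config['DATABASES']`, and the new config.yaml mirrors that split (`DATABASES:` vs `caches:`); one casing for top-level keys, e.g. `CACHES = config['CACHES']` with the YAML key renamed to match, avoids two conventions in the same file. A missing key fails with a bare KeyError at import time, which is acceptable for settings but deserves a one-line comment above the lookup, e.g. `# config.yaml must define DATABASES and caches; loaded from the path above`. The context line after the change also carries what looks like a Neo4j Aura credential inside a comment; now that connection settings live in config.yaml, that value belongs there rather than in settings.py, and if it is live it should be rotated since it is already in history.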
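Review bot: The new config.yaml commits database credentials (`USER: root`, `PASSWORD: !!str 123`), and the .gitignore hunk in the same patch removes the `/config.yaml` entry that kept the file out of the repository, so from this commit on every checkout carries the live settings file. The usual split is a tracked `config.example.yaml` holding placeholder values next to an ignored `config.yaml` (keep the `/config.yaml` line in .gitignore), with anything secret read from the environment at load time. If the values here are more than local placeholders they should be rotated, because removing the file in a later commit does not remove it from history.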
@@ -1,30 +0,0 @@ -from backend.decoraters import pass_safe_method -from backend.permissions import PerformActionPermission - - -class GlobalNoitcePermission(PerformActionPermission): - @pass_safe_method - def has_object_permission(self, request, view, obj): - if request.user.is_superuser: - return True - return False - - @pass_safe_method - def has_permission(self, request, view): - if request.user.is_superuser: - return True - return False - - -class NoticePermission(PerformActionPermission): - @pass_safe_method - def has_object_permission(self, request, view, obj): - if request.user.id == object.recipient_id: - return True - return False - - @pass_safe_method - def has_permission(self, request, view): - if request.user.id == object.recipient_id: - return True - return False diff --git a/notice/views.py b/notice/views.py index 5a8d68d..5362778 100644 --- a/notice/views.py +++ b/notice/views.py @@ -1,3 +1,5 @@ +import logging + from notifications.models import Notification from rest_framework import viewsets, status from rest_framework.generics import CreateAPIView @@ -5,14 +7,14 @@ from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response from rest_framework.views import APIView from rest_framework.viewsets import ViewSet - -from notice.permission import GlobalNoitcePermission, NoticePermission +from django.core.exceptions import ObjectDoesNotExist +from backend.permissions import IsStaffAuthenticated from notice.serializers import NotificationSerializer, SendToAllUserSerializer class UnreadNotificationsList(ViewSet): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def list(self, request, *args, **kwargs): queryset = Notification.objects.filter(recipient_id=request.user.id, unread=True) 
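Review bot: The first notice/views.py hunk adds `import logging`, but none of the hunks in this patch use it and no `logger = logging.getLogger(__name__)` is introduced; either the module-level logger is missing or the import is a leftover and can go. If logging is intended for the new 404/403 branches further down, the logger line belongs right after the imports so each view can record the rejected id at debug level.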
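Review bot: The second notice/views.py hunk places `from django.core.exceptions import ObjectDoesNotExist` after the rest_framework imports and removes the blank line that separated third-party imports from the project's `backend`/`notice` imports, so the file no longer follows the stdlib / third-party / local grouping it had. Moving the Django line above the rest_framework block and restoring the blank line before `from backend.permissions import IsStaffAuthenticated` keeps the grouping; alternatively the views can catch `Notification.DoesNotExist`, which removes the need for the new import altogether. Switching UnreadNotificationsList to `IsAuthenticated` is fine on its own, since its queryset is already filtered by `recipient_id=request.user.id`.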
@@ -21,7 +23,7 @@ class UnreadNotificationsList(ViewSet): class MarkAllAsRead(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def get(self, request, *args, **kwargs): queryset = Notification.objects.filter(recipient_id=request.user.id, unread=True) @@ -31,11 +33,16 @@ class MarkAllAsRead(APIView): class MarkAsRead(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def get(self, request, *args, **kwargs): notification_id = kwargs.get('notification_id') - notification_obj = Notification.objects.get(id=notification_id) + try: + notification_obj = Notification.objects.get(id=notification_id) + except ObjectDoesNotExist: + return Response(status=status.HTTP_404_NOT_FOUND) + if notification_obj.recipient_id != request.user.id: + return Response(status=status.HTTP_403_FORBIDDEN) notification_obj.unread = False notification_obj.save() return Response(status=status.HTTP_200_OK) @@ -43,10 +50,14 @@ class MarkAsRead(APIView): class MarkAsUnread(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] + def get(self, request, *args, **kwargs): notification_id = kwargs.get('notification_id') - notification_obj = Notification.objects.get(id=notification_id) + try: + notification_obj = Notification.objects.get(id=notification_id) + except ObjectDoesNotExist: + return Response(status=status.HTTP_404_NOT_FOUND) notification_obj.unread = True notification_obj.save() return Response(status=status.HTTP_200_OK) 
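Review bot: In the MarkAsRead hunk the object is fetched by id alone and ownership is tested afterwards, so the two added branches answer 404 for an unknown id and 403 for another user's id; that difference lets any signed-in user confirm which notification ids exist. Folding the owner into the query, `notification_obj = Notification.objects.get(id=notification_id, recipient_id=request.user.id)`, makes both cases a 404 and removes the separate `recipient_id` comparison. `except ObjectDoesNotExist` can also be narrowed to `except Notification.DoesNotExist`, which is the model-specific subclass and avoids the new django.core.exceptions import.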
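Review bot: MarkAsUnread now fetches the notification by id and handles only the missing case; unlike the MarkAsRead hunk above it never compares `notification_obj.recipient_id` with `request.user.id`, and with the permission class changed from the per-recipient NoticePermission to `IsAuthenticated`, any signed-in user can flip any other user's notification. The Delete hunk that follows has the same gap, and deleting another user's notification is the more damaging of the two. Constraining the lookup to the caller, `Notification.objects.get(id=notification_id, recipient_id=request.user.id)`, closes both with a one-line change each; the removed NoticePermission compared against the builtin `object` rather than the obj argument, which is presumably why the per-object check was dropped instead of fixed, but the ownership test still has to live somewhere.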
@@ -54,18 +65,21 @@ class MarkAsUnread(APIView): class Delete(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def delete(self, request, *args, **kwargs): notification_id = kwargs.get('notification_id') - notification_obj = Notification.objects.get(id=notification_id) + try: + notification_obj = Notification.objects.get(id=notification_id) + except ObjectDoesNotExist: + return Response(status=status.HTTP_404_NOT_FOUND) notification_obj.delete() return Response(status=status.HTTP_200_OK) class AddNotification(CreateAPIView): serializer_class = NotificationSerializer - permission_classes = [IsAuthenticated, ] + permission_classes = [IsAuthenticated] def create(self, request, *args, **kwargs): response = super(AddNotification, self).create(request, *args, **kwargs) @@ -83,7 +97,7 @@ class AllNotification(ViewSet): class UnreadNotificationCount(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def get(self, request, *args, **kwargs): queryset = Notification.objects.filter(recipient_id=request.user.id, unread=True) @@ -96,7 +110,7 @@ class UnreadNotificationCount(APIView): class AllNotificationCount(APIView): serializer_class = NotificationSerializer - permission_classes = [NoticePermission] + permission_classes = [IsAuthenticated] def get(self, request, *args, **kwargs): queryset = Notification.objects.filter(recipient_id=request.user.id) @@ -114,7 +128,7 @@ class NotificationViewSet(viewsets.ModelViewSet): class NotificationForAllViewSet(CreateAPIView): serializer_class = SendToAllUserSerializer - permission_classes = [GlobalNoitcePermission] + permission_classes = [IsStaffAuthenticated] def create(self, request, *args, **kwargs): super(NotificationForAllViewSet, self).create(request, *args, **kwargs) -- Gitee From 6fefe655c050b78231c750325171484eede6b805 Mon Sep 17 00:00:00 2001 
From: Ma1one <1348869642@qq.com> Date: Mon, 12 Sep 2022 23:27:26 +0800 Subject: [PATCH 2/2] fix(notice, setting) fix notice system permission && move redis config to config.yaml --- backend/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/settings.py b/backend/settings.py index 43073bf..4ba518e 100644 --- a/backend/settings.py +++ b/backend/settings.py @@ -27,7 +27,7 @@ BASE_DIR = Path(__file__).resolve().parent.parent SECRET_KEY = 'django-insecure-50d+9^(=z&^agv7zbbucn1^j67$$48v#ll@1_%k@5eow$gtki^' # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = False ALLOWED_HOSTS = ['*'] -- Gitee