feat: added authorization middleware

Real-Dev-Squad · Sep 15, 2023 · b22b7df · b22b7df
1 parent 837b0c4
commit b22b7df
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 9 deletions.
diff --git a/apps/base/constants.py b/apps/base/constants.py
@@ -0,0 +1,2 @@
+SUPER_USER_ROLE = "super_user"
+MEMBER_ROLE = "member"
diff --git a/apps/base/permissions.py b/apps/base/permissions.py
@@ -1,6 +1,19 @@
 from rest_framework import permissions
+from apps.base.constants import SUPER_USER_ROLE, MEMBER_ROLE
 
 
-class IsSuperUserPermission(permissions.BasePermission):
-    def has_permission(self, request, view):
-        return False
+def AuthorizationPermissions(roles=[]):
+    class AuthorizationPermission:
+        def has_permission(self, request, view):
+            if not request.user.is_authenticated:
+                return False
+
+            user_roles = request.user.roles
+            for role in roles:
+                if user_roles.get(role, False) is False:
+                    return False
+                else:
+                    continue
+            return True
+
+    return AuthorizationPermission
diff --git a/apps/base/tests.py b/apps/base/tests.py
diff --git a/apps/goals/views.py b/apps/goals/views.py
@@ -1,7 +1,10 @@
+from rest_framework.permissions import IsAuthenticated
+
 from apps.base.base_views import ModelBaseViewSet
 from apps.goals.models import Goal
 from apps.goals.serializers import GoalSerializer
-from rest_framework.permissions import IsAuthenticated
+from apps.base.permissions import AuthorizationPermissions
+from apps.base.constants import MEMBER_ROLE
 
 
 class GoalViewSet(ModelBaseViewSet):

diff --git a/apps/user/tests/test_drf_views.py b/apps/user/tests/test_drf_views.py
@@ -4,6 +4,7 @@
 from django.conf import LazySettings
 
 from apps.conftest import get_user_token
+from apps.base.constants import SUPER_USER_ROLE
 
 settings = LazySettings()
 
@@ -61,3 +62,20 @@ def test_get_user(self, client, user_t1):
                      **_response_data["attributes"]}
 
         assert user_data["rds_id"] == user_t1.rds_id
+
+    def test_list_users(self, client, user_t1, user_t2):
+        self.client.credentials(HTTP_AUTHORIZATION=get_user_token(user_t1))
+
+        _response = self.client.get(
+            f"/api/v1/user/",  format="vnd.api+json")
+
+        assert _response.status_code == status.HTTP_403_FORBIDDEN
+
+        # giving a role to authorize
+        user_t1.roles[SUPER_USER_ROLE] = True
+        user_t1.save()
+
+        _response = self.client.get(
+            f"/api/v1/user/",  format="vnd.api+json")
+
+        assert _response.status_code == status.HTTP_200_OK
diff --git a/apps/user/v1/views.py b/apps/user/v1/views.py
@@ -6,7 +6,7 @@
 from apps.user.models import User
 from apps.user.v1.serializer import UserSerializer, CreateUserSerializer
 from apps.user.permission import RestKeyPermission
-from apps.base.permissions import IsSuperUserPermission
+from apps.base.permissions import AuthorizationPermissions, SUPER_USER_ROLE
 
 
 class UserViewSet(ModelBaseViewSet):
@@ -18,7 +18,8 @@ def get_permissions(self):
         if self.action in ["create"]:
             self.permission_classes = [RestKeyPermission]
         elif self.action in ["list"]:
-            self.permission_classes = [IsSuperUserPermission]
+            self.permission_classes = [
+                AuthorizationPermissions([SUPER_USER_ROLE])]
         else:
             self.permission_classes = [IsAuthenticated]
         return [permission() for permission in self.permission_classes]