add apijson head support and example; make the request setting check more strict

zhangchunlin · zhangchunlin · commit 7228135bb0af · 2018-12-29T10:41:49.000+08:00
diff --git a/demo/apps/apijson_demo/settings.ini b/demo/apps/apijson_demo/settings.ini
@@ -6,14 +6,16 @@ moment = 'apijson_demo.models.Moment'
 [APIJSON_MODELS]
 moment = {
     "user_id_field" : "user_id",
-    "GET" : { "roles" : ["OWNER"] },
+    "GET" : { "roles" : ["OWNER","LOGIN"] },
+    "HEAD" : { "roles" : ["OWNER","LOGIN"] },
     "POST" : { "roles" : ["OWNER"] },
     "PUT" : { "roles" : ["OWNER"] },
     "DELETE" : { "roles" : ["OWNER"] },
 }
 comment = {
     "user_id_field" : "user_id",
-    "GET" : { "roles" : ["OWNER"] },
+    "GET" : { "roles" : ["OWNER","LOGIN"] },
+    "HEAD" : { "roles" : ["OWNER","LOGIN"] },
     "POST" : { "roles" : ["OWNER"] },
     "PUT" : { "roles" : ["OWNER"] },
     "DELETE" : { "roles" : ["OWNER"] },
diff --git a/demo/apps/apijson_demo/templates/index.html b/demo/apps/apijson_demo/templates/index.html
@@ -7,6 +7,7 @@
 <div id="app">
     <tabs v-model:value="tab_current" type="card" :animated="false">
         <tab-pane label="apijson get" name="tab_get"></tab-pane>
+        <tab-pane label="apijson head" name="tab_head"></tab-pane>
         <tab-pane label="apijson post" name="tab_post"></tab-pane>
         <tab-pane label="apijson put" name="tab_put"></tab-pane>
         <tab-pane label="apijson delete" name="tab_delete"></tab-pane>
@@ -33,6 +34,20 @@
         </i-col>
     </Row>
 
+    <Row v-if="tab_current==='tab_head'">
+        <i-col span="3"><div align="center">HTTP HEAD URL</div></i-col>
+        <i-col span="8"><i-input value="/apijson/head" readonly/></i-col>
+    </Row>
+    <Row v-if="tab_current==='tab_head'">
+        <i-col span="3"><div align="center"><strong>apijson head</strong> request examples</div></i-col>
+        <i-col span="8">
+            <i-select v-model="request_data">
+                <i-option v-for="item in request_head" :value="item.value" :key="item.value">{ item.label }</i-option>
+            </i-select>
+        </i-col>
+    </Row>
+
+
     <Row v-if="tab_current==='tab_post'">
             <i-col span="3"><div align="center">POST URL</div></i-col>
             <i-col span="8"><i-input value="/apijson/post" readonly/></i-col>
@@ -88,6 +103,7 @@
     delimiters: ['{', '}'],
     data: {
         request_get : {{=request_get_json}},
+        request_head : {{=request_head_json}},
         request_post : {{=request_post_json}},
         request_put : {{=request_put_json}},
         request_delete : {{=request_delete_json}},
@@ -97,6 +113,7 @@
         tab_current : "tab_get",
         tab2url : {
             "tab_get":"{{=url_for('uliweb_apijson.apijson.views.ApiJson.get')}}",
+            "tab_head":"{{=url_for('uliweb_apijson.apijson.views.ApiJson.head')}}",
             "tab_post":"{{=url_for('uliweb_apijson.apijson.views.ApiJson.post')}}",
             "tab_put":"{{=url_for('uliweb_apijson.apijson.views.ApiJson.put')}}",
             "tab_delete":"{{=url_for('uliweb_apijson.apijson.views.ApiJson.delete')}}"
@@ -130,6 +147,9 @@
             if (n=="tab_get") {
                 vm.request_data = vm.request_get[0].value
             }
+            else if (n=="tab_head") {
+                vm.request_data = vm.request_head[0].value
+            }
             else if (n=="tab_post") {
                 vm.request_data = vm.request_post[0].value
             }
diff --git a/demo/apps/apijson_demo/views.py b/demo/apps/apijson_demo/views.py
@@ -8,6 +8,7 @@ def index():
         user_info = "login as user '%s(%s)'"%(request.user.username,request.user)
     else:
         user_info = "not login, you can login with username 'admin/usera/userb/userc', and password '123'"
+
     request_get = [
         {
             "label":"Single record query: no parameter",
@@ -59,6 +60,17 @@ def index():
         },
     ]
 
+    request_head = [
+        {
+            "label":"query number of moments for one user",
+            "value":'''{
+    "moment": {
+        "user_id": 1
+    }
+}''',
+        },
+    ]
+
     request_post = [
         {
             "label":"Add new moment",
@@ -112,6 +124,7 @@ def index():
     return {
         "user_info":user_info,
         "request_get_json":dumps(request_get),
+        "request_head_json":dumps(request_head),
         "request_post_json":dumps(request_post),
         "request_put_json":dumps(request_put),
         "request_delete_json":dumps(request_delete),
diff --git a/uliweb_apijson/apijson/settings.ini b/uliweb_apijson/apijson/settings.ini
@@ -11,6 +11,7 @@ user = {
     "user_id_field" : "id",
     "secret_fields" : ["password"],
     "GET" : { "roles" : ["ADMIN","OWNER"] },
+    "HEAD" : { "roles" : ["ADMIN","OWNER"] },
     "POST" : { "roles" : ["ADMIN","OWNER"] },
     "PUT" : { "roles" : ["ADMIN","OWNER"] },
     "DELETE" : { "roles" : ["ADMIN","OWNER"] },
diff --git a/uliweb_apijson/apijson/views.py b/uliweb_apijson/apijson/views.py
@@ -33,6 +33,7 @@ def get(self):
     def _get_one(self,key):
         modelname = key
         params = self.request_data[key]
+        params_role = params.get("@role")
 
         try:
             model = getattr(models,modelname)
@@ -43,14 +44,12 @@ def _get_one(self,key):
         model_column_set = None
         q = model.all()
 
-        #rbac check begin
         GET = model_setting.get("GET",{})
         if not GET:
-            return json({"code":401,"msg":"'%s' not accessible by apijson"%(modelname)})
+            return json({"code":401,"msg":"'%s' not accessible"%(modelname)})
 
         roles = GET.get("roles")
         perms = GET.get("perms")
-        params_role = params.get("@role")
         permission_check_ok = False
         user_role = None
         if params_role:
@@ -76,7 +75,6 @@ def _get_one(self,key):
 
         if not permission_check_ok:
             return json({"code":401,"msg":"no permission"})
-        #rbac check end
 
         filtered = False
 
@@ -252,6 +250,64 @@ def _filter_owner(self,model,model_setting,q):
                 owner_filtered = True
         return owner_filtered,q
 
+    def head(self):
+        for key in self.request_data:
+            rsp = self._head(key)
+            if rsp: return rsp
+        
+        return json(self.rdict)
+
+    def _head(self,key):
+        modelname = key
+        params = self.request_data[key]
+        params_role = params.get("@role")
+
+        try:
+            model = getattr(models,modelname)
+            model_setting = settings.APIJSON_MODELS.get(modelname,{})
+        except ModelNotFound as e:
+            log.error("try to find model '%s' but not found: '%s'"%(modelname,e))
+            return json({"code":400,"msg":"model '%s' not found"%(modelname)})
+
+        q = model.all()
+
+        HEAD = model_setting.get("HEAD",{})
+        if not HEAD:
+            return json({"code":401,"msg":"'%s' not accessible"%(modelname)})
+        
+        roles = HEAD.get("roles")
+        permission_check_ok = False
+        if not params_role:
+            if request.user:
+                params_role = "LOGIN"
+            else:
+                params_role = "UNKNOWN"
+        if params_role not in roles:
+            return json({"code":401,"msg":"'%s' not accessible by role '%s'"%(modelname,params_role)})
+        if functions.has_role(request.user,params_role):
+            permission_check_ok = True
+        else:
+            return json({"code":401,"msg":"user doesn't have role '%s'"%(params_role)})
+        if params_role=="OWNER":
+            owner_filtered,q = self._filter_owner(model,model_setting,q)
+            if not owner_filtered:
+                return  json({"code":400,"msg":"'%s' cannot filter with owner"%(modelname)})
+        for n in params:
+            if n[0]=="@":
+                pass
+            else:
+                param = params[n]
+                if not hasattr(model.c,n):
+                    return  json({"code":400,"msg":"'%s' don't have field '%s'"%(modelname,n)})
+                q = model.filter(getattr(model.c,n)==param)
+        rdict = {
+            "code":200,
+            "msg":"success",
+            "count":q.count(),
+        }
+
+        self.rdict[key] = rdict
+
     def post(self):
         tag = self.request_data.get("@tag")
         if not tag:
@@ -274,15 +330,17 @@ def _post_one(self,key,tag):
         try:
             model = getattr(models,modelname)
             model_setting = settings.APIJSON_MODELS.get(modelname,{})
-            request_setting_tag = settings.APIJSON_REQUESTS.get(tag,{})
             user_id_field = model_setting.get("user_id_field")
         except ModelNotFound as e:
             log.error("try to find model '%s' but not found: '%s'"%(modelname,e))
             return json({"code":400,"msg":"model '%s' not found"%(modelname)})
 
-        request_setting_model = request_setting_tag.get(modelname,{})
-        request_setting_POST =  request_setting_model.get("POST",{})
-        ADD = request_setting_POST.get("ADD")
+        request_tag = settings.APIJSON_REQUESTS.get(tag,{})
+        request_tag_tag = request_tag.get(tag,{})
+        if not request_tag_tag:
+            return json({"code":400,"msg":"tag '%s' not found"%(tag)})
+        tag_POST =  request_tag_tag.get("POST",{})
+        ADD = tag_POST.get("ADD")
         if ADD:
             ADD_role = ADD.get("@role")
             if ADD_role and not params_role:
@@ -371,16 +429,17 @@ def _put_one(self,key,tag):
         try:
             model = getattr(models,modelname)
             model_setting = settings.APIJSON_MODELS.get(modelname,{})
-            request_setting_tag = settings.APIJSON_REQUESTS.get(tag,{})
             user_id_field = model_setting.get("user_id_field")
         except ModelNotFound as e:
             log.error("try to find model '%s' but not found: '%s'"%(modelname,e))
             return json({"code":400,"msg":"model '%s' not found"%(modelname)})
         
-        request_setting_model = request_setting_tag.get(modelname,{})
-        request_setting_PUT =  request_setting_model.get("PUT",{})
-
-        ADD = request_setting_PUT.get("ADD")
+        request_tag = settings.APIJSON_REQUESTS.get(tag,{})
+        request_tag_tag = request_tag.get(tag,{})
+        if not request_tag_tag:
+            return json({"code":400,"msg":"tag '%s' not found"%(tag)})
+        tag_PUT = request_tag_tag.get("PUT",{})
+        ADD = tag_PUT.get("ADD")
         if ADD:
             ADD_role = ADD.get("@role")
             if ADD_role and not params_role:
@@ -468,16 +527,17 @@ def _delete_one(self,key,tag):
         try:
             model = getattr(models,modelname)
             model_setting = settings.APIJSON_MODELS.get(modelname,{})
-            request_setting_tag = settings.APIJSON_REQUESTS.get(tag,{})
             user_id_field = model_setting.get("user_id_field")
         except ModelNotFound as e:
             log.error("try to find model '%s' but not found: '%s'"%(modelname,e))
             return json({"code":400,"msg":"model '%s' not found"%(modelname)})
         
-        request_setting_model = request_setting_tag.get(modelname,{})
-        request_setting_DELETE =  request_setting_model.get("DELETE",{})
-
-        ADD = request_setting_DELETE.get("ADD")
+        request_tag = settings.APIJSON_REQUESTS.get(tag,{})
+        request_tag_tag = request_tag.get(tag,{})
+        if not request_tag_tag:
+            return json({"code":400,"msg":"tag '%s' not found"%(tag)})
+        tag_DELETE =  request_tag_tag.get("DELETE",{})
+        ADD = tag_DELETE.get("ADD")
         if ADD:
             ADD_role = ADD.get("@role")
             if ADD_role and not params_role:
