Use API Key for accessing telemetry API endpoint

Signed-off-by: Alfredos-Panagiotis Damkalis <fredy@fredy.gr>
2020-01-13 23:10:32 +02:00 · 2020-01-13 23:10:32 +02:00 · 4b721a4488
parent b63487e8c4
commit 4b721a4488
4 changed files with 21 additions and 5 deletions
--- a/db/api/perms.py
+++ b/db/api/perms.py
@ -0,0 +1,16 @@
+"""SatNOGS DB API permissions, django rest framework"""
+from __future__ import absolute_import
+
+from rest_framework import permissions
+
+
+class SafeMethodsWithPermission(permissions.BasePermission):
+    """Access non-destructive methods (like GET and HEAD) with API Key"""
+
+    def has_permission(self, request, view):
+        return self.has_object_permission(request, view)
+
+    def has_object_permission(self, request, view, obj=None):
+        if request.method in permissions.SAFE_METHODS:
+            return request.user.is_authenticated
+        return True
--- a/db/api/tests.py
+++ b/db/api/tests.py
@ -95,9 +95,9 @@ class TelemetryViewApiTest(TestCase):
    def test_list(self):
        """Test the Telemetry API listing"""
        response = self.client.get('/api/telemetry/', format='json')
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_retrieve(self):
        """Test the Telemetry API retrieval"""
        response = self.client.get('/api/telemetry/{0}/'.format(self.datum.id), format='json')
-        self.assertContains(response, self.datum.observer)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
--- a/db/api/views.py
+++ b/db/api/views.py
@ -5,10 +5,10 @@ from __future__ import absolute_import, division, print_function, \
 from django.core.files.base import ContentFile
 from rest_framework import mixins, status, viewsets
 from rest_framework.parsers import FileUploadParser, FormParser
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response

 from db.api import filters, pagination, serializers
+from db.api.perms import SafeMethodsWithPermission
 from db.base.models import DemodData, Mode, Satellite, Transmitter
 from db.base.tasks import update_satellite

@ -42,7 +42,7 @@ class TelemetryView(  # pylint: disable=R0901
    queryset = DemodData.objects.all()
    serializer_class = serializers.TelemetrySerializer
    filter_class = filters.TelemetryViewFilter
-    permission_classes = (AllowAny, )
+    permission_classes = [SafeMethodsWithPermission]
    parser_classes = (FormParser, FileUploadParser)
    pagination_class = pagination.LinkedHeaderPageNumberPagination

--- a/db/templates/base.html
+++ b/db/templates/base.html
@ -56,7 +56,7 @@
                   <span class="caret"></span>
                </a>
                <ul class="dropdown-menu" role="menu">
-                  <li><a href="{% url 'users_edit' %}">Settings</a></li>
+                  <li><a href="{% url 'users_edit' %}">Settings/API Key</a></li>
                  {{ logout_block }}
                </ul>
              </li>