From 4b721a44885935fab9e7baf0c3b22c63195b9188 Mon Sep 17 00:00:00 2001
From: Alfredos-Panagiotis Damkalis
Date: Mon, 13 Jan 2020 23:10:32 +0200
Subject: [PATCH] Use API Key for accessing telemetry API endpoint

Signed-off-by: Alfredos-Panagiotis Damkalis
---
 db/api/perms.py        | 16 ++++++++++++++++
 db/api/tests.py        |  4 ++--
 db/api/views.py        |  4 ++--
 db/templates/base.html |  2 +-
 4 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 db/api/perms.py

diff --git a/db/api/perms.py b/db/api/perms.py
new file mode 100644
index 0000000..4a6f4d4
--- /dev/null
+++ b/db/api/perms.py
@@ -0,0 +1,16 @@
+"""SatNOGS DB API permissions, django rest framework"""
+from __future__ import absolute_import
+
+from rest_framework import permissions
+
+
+class SafeMethodsWithPermission(permissions.BasePermission):
+    """Access non-destructive methods (like GET and HEAD) with API Key"""
+
+    def has_permission(self, request, view):
+        return self.has_object_permission(request, view)
+
+    def has_object_permission(self, request, view, obj=None):
+        if request.method in permissions.SAFE_METHODS:
+            return request.user.is_authenticated
+        return True
diff --git a/db/api/tests.py b/db/api/tests.py
index ed1be26..e7ba3e1 100644
--- a/db/api/tests.py
+++ b/db/api/tests.py
@@ -95,9 +95,9 @@ class TelemetryViewApiTest(TestCase):
     def test_list(self):
         """Test the Telemetry API listing"""
         response = self.client.get('/api/telemetry/', format='json')
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 
     def test_retrieve(self):
         """Test the Telemetry API retrieval"""
         response = self.client.get('/api/telemetry/{0}/'.format(self.datum.id), format='json')
-        self.assertContains(response, self.datum.observer)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
diff --git a/db/api/views.py b/db/api/views.py
index 8d0af39..3f1b2c6 100644
--- a/db/api/views.py
+++ b/db/api/views.py
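Review bot: `has_object_permission` returns True unconditionally for every non-safe method, so the new class authenticates reads but waves anonymous callers through for POST, PUT, PATCH and DELETE; whether that is acceptable depends entirely on which mixins `TelemetryView` composes, and that class's base list is outside this patch. If only anonymous telemetry submission is intended, saying so in code is cheaper than relying on the view: `return request.method == 'POST'` in place of `return True`, with a comment such as `# Reads require a credential; creation is deliberately open for station uploads`. The docstring says "with API Key" but the check is `request.user.is_authenticated`, which any configured authentication class (session login included) satisfies, so the docstring overstates what is enforced. The attribute is read, not called, which is correct only where `is_authenticated` is a property (Django 1.10+); the test's expected 401 implies that version but the patch does not pin it.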
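Review bot: Both tests now only cover the anonymous 401 path; nothing exercises the behaviour the commit adds, an authenticated GET succeeding, nor the anonymous POST that the new permission class still allows. Add a case that authenticates (for example `self.client.force_login(user)` with a user the fixture creates) and asserts `status.HTTP_200_OK` plus `self.assertContains(response, self.datum.observer)`, which the deleted assertion used to cover. The 401 expectation also assumes the first configured authentication class supplies a `WWW-Authenticate` header (DRF otherwise answers 403), so the test is coupled to `DEFAULT_AUTHENTICATION_CLASSES` in settings not shown here. `test_retrieve`'s docstring still says it tests retrieval; `"""Test that anonymous Telemetry API retrieval is rejected"""` would match what it asserts now.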
@@ -5,10 +5,10 @@ from __future__ import absolute_import, division, print_function, \
 
 from django.core.files.base import ContentFile
 from rest_framework import mixins, status, viewsets
 from rest_framework.parsers import FileUploadParser, FormParser
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
 from db.api import filters, pagination, serializers
+from db.api.perms import SafeMethodsWithPermission
 from db.base.models import DemodData, Mode, Satellite, Transmitter
 from db.base.tasks import update_satellite
@@ -42,7 +42,7 @@ class TelemetryView( # pylint: disable=R0901
     queryset = DemodData.objects.all()
     serializer_class = serializers.TelemetrySerializer
     filter_class = filters.TelemetryViewFilter
-    permission_classes = (AllowAny, )
+    permission_classes = [SafeMethodsWithPermission]
     parser_classes = (FormParser, FileUploadParser)
     pagination_class = pagination.LinkedHeaderPageNumberPagination
diff --git a/db/templates/base.html b/db/templates/base.html
index 5bb5477..c70a84e 100644
--- a/db/templates/base.html
+++ b/db/templates/base.html
@@ -56,7 +56,7 @@
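Review bot: `permission_classes = [SafeMethodsWithPermission]` switches to a list while the neighbouring `parser_classes` line keeps the tuple form the removed `(AllowAny, )` used; `permission_classes = (SafeMethodsWithPermission, )` keeps the attribute block uniform. No `authentication_classes` is set on the view, so the "API Key" in the commit title rests on `DEFAULT_AUTHENTICATION_CLASSES` including a token authenticator — a one-line comment above the attribute naming that dependency, e.g. `# Reads are gated on the default token/session authenticators; see SafeMethodsWithPermission`, would save the next reader a trip to settings. The class header `class TelemetryView(` continues outside the hunk, so the mixins that decide which unsafe methods the permission's unconditional `return True` path exposes cannot be checked here.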