Token based API auth for Data PATCH

SatNOGS/api/perms.py

@@ -0,0 +1,22 @@
+from rest_framework import permissions
+
+
+class SafeMethodsOnlyPermission(permissions.BasePermission):
+    """Anyone can access non-destructive methods (like GET and HEAD)"""
+    def has_permission(self, request, view):
+        return self.has_object_permission(request, view)
+
+    def has_object_permission(self, request, view, obj=None):
+        return request.method in permissions.SAFE_METHODS
+
+
+class StationOwnerCanEditPermission(SafeMethodsOnlyPermission):
+    """Only the owner can push new data"""
+    def has_object_permission(self, request, view, obj=None):
+        if obj is None:
+            can_edit = True
+        else:
+            can_edit = request.user == obj.observation.author
+        return (can_edit or
+                super(StationOwnerCanEditPermission,
+                      self).has_object_permission(request, view, obj))

SatNOGS/api/serializers.py

@@ -48,4 +48,4 @@ class ObservationSerializer(serializers.ModelSerializer):
 class DataSerializer(serializers.ModelSerializer):
     class Meta:
         model = Data
-        fields = ('start', 'end', 'observation', 'ground_station', 'payload')
+        fields = ('id', 'start', 'end', 'observation', 'ground_station', 'payload')

SatNOGS/api/views.py

@@ -1,5 +1,6 @@
-from rest_framework import viewsets
+from rest_framework import viewsets, mixins
 
+from api.perms import StationOwnerCanEditPermission
 from api import serializers
 from base.models import (Antenna, Data, Observation, Satellite, Station,
                          Transponder)
@@ -30,6 +31,10 @@ class ObservationView(viewsets.ModelViewSet):
     serializer_class = serializers.ObservationSerializer
 
 
-class DataView(viewsets.ModelViewSet):
+class DataView(viewsets.ReadOnlyModelViewSet,
+               mixins.UpdateModelMixin):
     queryset = Data.objects.all()
     serializer_class = serializers.DataSerializer
+    permission_classes = [
+        StationOwnerCanEditPermission
+    ]

SatNOGS/templates/rest_framework/api.html

@@ -3,11 +3,7 @@
 {% block title %}SatNOGS Network API{% endblock %}
 
 {% block branding %}
-    <a class='brand' rel="nofollow" href='#'>
-        SatNOGS Network API <span class="version">1.0</span>
-    </a>
-{% endblock %}
-
-{% block footer %}
-	<p>2014 - The SatNOGS devs</p>
+  <a class="navbar-brand" rel="nofollow" href="#">
+    SatNOGS Network API <span class="version"></span>
+  </a>
 {% endblock %}

SatNOGS/users/models.py

@@ -7,9 +7,10 @@ from django.db.models.signals import post_save
 
 
 def gen_token(sender, instance, created, **kwargs):
-    token = Token.objects.get(user=instance)
-    if not token:
-        Token.objects.crete(user=instance)
+    try:
+        Token.objects.get(user=instance)
+    except:
+        Token.objects.create(user=instance)
 
 
 class User(AbstractUser):

SatNOGS/users/views.py

@@ -56,7 +56,10 @@ def view_user(request, username):
     user = User.objects.get(username=username)
     observations = Observation.objects.filter(author=user)[0:10]
     stations = Station.objects.filter(owner=user)
-    token = Token.objects.get(user=user)
+    try:
+        token = Token.objects.get(user=user)
+    except:
+        token = Token.objects.create(user=user)
     form = StationForm()
     if request.method == 'POST':
         form = StationForm(request.POST, request.FILES)

requirements/base.txt

@@ -31,6 +31,6 @@ django-autoslug==1.7.2
 orbit==0.2
 
 # Django REST framework
-djangorestframework
+djangorestframework==3.0.1
 markdown
-django-filter
+django-filter

requirements/local.txt

@@ -4,4 +4,5 @@ Sphinx
 
 # django-debug-toolbar that works with Django 1.5+
 django-debug-toolbar==1.2.1
+sqlparse==0.1.14
 factory_boy