From 23269f47b839ff781ef28b7a191d347f21bff1a8 Mon Sep 17 00:00:00 2001
From: Nikos Roussos
Date: Sat, 13 Dec 2014 19:49:15 +0200
Subject: [PATCH] Token based API auth for Data PATCH
---
 SatNOGS/api/perms.py | 22 ++++++++++++++++++++++
 SatNOGS/api/serializers.py | 2 +-
 SatNOGS/api/views.py | 9 +++++++--
 SatNOGS/templates/rest_framework/api.html | 10 +++-------
 SatNOGS/users/models.py | 7 ++++---
 SatNOGS/users/views.py | 5 ++++-
 requirements/base.txt | 4 ++--
 requirements/local.txt | 1 +
 8 files changed, 44 insertions(+), 16 deletions(-)
 create mode 100644 SatNOGS/api/perms.py
diff --git a/SatNOGS/api/perms.py b/SatNOGS/api/perms.py
new file mode 100644
index 0000000..e7e22b4
--- /dev/null
+++ b/SatNOGS/api/perms.py
@@ -0,0 +1,22 @@
+from rest_framework import permissions
+
+
+class SafeMethodsOnlyPermission(permissions.BasePermission):
+ """Anyone can access non-destructive methods (like GET and HEAD)"""
+ def has_permission(self, request, view):
+ return self.has_object_permission(request, view)
+
+ def has_object_permission(self, request, view, obj=None):
+ return request.method in permissions.SAFE_METHODS
+
+
+class StationOwnerCanEditPermission(SafeMethodsOnlyPermission):
+ """Only the owner can push new data"""
+ def has_object_permission(self, request, view, obj=None):
+ if obj is None:
+ can_edit = True
+ else:
+ can_edit = request.user == obj.observation.author
+ return (can_edit or
+ super(StationOwnerCanEditPermission,
+ self).has_object_permission(request, view, obj))
\ No newline at end of file
diff --git a/SatNOGS/api/serializers.py b/SatNOGS/api/serializers.py
index 853ef9e..1c6761e 100644
--- a/SatNOGS/api/serializers.py
+++ b/SatNOGS/api/serializers.py
@@ -48,4 +48,4 @@ class ObservationSerializer(serializers.ModelSerializer):
 class DataSerializer(serializers.ModelSerializer):
 class Meta:
 model = Data
- fields = ('start', 'end', 'observation', 'ground_station', 'payload')
+ fields = ('id', 'start', 'end', 'observation', 'ground_station', 'payload')
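Review bot: StationOwnerCanEditPermission.has_object_permission compares `request.user == obj.observation.author`, i.e. the observation's author, not the owner of the station that produced the data, although the class name and the docstring "Only the owner can push new data" say owner; Data has a `ground_station` field and Station has an `owner` (both visible elsewhere in this patch), so if station owners are meant to push results the check should presumably be `can_edit = request.user == obj.ground_station.owner` — confirm against the models. Note also that `has_permission` delegates with obj=None, which makes the view-level check grant every method, including PUT/PATCH, to any caller, authenticated or not; enforcement rests entirely on check_object_permissions, so any action that does not go through get_object() is unprotected. A comment on has_permission such as `# view-level check always passes; ownership is enforced per object only` would stop this class being reused on a list or create endpoint by mistake.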
diff --git a/SatNOGS/api/views.py b/SatNOGS/api/views.py
index 9b90737..86b141c 100644
--- a/SatNOGS/api/views.py
+++ b/SatNOGS/api/views.py
@@ -1,5 +1,6 @@
-from rest_framework import viewsets
+from rest_framework import viewsets, mixins
+from api.perms import StationOwnerCanEditPermission
 from api import serializers
 from base.models import (Antenna, Data, Observation, Satellite, Station, Transponder)
@@ -30,6 +31,10 @@ class ObservationView(viewsets.ModelViewSet):
 serializer_class = serializers.ObservationSerializer
-class DataView(viewsets.ModelViewSet):
+class DataView(viewsets.ReadOnlyModelViewSet,
+ mixins.UpdateModelMixin):
 queryset = Data.objects.all()
 serializer_class = serializers.DataSerializer
+ permission_classes = [
+ StationOwnerCanEditPermission
+ ]
diff --git a/SatNOGS/templates/rest_framework/api.html b/SatNOGS/templates/rest_framework/api.html
index 65b44fb..3805a99 100644
--- a/SatNOGS/templates/rest_framework/api.html
+++ b/SatNOGS/templates/rest_framework/api.html
@@ -3,11 +3,7 @@ {% block title %}SatNOGS Network API{% endblock %} {% block branding %} - - SatNOGS Network API 1.0 - -{% endblock %} - -{% block footer %} -
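Review bot: Adding UpdateModelMixin to DataView exposes both PUT and PATCH, and DataSerializer (changed in this same patch) leaves `observation` and `ground_station` writable, so a caller who passes the ownership check on the current object can re-point the Data row at another observation or station; the permission is evaluated by get_object() against the existing row, never against the submitted values. Declare those relations read-only on the serializer, e.g. `read_only_fields = ('observation', 'ground_station')` in DataSerializer.Meta, so an update can only change `start`, `end` and `payload`. If only PATCH is intended, as the commit title suggests, restricting `http_method_names` on the view (or rejecting non-partial updates in `update`) would keep full replacement off the API.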

2014 - The SatNOGS devs

+ + SatNOGS Network API + {% endblock %}
\ No newline at end of file
diff --git a/SatNOGS/users/models.py b/SatNOGS/users/models.py
index cc0b5e1..252b113 100644
--- a/SatNOGS/users/models.py
+++ b/SatNOGS/users/models.py
@@ -7,9 +7,10 @@ from django.db.models.signals import post_save
 def gen_token(sender, instance, created, **kwargs):
- token = Token.objects.get(user=instance)
- if not token:
- Token.objects.crete(user=instance)
+ try:
+ Token.objects.get(user=instance)
+ except:
+ Token.objects.create(user=instance)
 class User(AbstractUser):
diff --git a/SatNOGS/users/views.py b/SatNOGS/users/views.py
index caf00c0..4c58f9d 100644
--- a/SatNOGS/users/views.py
+++ b/SatNOGS/users/views.py
@@ -56,7 +56,10 @@ def view_user(request, username):
 user = User.objects.get(username=username)
 observations = Observation.objects.filter(author=user)[0:10]
 stations = Station.objects.filter(owner=user)
- token = Token.objects.get(user=user)
+ try:
+ token = Token.objects.get(user=user)
+ except:
+ token = Token.objects.create(user=user)
 form = StationForm()
 if request.method == 'POST':
 form = StationForm(request.POST, request.FILES)
diff --git a/requirements/base.txt b/requirements/base.txt
index 98aa294..cce5bba 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -31,6 +31,6 @@ django-autoslug==1.7.2
 orbit==0.2
 # Django REST framework
-djangorestframework
+djangorestframework==3.0.1
 markdown
-django-filter
\ No newline at end of file
+django-filter
diff --git a/requirements/local.txt b/requirements/local.txt
index 6b1f7ba..80a7e22 100644
--- a/requirements/local.txt
+++ b/requirements/local.txt
@@ -4,4 +4,5 @@ Sphinx # django-debug-toolbar that works with Django 1.5+
 django-debug-toolbar==1.2.1
+sqlparse==0.1.14
 factory_boy
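Review bot: The new `except:` in gen_token is bare, so it catches not only Token.DoesNotExist but database errors and KeyboardInterrupt, then masks them by attempting a create that may itself fail; the same pattern is introduced in the users/views.py hunk on this line. Both collapse to one line with the idiomatic call, `Token.objects.get_or_create(user=instance)` here and `token, _ = Token.objects.get_or_create(user=user)` in view_user, which also removes the get-then-create race. gen_token also ignores the `created` argument it receives; a post_save handler normally creates the token only `if created:`, though with get_or_create that becomes merely an optimisation.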
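Review bot: view_user now creates an API token for the profile being viewed (`user`, looked up from the `username` path argument), not for request.user, so any visitor's GET on someone else's profile mints a token for that account as a side effect. Minting a credential for a third party on an unauthenticated read is at least surprising, and if the template renders `token` to every visitor it is a credential disclosure — the template is not in this patch, so confirm what it shows. Creating the token only for the profile owner keeps the rest of the view unchanged: `token = None`, `if request.user == user:`, `    token, _ = Token.objects.get_or_create(user=user)`. The enclosing view_user starts before and continues after this hunk.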