~azzar1/unity/add-show-desktop-key : contents of ivle/webapp/base/rest.py at revision 1235

~azzar1/unity/add-show-desktop-key : (revision 1235)

# IVLE - Informatics Virtual Learning Environment
# Copyright (C) 2007-2009 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

# Author: Matt Giuca, Will Grant

import cgi
import urlparse
import inspect

import cjson

from ivle.webapp.base.views import BaseView
from ivle.webapp.errors import BadRequest, MethodNotAllowed, Unauthorized

class RESTView(BaseView):
    """
    A view which provides a RESTful interface. The content type is
    unspecified (see JSONRESTView for a specific content type).
    """
    content_type = "application/octet-stream"

    def __init__(self, req, *args, **kwargs):
        for key in kwargs:
            setattr(self, key, kwargs[key])

    def render(self, req):
        raise NotImplementedError()

class JSONRESTView(RESTView):
    """
    A special case of RESTView which deals entirely in JSON.
    """
    content_type = "application/json"

    _allowed_methods = property(
        lambda self: [m for m in ('GET', 'PUT', 'PATCH')
                      if hasattr(self, m)] + ['POST'])

    def authorize(self, req):
        return True # Real authz performed in render().

    def authorize_method(self, req, op):
        if not hasattr(op, '_rest_api_permission'):
            raise Unauthorized()

        if op._rest_api_permission not in self.get_permissions(req.user):
            raise Unauthorized()
    
    def convert_bool(self, value):
        if value in ('True', 'true', True):
            return True
        elif value in ('False', 'false', False):
            return False
        else:
            raise BadRequest()

    def render(self, req):
        if req.method not in self._allowed_methods:
            raise MethodNotAllowed(allowed=self._allowed_methods)

        if req.method == 'GET':
            self.authorize_method(req, self.GET)
            outjson = self.GET(req)
        # Since PATCH isn't yet an official HTTP method, we allow users to
        # turn a PUT into a PATCH by supplying a special header.
        elif req.method == 'PATCH' or (req.method == 'PUT' and
              'X-IVLE-Patch-Semantics' in req.headers_in and
              req.headers_in['X-IVLE-Patch-Semantics'].lower() == 'yes'):
            self.authorize_method(req, self.PATCH)
            try:
                input = cjson.decode(req.read())
            except cjson.DecodeError:
                raise BadRequest('Invalid JSON data')
            outjson = self.PATCH(req, input)
        elif req.method == 'PUT':
            self.authorize_method(req, self.PUT)
            try:
                input = cjson.decode(req.read())
            except cjson.DecodeError:
                raise BadRequest('Invalid JSON data')
            outjson = self.PUT(req, input)
        # POST implies named operation.
        elif req.method == 'POST':
            # TODO: Check Content-Type and implement multipart/form-data.
            data = req.read()
            opargs = dict(cgi.parse_qsl(data, keep_blank_values=1))
            try:
                opname = opargs['ivle.op']
                del opargs['ivle.op']
            except KeyError:
                raise BadRequest('No named operation specified.')

            try:
                op = getattr(self, opname)
            except AttributeError:
                raise BadRequest('Invalid named operation.')

            if not hasattr(op, '_rest_api_callable') or \
               not op._rest_api_callable:
                raise BadRequest('Invalid named operation.')

            self.authorize_method(req, op)

            # Find any missing arguments, except for the first two (self, req)
            (args, vaargs, varkw, defaults) = inspect.getargspec(op)
            args = args[2:]

            # To find missing arguments, we eliminate the provided arguments
            # from the set of remaining function signature arguments. If the
            # remaining signature arguments are in the args[-len(defaults):],
            # we are OK.
            unspec = set(args) - set(opargs.keys())
            if unspec and not defaults:
                raise BadRequest('Missing arguments: ' + ', '.join(unspec))

            unspec = [k for k in unspec if k not in args[-len(defaults):]]

            if unspec:
                raise BadRequest('Missing arguments: ' + ', '.join(unspec))

            # We have extra arguments if the are no match args in the function
            # signature, AND there is no **.
            extra = set(opargs.keys()) - set(args)
            if extra and not varkw:
                raise BadRequest('Extra arguments: ' + ', '.join(extra))

            outjson = op(req, **opargs)

        req.content_type = self.content_type
        if outjson is not None:
            req.write(cjson.encode(outjson))
            req.write("\n")

class named_operation(object):
    '''Declare a function to be accessible to HTTP users via the REST API.
    '''
    def __init__(self, permission):
        self.permission = permission

    def __call__(self, func):
        func._rest_api_callable = True
        func._rest_api_permission = self.permission
        return func

class require_permission(object):
    '''Declare the permission required for use of a method via the REST API.
    '''
    def __init__(self, permission):
        self.permission = permission

    def __call__(self, func):
        func._rest_api_permission = self.permission
        return func


1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	1	# IVLE - Informatics Virtual Learning Environment
	2	# Copyright (C) 2007-2009 The University of Melbourne
	3	#
	4	# This program is free software; you can redistribute it and/or modify
	5	# it under the terms of the GNU General Public License as published by
	6	# the Free Software Foundation; either version 2 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	17
	18	# Author: Matt Giuca, Will Grant
	19
	20	import cgi
1099.4.1 by Nick Chadwick Working on putting worksheets into the database.	21	import urlparse
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	22	import inspect
	23
	24	import cjson
	25
	26	from ivle.webapp.base.views import BaseView
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	27	from ivle.webapp.errors import BadRequest, MethodNotAllowed, Unauthorized
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	28
	29	class RESTView(BaseView):
	30	"""
	31	A view which provides a RESTful interface. The content type is
	32	unspecified (see JSONRESTView for a specific content type).
	33	"""
	34	content_type = "application/octet-stream"
	35
	36	def __init__(self, req, args, *kwargs):
1099.1.46 by Nick Chadwick Fixed a slight issue in the indentation of xhtml.py	37	for key in kwargs:
	38	setattr(self, key, kwargs[key])
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	39
	40	def render(self, req):
1099.1.52 by William Grant ivle.webapp.base.rest#RESTView: Remove broken old render() - it should be	41	raise NotImplementedError()
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	42
	43	class JSONRESTView(RESTView):
	44	"""
	45	A special case of RESTView which deals entirely in JSON.
	46	"""
	47	content_type = "application/json"
	48
	49	_allowed_methods = property(
	50	lambda self: [m for m in ('GET', 'PUT', 'PATCH')
	51	if hasattr(self, m)] + ['POST'])
	52
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	53	def authorize(self, req):
	54	return True # Real authz performed in render().
	55
	56	def authorize_method(self, req, op):
	57	if not hasattr(op, '_rest_api_permission'):
	58	raise Unauthorized()
	59
	60	if op._rest_api_permission not in self.get_permissions(req.user):
	61	raise Unauthorized()
1099.4.3 by Nick Chadwick Updated the tutorial service, to now allow users to edit worksheets	62
	63	def convert_bool(self, value):
1099.1.188 by Nick Chadwick Fixed a slight issue in convert_bool, which now uses a tuple, and	64	if value in ('True', 'true', True):
1099.4.3 by Nick Chadwick Updated the tutorial service, to now allow users to edit worksheets	65	return True
1099.1.188 by Nick Chadwick Fixed a slight issue in convert_bool, which now uses a tuple, and	66	elif value in ('False', 'false', False):
1099.4.3 by Nick Chadwick Updated the tutorial service, to now allow users to edit worksheets	67	return False
	68	else:
	69	raise BadRequest()
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	70
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	71	def render(self, req):
	72	if req.method not in self._allowed_methods:
	73	raise MethodNotAllowed(allowed=self._allowed_methods)
	74
	75	if req.method == 'GET':
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	76	self.authorize_method(req, self.GET)
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	77	outjson = self.GET(req)
	78	# Since PATCH isn't yet an official HTTP method, we allow users to
	79	# turn a PUT into a PATCH by supplying a special header.
	80	elif req.method == 'PATCH' or (req.method == 'PUT' and
	81	'X-IVLE-Patch-Semantics' in req.headers_in and
	82	req.headers_in['X-IVLE-Patch-Semantics'].lower() == 'yes'):
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	83	self.authorize_method(req, self.PATCH)
1099.1.53 by William Grant ivle.webapp.base.rest#JSONRESTView: Check for bad JSON input, rather than	84	try:
	85	input = cjson.decode(req.read())
	86	except cjson.DecodeError:
	87	raise BadRequest('Invalid JSON data')
	88	outjson = self.PATCH(req, input)
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	89	elif req.method == 'PUT':
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	90	self.authorize_method(req, self.PUT)
1099.1.53 by William Grant ivle.webapp.base.rest#JSONRESTView: Check for bad JSON input, rather than	91	try:
	92	input = cjson.decode(req.read())
	93	except cjson.DecodeError:
	94	raise BadRequest('Invalid JSON data')
	95	outjson = self.PUT(req, input)
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	96	# POST implies named operation.
	97	elif req.method == 'POST':
	98	# TODO: Check Content-Type and implement multipart/form-data.
1099.4.1 by Nick Chadwick Working on putting worksheets into the database.	99	data = req.read()
1099.4.3 by Nick Chadwick Updated the tutorial service, to now allow users to edit worksheets	100	opargs = dict(cgi.parse_qsl(data, keep_blank_values=1))
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	101	try:
	102	opname = opargs['ivle.op']
1099.4.3 by Nick Chadwick Updated the tutorial service, to now allow users to edit worksheets	103	del opargs['ivle.op']
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	104	except KeyError:
	105	raise BadRequest('No named operation specified.')
	106
	107	try:
	108	op = getattr(self, opname)
	109	except AttributeError:
	110	raise BadRequest('Invalid named operation.')
	111
	112	if not hasattr(op, '_rest_api_callable') or \
	113	not op._rest_api_callable:
	114	raise BadRequest('Invalid named operation.')
	115
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	116	self.authorize_method(req, op)
	117
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	118	# Find any missing arguments, except for the first two (self, req)
	119	(args, vaargs, varkw, defaults) = inspect.getargspec(op)
	120	args = args[2:]
	121
	122	# To find missing arguments, we eliminate the provided arguments
	123	# from the set of remaining function signature arguments. If the
	124	# remaining signature arguments are in the args[-len(defaults):],
	125	# we are OK.
	126	unspec = set(args) - set(opargs.keys())
	127	if unspec and not defaults:
1099.1.52 by William Grant ivle.webapp.base.rest#RESTView: Remove broken old render() - it should be	128	raise BadRequest('Missing arguments: ' + ', '.join(unspec))
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	129
	130	unspec = [k for k in unspec if k not in args[-len(defaults):]]
	131
	132	if unspec:
1099.1.52 by William Grant ivle.webapp.base.rest#RESTView: Remove broken old render() - it should be	133	raise BadRequest('Missing arguments: ' + ', '.join(unspec))
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	134
	135	# We have extra arguments if the are no match args in the function
	136	# signature, AND there is no **.
	137	extra = set(opargs.keys()) - set(args)
	138	if extra and not varkw:
	139	raise BadRequest('Extra arguments: ' + ', '.join(extra))
	140
	141	outjson = op(req, **opargs)
	142
	143	req.content_type = self.content_type
	144	if outjson is not None:
	145	req.write(cjson.encode(outjson))
	146	req.write("\n")
	147
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	148	class named_operation(object):
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	149	'''Declare a function to be accessible to HTTP users via the REST API.
	150	'''
1099.1.112 by William Grant Implement authorization in JSON REST views. Add security declarations to	151	def __init__(self, permission):
	152	self.permission = permission
	153
	154	def __call__(self, func):
	155	func._rest_api_callable = True
	156	func._rest_api_permission = self.permission
	157	return func
	158
	159	class require_permission(object):
	160	'''Declare the permission required for use of a method via the REST API.
	161	'''
	162	def __init__(self, permission):
	163	self.permission = permission
	164
	165	def __call__(self, func):
	166	func._rest_api_permission = self.permission
	167	return func
1099.1.34 by William Grant Split up ivle.webapp.base.views into ivle.webapp.base.{rest,xhtml}, as it was	168