Workspaces

Pipfile

@@ -7,10 +7,8 @@ verify_ssl = true
 [packages]
 django = "==2.1.5"
 wemake-python-styleguide = "==0.6.3"
-
 # see https://github.com/wemake-services/wemake-python-styleguide/pull/472#issuecomment-460057878
 flake8 = '==3.6.0'
-
 django-rest-framework = "*"
 pillow = "*"
 drf-writable-nested = "*"
@@ -22,6 +20,7 @@ djangorestframework-camel-case = "*"
 django-oauth-toolkit = "*"
 django-cors-middleware = "*"
 pyuploadcare = "*"
+dry-rest-permissions = "*"
 
 [requires]
 python_version = "3.6"

postpost/api/middlewares.py

@@ -0,0 +1,45 @@
+from api.models import Workspace
+
+
+class GlobalWorkspaceMiddleware(object):
+    """
+    Add request-relevant workspace object to request object.
+
+    Because most of requests to our API tied to specific workspace (e.g.
+    work with publications), the middleware saves us from a lot of repeated
+    code for extracting workspace by request data.
+    """
+
+    def __init__(self, get_response):
+        """
+        Standard interface of django middleware.
+
+        See more:
+        https://docs.djangoproject.com/en/2.1/topics/http/middleware/#init-get-response
+        """
+        self.get_response = get_response
+
+    def __call__(self, request):
+        """
+        Executed before view and other middlewares are called.
+
+        And this method does nothing.
+        """
+        return self.get_response(request)
+
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        """
+        One of the django middleware hook.
+
+        Uses here for inject relevant workspace to request objects.
+        Search Workspace instance by url params that a router usually
+        generates.
+
+        See more about this middleware hook:
+        https://docs.djangoproject.com/en/2.1/topics/http/middleware/#process-view
+        """
+        workspace_name = view_kwargs.get('workspace_pk') or view_kwargs.get('workspace_name')
+        if workspace_name:
+            workspace = Workspace.objects.filter(name=workspace_name).first()
+            if workspace:
+                request.workspace = workspace

postpost/api/migrations/0003_workspaces.py

@@ -0,0 +1,46 @@
+# Generated by Django 2.1.5 on 2019-02-06 19:09
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('api', '0002_auto_20190128_2219'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Workspace',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.SlugField(unique=True)),
+                ('created_at', models.DateTimeField(auto_now_add=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='WorkspaceMember',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('role', models.CharField(choices=[('publisher', 'Publisher: only create and edit publications'), ('admin', 'Admin: also can edit platforms and members')], default='publisher', max_length=64)),
+                ('created_at', models.DateTimeField(auto_now_add=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('member', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('workspace', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.Workspace')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='publication',
+            name='workspace',
+            field=models.ForeignKey(default=None, on_delete=django.db.models.deletion.CASCADE, to='api.Workspace'),
+            preserve_default=False,
+        ),
+        migrations.AlterUniqueTogether(
+            name='workspacemember',
+            unique_together={('member', 'workspace')},
+        ),
+    ]

postpost/api/models/__init__.py

@@ -1,2 +1,4 @@
-from api.models.platform_settings import PlatformPost  # noqa: F401
-from api.models.publications import Publication  # noqa: F401
+from api.models.platform_post import PlatformPost  # noqa: F401
+from api.models.publication import Publication  # noqa: F401
+from api.models.workspace import Workspace  # noqa: F401
+from api.models.workspace_member import WorkspaceMember  # noqa: F401

postpost/api/models/publications.py → postpost/api/models/publication.py

@@ -1,7 +1,10 @@
 from django.db import models
 from pyuploadcare.dj import models as uploadcare_models
+from rest_framework.request import Request
 
+from api import permissions
 from api.models import PlatformPost
+from api.models.workspace import Workspace
 
 
 class Publication(models.Model):
@@ -12,6 +15,7 @@ class Publication(models.Model):
     text = models.TextField()
     picture = uploadcare_models.ImageField(blank=True, null=True)
 
+    workspace = models.ForeignKey(Workspace, on_delete=models.CASCADE, null=False)
     scheduled_at = models.DateTimeField(blank=True, null=True)
 
     created_at = models.DateTimeField(auto_now_add=True, editable=False)
@@ -34,3 +38,11 @@ def current_status(self) -> str:
             return PlatformPost.SENDING_STATUS
         else:
             return PlatformPost.SUCCESS_STATUS
+
+    @staticmethod
+    def has_read_permission(request: Request) -> bool:
+        return permissions.check_workspace_member(request)
+
+    @staticmethod
+    def has_write_permission(request: Request) -> bool:
+        return permissions.check_workspace_member(request)

postpost/api/models/workspace.py

@@ -0,0 +1,23 @@
+from django.db import models
+from rest_framework.request import Request
+
+from api import permissions
+
+
+class Workspace(models.Model):
+    """
+    Workspace — space with members, publications and tuned platforms. Has a unique name.
+    """
+
+    name = models.SlugField(unique=True)
+
+    created_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    @staticmethod
+    def has_list_permission(request: Request) -> bool:
+        return permissions.check_authenticated(request)
+
+    @staticmethod
+    def has_create_permission(request: Request) -> bool:
+        return permissions.check_authenticated(request)

postpost/api/models/workspace_member.py

@@ -0,0 +1,46 @@
+from django.conf import settings
+from django.db import models
+from rest_framework.request import Request
+
+from api import permissions
+from api.models.workspace import Workspace
+
+PUBLISHER_ROLE = 'publisher'
+ADMIN_ROLE = 'admin'
+WORKSPACE_ROLES = [
+    (PUBLISHER_ROLE, 'Publisher: only create and edit publications'),
+    (ADMIN_ROLE, 'Admin: also can edit platforms and members'),
+]
+
+
+class WorkspaceMember(models.Model):
+    """
+    Many-to-many junction table user <-> workspace with role.
+    """
+
+    member = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        null=False,
+    )
+    workspace = models.ForeignKey(
+        Workspace,
+        on_delete=models.CASCADE,
+        null=False,
+    )
+    role = models.CharField(
+        choices=WORKSPACE_ROLES,
+        default=PUBLISHER_ROLE,
+        null=False,
+        max_length=64,  # noqa: Z432
+    )
+
+    created_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    @staticmethod
+    def has_list_permission(request: Request) -> bool:
+        return permissions.check_workspace_member(request)
+
+    class Meta(object):
+        unique_together = ('member', 'workspace')

postpost/api/permissions.py

@@ -0,0 +1,43 @@
+from rest_framework import permissions
+from rest_framework.request import Request
+
+from api.models import WorkspaceMember
+from api.models.workspace_member import ADMIN_ROLE
+
+
+def check_authenticated(request: Request):
+    return request.user.is_authenticated
+
+
+def check_workspace_admin(request: Request):
+    """
+    Checks that the user role is admin role in current workspace.
+    """
+    is_workspace_admin = WorkspaceMember.objects.filter(
+        workspace=request.workspace,
+        member=request.user,
+        role=ADMIN_ROLE,
+    ).exists()
+    return is_workspace_admin
+
+
+def check_workspace_member(request: Request):
+    """
+    Just check user membership in current workspace.
+    """
+    is_workspace_member = WorkspaceMember.objects.filter(
+        workspace=request.workspace,
+        member=request.user,
+    ).exists()
+    return is_workspace_member
+
+
+def check_superuser(request: Request):
+    """
+    Check standard django is_superuser flag :shrug:.
+
+    More info:
+    https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.models.User.is_superuser
+    """
+    is_superuser = request.user.is_authenticated() and request.user.is_superuser
+    return is_superuser