views.py

# coding=utf-8
from __future__ import unicode_literals
from django.contrib.auth import get_user_model
from django.core.exceptions import PermissionDenied
from django.http.response import Http404
from django.db.models import Q
from django.shortcuts import get_object_or_404

from adim.models import AnObj, AnObjMembership, Annotation
from adim.serializers import AnObjSerializer, SharedAnObjSerializer, AnObjListSerializer, \
    AnnotationSerializer, UserSerializer
from adim.permissions import has_anobj_access
from rest_framework import viewsets
from rest_framework.response import Response
from rest_framework.decorators import detail_route
from rest_framework.permissions import BasePermission, SAFE_METHODS


# ================================
# RestFramework Permission Classes
# ================================

class AccessibleAnObj(BasePermission):
    """
    RestFramework Object-level permission to allow acces to objects related to an accessible AnObj
    Assumes the model instance has an `annotable` attribute.
    """
    def has_object_permission(self, request, view, obj):
        try:
            return has_anobj_access(request, obj.annotable)
        except AnObj.DoesNotExist:
            return False
        except AttributeError:
            return False


class IsOwnerOrReadOnly(BasePermission):
    """
    RestFramework Object-level permission to only allow owners of an object to edit it.
    Assumes the model instance has an `owner` or an `owners` attribute.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in SAFE_METHODS:
            return True

        # Instance must have an attribute named `owner` or `owners`
        if hasattr(obj, 'owner'):
            return obj.owner == request.user
        elif hasattr(obj, 'owners'):
            return obj.owners.filter(id=request.user.id).exists()
        else:
            return False

class WritableAnObjOrReadonly(BasePermission):
    """
    RestFramework Object-level permission to only allow modification on objects
    related to an unlocked AnObj
    Assumes the model instance has an `annotable` attribute.
    """

    def has_permission(self, request, view):
        # For CREATE action, there is no annotation yet, so we have to fetch AnObj first to check for locked state
        if view.action == 'create':
            try:
                annotable = AnObj.objects.get(pk=request.data.get('annotable', -1))
                return not annotable.locked
            except AnObj.DoesNotExist:
                return False
        return True

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in SAFE_METHODS:
            return True

        return not obj.annotable.locked


# ======================
# RestFramework ViewSets
# ======================

class AnObjViewSet(viewsets.ModelViewSet):
    """
    Viewset for owned AnObj, requested by user who is the owner.
    """
    model = AnObj
    serializer_class = AnObjSerializer
    # lookup_field = 'uuid'

    def get_serializer_class(self):
        """
        Use a simplified serializer for listing and
        the complete one for other actions
        """
        if self.action == 'list':
            return AnObjListSerializer
        else:
            return self.serializer_class

    def get_queryset(self):
        """
        Return only owner's anobjs for write actions and
        return also shared anobjs to guests for read actions
        """
        user = self.request.user
        # q = Q(owner=user)
        q = Q(owners=user)
        if self.action == 'list':
            q = q | Q(members=user)

        return AnObj.objects.select_related('envparam').filter(q).distinct()

    @detail_route(methods=['get', 'patch', 'post', 'delete'])
    def members(self, request, pk=None):
        anobj = self.get_object()

        if request.method != 'GET':
            user_model = get_user_model()
            members = []
            for member_data in request.DATA.get('members', []):
                try:
                    q = Q(pk=-1)
                    if member_data.get('id'):
                        q = Q(pk=member_data.get('id'))
                    elif member_data.get('username'):
                        q = Q(username=member_data.get('username'))
                    members.append(user_model.objects.get(q))

                except user_model.DoesNotExist:
                    if member_data.get('username'):
                        opts_members = anobj.sharing_opts.get('members', [])

                        if request.method in ('PATCH', 'POST'):
                            opts_members.append(member_data.get('username'))
                        elif request.method == 'DELETE':
                            opts_members.remove(member_data.get('username'))

                        anobj.sharing_opts['members'] = opts_members
                        anobj.save()

            if request.method in ('PATCH', 'POST'):
                # anobj.members.add(*members)
                anobj.add_members(*members)
            elif request.method == 'DELETE':
                # anobj.members.remove(*members)
                anobj.remove_members(*members)

        return Response({'users': UserSerializer(instance=anobj.members.all(), many=True).data})

    @detail_route(methods=['patch'])
    def set_publish_mode(self, request, pk=None):
        user = request.user
        anobj = AnObj.objects.get(pk=pk)
        new_publish_mode = int(request.DATA.get('publish_mode', 0))
        if new_publish_mode not in xrange(3):
            raise ValueError("Invalid publish mode")

        # membership = get_object_or_404(AnObjMembership, anobj__id=pk, user=user)
        try:
            membership = AnObjMembership.objects.get(anobj=anobj, user=user)
        except AnObjMembership.DoesNotExist:
            # if user == anobj.owner:
            # if user in anobj.owners.all():
            if anobj.is_owned(user.id):
                membership = AnObjMembership.objects.create(anobj=anobj, user=user, publish_mode=new_publish_mode)
            else:
                raise Http404()

        if new_publish_mode == 2 and not (
                anobj.allow_public_publishing or anobj.is_owned(user.id)):
                # anobj.allow_public_publishing or user in anobj.owners.all()):
            raise PermissionDenied

        if membership.publish_mode != new_publish_mode:
            membership.publish_mode = new_publish_mode
            membership.save()

        return Response({'publish_mode': membership.publish_mode})

    @detail_route(methods=['patch'])
    def env_param(self, request, pk=None):
        pass


class UAnObjViewSet(AnObjViewSet):
    """
    Accessing AnObj by uuid. extents AnObj
    """
    lookup_field = 'uuid'


class SharedAnObjViewSet(AnObjViewSet):
    """
    ViewSet for shared AnObj, requested by a user
    who is not the owner but a member.
    """
    serializer_class = SharedAnObjSerializer

    def get_serializer_class(self):
        """
        Use a simplified serializer for listing and
        the complete one for other actions
        """
        if self.action == 'list':
            return AnObjListSerializer
        else:
            return self.serializer_class

    def get_queryset(self):
        """
        Return only owner's anobjs for write actions and
        return also shared anobjs to guests for read actions
        """
        # return AnObj.objects.filter(members=self.request.user)

        user = self.request.user
        # q = Q(owner=user)
        q = Q(owners=user)
        if self.action in ('list', 'retrieve', 'members'):
            q = q | Q(members=user)

        return AnObj.objects.filter(q).distinct()

    @detail_route(methods=['get'])
    def members(self, request, pk=None):
        anobj = self.get_object()
        if anobj.allow_public_publishing:
            users = UserSerializer(instance=anobj.members.all(), many=True).data
        else:
            users = []
        return Response({'users': users})
    #
    # @detail_route(methods=['patch'])
    # def set_publish_mode(self, request, pk=None):
    #     user = request.user
    #     anobj = AnObj.objects.get(pk=pk)
    #     membership = get_object_or_404(AnObjMembership, anobj__id=pk, user=user)
    #
    #     new_publish_mode = int(request.DATA.get('publish_mode', 0))
    #     if new_publish_mode not in xrange(3):
    #         raise ValueError("Invalid publish mode")
    #
    #     if new_publish_mode == 2 and not (
    #             anobj.allow_public_publishing or user == anobj.owner):
    #         raise PermissionDenied
    #
    #     if membership.publish_mode != new_publish_mode:
    #         membership.publish_mode = new_publish_mode
    #         membership.save()
    #
    #     return Response({'publish_mode': membership.publish_mode})
    #


class UserViewSet(viewsets.ReadOnlyModelViewSet):
    """
    List of registered users for an AnObj.
    The anobj uuid is given as a querystring variable
    ?uuid=<the-uuid-value-for-the-anobj>
    """
    model = get_user_model()
    serializer_class = UserSerializer

    def get_queryset(self):
        uuid = self.request.GET.get('uuid', "")
        q = Q(anobjs__uuid=uuid) | Q(shared_anobjs__uuid=uuid)
        return self.model.objects.filter(q)
        # try:
        #
        #     anobj = AnObj.objects.get(uuid=self.request.GET.get('uuid', ""))
        #     return self.model.objects.filter(pk=anobj.owner_id)
        # except AnObj.DoesNotExist:
        #     return []


class AnnotationViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allow annotations to be viewed or edited
    """
    model = Annotation
    serializer_class = AnnotationSerializer
    permission_classes = (AccessibleAnObj, IsOwnerOrReadOnly, WritableAnObjOrReadonly)

    def get_queryset(self):
        if self.request.user.has_perm('adim.can_review_exercise'):
            queryset = Annotation.objects.all()
        else:
            queryset = Annotation.objects.filter(owner=self.request.user)
        return queryset

    def create(self, request, *args, **kwargs):
        """
        Override create to set annotation's owner to request.owner
        :param request:
        :param args:
        :param kwargs:
        :return:
        """
        request.data['owner'] = request.user.id
        request.data['owner_id'] = request.user.id
        return super(AnnotationViewSet, self).create(request, *args, **kwargs)

    # def list(self, request):
    #     return Response([])
    #
    # def pre_save(self, obj):
    #     """
    #     For new annotation, check annotable access permission
    #     and set the owner of the annotation
    #     :param obj:
    #     :return:
    #     """
    #     if obj.annotable.locked:
    #         raise Exception("Annotable locked")
    #
    #     # ok
    #     if obj.id:
    #         if obj.owner != self.request.user:
    #             raise Exception("Annotable access forbidden")
    #
    #     else:
    #         # user = self.request.user
    #         # anobj_q = Q(pk=obj.annotable_id) & (Q(owner=user) | Q(members=user))
    #         try:
    #             anobj = AnObj.objects.get(pk=obj.annotable_id)
    #             if not has_anobj_access(self.request, anobj):
    #                 raise Exception("Annotable access forbidden")
    #
    #         except AnObj.DoesNotExist:
    #             raise Exception("Annotable access forbidden")
    #         # if not AnObj.objects.filter(anobj_q).exists():
    #
    #         obj.owner = self.request.user
    #
    #     super(AnnotationViewSet, self).pre_save(obj)


class SharedAnnotationViewSet(viewsets.ReadOnlyModelViewSet):
    """

    """
    model = Annotation
    serializer_class = AnnotationSerializer

    def get_queryset(self):
        """
        Return the shared annotations for this anobj

        anots = anobj.annotations.filter(owner__anobjmembership__publish_mode__gte=<publish_level>, owner__anobjmembership__anobj=anobj).select_related('owner')
        """
        anobj = get_object_or_404(AnObj, pk=self.kwargs.get('anobjs_pk', -1))
        # publish_level = 1 if self.request.user in anobj.owners.all() else 2
        publish_level = 1 if anobj.is_owned(self.request.user.id) else 2

        q = (
            Q(annotable=anobj) &
            Q(owner__anobjmembership__publish_mode__gte=publish_level) &
            Q(owner__anobjmembership__anobj=anobj)
        )
        return Annotation.objects.filter(q).exclude(owner=self.request.user)