Allow OAuth Applications Access (#60)

This commit allows OAuth Applications that are not bound to a specific user access to the /api/v1/users and /api/v1/courses endpoints.
OpenJUB · Oct 18, 2017 · b1f4140 · b1f4140
1 parent dbfe3a7
commit b1f4140
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/api/v1/views.py b/api/v1/views.py
@@ -1,4 +1,5 @@
-from rest_framework import serializers, views, viewsets, filters, decorators
+from rest_framework import serializers, views, viewsets, filters, decorators, \
+    permissions
 from django_filters.rest_framework import DjangoFilterBackend
 from django import shortcuts
 from django import conf
@@ -8,6 +9,12 @@
 from api.filters import extended as extended_filters
 
 
+class UserOrOAuthApplication(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return (request.user and request.user.is_authenticated) or \
+               (request.auth and request.auth.application)
+
+
 class StudentSerializer(serializers.ModelSerializer):
     class Meta:
         model = core_models.Student
@@ -29,6 +36,7 @@ class Meta:
 class StudentViewSet(viewsets.ReadOnlyModelViewSet):
     # Permissions
     required_scopes = []
+    permission_classes = [UserOrOAuthApplication]
 
     # Content
     queryset = core_models.Student.objects.all()
@@ -67,6 +75,7 @@ def image(self, request, username=None):
 class CourseView(viewsets.ReadOnlyModelViewSet):
     # Permissions
     required_scopes = []
+    permission_classes = [UserOrOAuthApplication]
 
     # Content
     queryset = core_models.Course.objects.all()