Test permmision

2016-08-26 00:51:05 +08:00 · 2016-08-26 00:51:05 +08:00 · d95ffdfbf7
parent bb76f6c652
commit d95ffdfbf7
6 changed files with 37 additions and 13 deletions
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@ -173,12 +173,12 @@ REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': (
-        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
+        'rest_framework.permissions.IsAdminUser',
+    ),
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
    ),
-    # 'DEFAULT_AUTHENTICATION_CLASSES': (
-    #     'rest_framework.authentication.BasicAuthentication',
-    #     'rest_framework.authentication.SessionAuthentication',
-    # ),
 }
 # This setting is required to override the Django's main loop, when running in
 # development mode, such as ./manage runserver
--- a/apps/templates/_foot_js.html
+++ b/apps/templates/_foot_js.html
@ -35,7 +35,9 @@
    }

    var csrftoken = getCookie('csrftoken');
-    console.log(csrftoken)
+    var sessionid = getCookie('sessionid');
+    console.log(csrftoken);
+    console.log(sessionid);

    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
@ -46,6 +48,7 @@
        beforeSend: function(xhr, settings) {
            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("X-CSRFToken", csrftoken);
+{#                xhr.setRequestHeader("sessionid", sessionid);#}
            }
        }
    });
--- a/apps/users/api.py
+++ b/apps/users/api.py
@ -13,11 +13,24 @@ class UserListAddApi(generics.ListCreateAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

+    # permission_classes = (
+    #     permissions.DenyAll,
+    # )
+

 class UserDetailDeleteUpdateApi(generics.RetrieveUpdateDestroyAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

+    def put(self, request, *args, **kwargs):
+        print(request.META)
+        return super(UserDetailDeleteUpdateApi, self).put(request, *args, **kwargs)
+
+    # def get(self, request, *args, **kwargs):
+    #     print("hello world")
+    #     print(request.user)
+    #     return super(UserDetailDeleteUpdateApi, self).get(request, *args, **kwargs)
+

 class UserGroupListAddApi(generics.ListCreateAPIView):
    queryset = UserGroup.objects.all()
--- a/apps/users/models.py
+++ b/apps/users/models.py
@ -148,7 +148,7 @@ class User(AbstractUser):

    @property
    def is_staff(self):
-        if self.is_authenticated and self.is_active and not self.is_expired:
+        if self.is_authenticated and self.is_active and not self.is_expired and self.is_superuser:
            return True
        else:
            return False
--- a/apps/users/templates/users/user_detail.html
+++ b/apps/users/templates/users/user_detail.html
@ -231,13 +231,19 @@
            var status = $(obj).prop('checked');

            $.ajax({
-{#                url: "{% url 'users:user-detail-api' pk=user.id %}",#}
-                url: "{% url 'users:login' %}",
-                type: "POST",
+                url: "{% url 'users:user-detail-api' pk=user.id %}",
+{#                url: "{% url 'users:login' %}",#}
+                type: "PUT",
                data: {
                    'username': "{{ user.username }}",
                    'email': "{{ user.email }}",
                    'is_active': status
+                },
+                success: function (data, status) {
+                    console.log(data)
+                },
+                error: function () {
+                    console.log('error')
                }
            })
        }
--- a/apps/users/views.py
+++ b/apps/users/views.py
@ -28,9 +28,11 @@ class UserLoginView(FormView):
            return HttpResponseRedirect(reverse('users:user-list'))
        return super(UserLoginView, self).get(request, *args, **kwargs)

-    # def post(self, request, *args, **kwargs):
-    #     print(self.request.user)
-    #     return HttpResponseRedirect('/')
+    def post(self, request, *args, **kwargs):
+        print(self.request.user)
+        print(request.POST)
+        print(request.session.session_key)
+        return HttpResponseRedirect('/')

    def form_valid(self, form):
        username = form.cleaned_data.get('username', '')