From d95ffdfbf737d4b963cb652b915e00f31cb0c908 Mon Sep 17 00:00:00 2001
From: ibuler
Date: Fri, 26 Aug 2016 00:51:05 +0800
Subject: [PATCH] Test permmision
---
 apps/jumpserver/settings.py | 10 +++++-----
 apps/templates/_foot_js.html | 5 ++++-
 apps/users/api.py | 13 +++++++++++++
 apps/users/models.py | 2 +-
 apps/users/templates/users/user_detail.html | 12 +++++++++---
 apps/users/views.py | 8 +++++---
 6 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py
index b70bf8950..cab2806e7 100644
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -173,12 +173,12 @@ REST_FRAMEWORK = {
 # Use Django's standard `django.contrib.auth` permissions,
 # or allow read-only access for unauthenticated users.
 'DEFAULT_PERMISSION_CLASSES': (
- 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
+ 'rest_framework.permissions.IsAdminUser',
+ ),
+ 'DEFAULT_AUTHENTICATION_CLASSES': (
+ 'rest_framework.authentication.BasicAuthentication',
+ 'rest_framework.authentication.SessionAuthentication',
 ),
- # 'DEFAULT_AUTHENTICATION_CLASSES': (
- # 'rest_framework.authentication.BasicAuthentication',
- # 'rest_framework.authentication.SessionAuthentication',
- # ),
 }
 # This setting is required to override the Django's main loop, when running in
 # development mode, such as ./manage runserver
diff --git a/apps/templates/_foot_js.html b/apps/templates/_foot_js.html
index b610cb089..72351ac6a 100644
--- a/apps/templates/_foot_js.html
+++ b/apps/templates/_foot_js.html
@@ -35,7 +35,9 @@
 }
 var csrftoken = getCookie('csrftoken');
- console.log(csrftoken)
+ var sessionid = getCookie('sessionid');
+ console.log(csrftoken);
+ console.log(sessionid);
 function csrfSafeMethod(method) {
 // these HTTP methods do not require CSRF protection
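Review bot: The two comment lines kept at the top of the settings.py hunk (`# Use Django's standard ... permissions,` / `# or allow read-only access for unauthenticated users.`) now describe the setting that was removed; with `IsAdminUser` there is no anonymous read-only access any more, so replace them with something like `# Every API endpoint requires an authenticated user whose is_staff is true (see users.models.User.is_staff).`. Enabling `BasicAuthentication` means clients may send the username and password on every request, so it should go together with TLS enforcement (for example `SECURE_SSL_REDIRECT = True`) or a comment recording that the API is only exposed over HTTPS. Note also that DRF's `IsAdminUser` checks `request.user.is_staff`, which the models.py hunk in this same commit redefines to require `is_superuser`, so in practice the whole API becomes superuser-only; if that is intended it belongs in the comment above the setting.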
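Review bot: `console.log(sessionid)` in the _foot_js.html hunk (and the `console.log(csrftoken)` it keeps) writes a session credential to the browser console, where any extension, devtools capture or screenshot can pick it up; drop both log lines before merging. With Django's default `SESSION_COOKIE_HTTPONLY = True` the session cookie is not visible to `document.cookie`, so `getCookie('sessionid')` will normally return null here, which suggests this lookup is debugging that cannot work as written. The commented-out `{# xhr.setRequestHeader("sessionid", sessionid);#}` in the second hunk of this file would, if ever enabled, copy the session id into a custom request header; remove it rather than leaving it as a template comment.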
@@ -46,6 +48,7 @@
 beforeSend: function(xhr, settings) {
 if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
 xhr.setRequestHeader("X-CSRFToken", csrftoken);
+{# xhr.setRequestHeader("sessionid", sessionid);#}
 }
 }
 });
diff --git a/apps/users/api.py b/apps/users/api.py
index a6f70e690..bcd635fdb 100644
--- a/apps/users/api.py
+++ b/apps/users/api.py
@@ -13,11 +13,24 @@ class UserListAddApi(generics.ListCreateAPIView):
 queryset = User.objects.all()
 serializer_class = UserSerializer
+ # permission_classes = (
+ # permissions.DenyAll,
+ )
+
 class UserDetailDeleteUpdateApi(generics.RetrieveUpdateDestroyAPIView):
 queryset = User.objects.all()
 serializer_class = UserSerializer
+ def put(self, request, *args, **kwargs):
+ print(request.META)
+ return super(UserDetailDeleteUpdateApi, self).put(request, *args, **kwargs)
+
+ # def get(self, request, *args, **kwargs):
+ # print("hello world")
+ # print(request.user)
+ # return super(UserDetailDeleteUpdateApi, self).get(request, *args, **kwargs)
+
 class UserGroupListAddApi(generics.ListCreateAPIView):
 queryset = UserGroup.objects.all()
diff --git a/apps/users/models.py b/apps/users/models.py
index 0269be3bf..f459f5cc3 100644
--- a/apps/users/models.py
+++ b/apps/users/models.py
@@ -148,7 +148,7 @@ class User(AbstractUser):
 @property
 def is_staff(self):
- if self.is_authenticated and self.is_active and not self.is_expired:
+ if self.is_authenticated and self.is_active and not self.is_expired and self.is_superuser:
 return True
 else:
 return False
diff --git a/apps/users/templates/users/user_detail.html b/apps/users/templates/users/user_detail.html
index 88188c28e..bdf4c5eb1 100644
--- a/apps/users/templates/users/user_detail.html
+++ b/apps/users/templates/users/user_detail.html
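Review bot: `print(request.META)` in the new `put` of `UserDetailDeleteUpdateApi` dumps the whole WSGI environ to stdout, which includes `HTTP_AUTHORIZATION` (the Basic credentials this commit enables) and `HTTP_COOKIE` (session id and CSRF token), so every update request writes live credentials into the server log. The override does nothing else, so remove it; if request tracing is really wanted, log only selected fields through the `logging` module, e.g. `logger.debug('PUT %s by %s', request.path, request.user)`. The commented block added to `UserListAddApi` references `permissions.DenyAll`, which is not a class DRF ships, and the line shown here as `+ )` looks like an uncommented bare `)` in the class body, which would be a syntax error if that is really what the file contains; that block should be deleted rather than kept as dead text.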
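Review bot: After the models.py change `is_staff` is true only for superusers, so everything keyed on it — Django admin login and DRF's `IsAdminUser`, which this commit makes the default API permission — becomes superuser-only and the usual staff/superuser distinction disappears; the property needs a docstring stating that, e.g. `"""Derived staff flag: only active, unexpired superusers count as staff."""`. If the project runs on a Django older than 1.10, `self.is_authenticated` without parentheses is a bound method and therefore always truthy, so that term contributes nothing to the check (on 1.10+ it is a property and behaves as intended); worth confirming against the pinned version. The if/else could also collapse to `return bool(self.is_authenticated and self.is_active and not self.is_expired and self.is_superuser)`.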
@@ -231,13 +231,19 @@
 var status = $(obj).prop('checked');
 $.ajax({
-{# url: "{% url 'users:user-detail-api' pk=user.id %}",#}
- url: "{% url 'users:login' %}",
- type: "POST",
+ url: "{% url 'users:user-detail-api' pk=user.id %}",
+{# url: "{% url 'users:login' %}",#}
+ type: "PUT",
 data: {
 'username': "{{ user.username }}",
 'email': "{{ user.email }}",
 'is_active': status
+ },
+ success: function (data, status) {
+ console.log(data)
+ },
+ error: function () {
+ console.log('error')
 }
 })
 }
diff --git a/apps/users/views.py b/apps/users/views.py
index 14ba96268..ee781c068 100644
--- a/apps/users/views.py
+++ b/apps/users/views.py
@@ -28,9 +28,11 @@ class UserLoginView(FormView):
 return HttpResponseRedirect(reverse('users:user-list'))
 return super(UserLoginView, self).get(request, *args, **kwargs)
- # def post(self, request, *args, **kwargs):
- # print(self.request.user)
- # return HttpResponseRedirect('/')
+ def post(self, request, *args, **kwargs):
+ print(self.request.user)
+ print(request.POST)
+ print(request.session.session_key)
+ return HttpResponseRedirect('/')
 def form_valid(self, form):
 username = form.cleaned_data.get('username', '')
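Review bot: The new `error` callback in user_detail.html only logs, so when the PUT is rejected (for instance by the `IsAdminUser` default this commit sets, or by a CSRF failure) the checkbox keeps its toggled state while the server value is unchanged; revert it and tell the user, e.g. `error: function () { $(obj).prop('checked', !status); alert('Failed to update user'); }`. The `success` handler's second parameter `status` shadows the outer `status` that holds the checkbox value; rename it to `textStatus` to avoid confusion. Since only `is_active` changes, a `PATCH` carrying just that field would avoid resubmitting `username` and `email` rendered from the template.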
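Review bot: `print(request.POST)` in the new `post` of `UserLoginView` writes the submitted login form — including whatever password field it carries — to stdout/the server log in clear text on every attempt, and `print(request.session.session_key)` does the same for the session id; neither should be merged. The override also returns `HttpResponseRedirect('/')` without calling `super().post()`, so `form_valid` below is never reached and the login form no longer authenticates anyone. Remove the override (FormView.post already dispatches to form_valid); if a trace is needed, keep at most `logger.debug('login attempt for %s', request.POST.get('username'))` through the logging module. UserLoginView continues outside the hunk.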