Limit Graph.command field visibility

Fix #4
matwey · Sep 7, 2024 · f268d12 · f268d12
1 parent 828cc78
commit f268d12
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 7 deletions.
diff --git a/src/collectd_rest/serializers.py b/src/collectd_rest/serializers.py
@@ -23,7 +23,14 @@ class GraphSerializer(serializers.ModelSerializer):
 
 	class Meta:
 		model = models.Graph
-		fields = ('id', 'name', 'title', 'group', 'url', 'command', 'priority', 'granularity', 'max_age')
+		fields = '__all__'
+
+class UnauthenticatedGraphSerializer(GraphSerializer):
+	command = None
+
+	class Meta:
+		model = models.Graph
+		exclude = ('command',)
 
 class GraphGranularitySerializer(serializers.ModelSerializer):
 	class Meta:

diff --git a/src/collectd_rest/views.py b/src/collectd_rest/views.py
@@ -1,6 +1,7 @@
 from collectd_rest import models, serializers, renderers
 from rest_framework import viewsets
 from rest_framework.settings import api_settings
+from django.contrib.auth.models import AnonymousUser
 
 class GraphGranularityViewSet(viewsets.ModelViewSet):
 	queryset = models.GraphGranularity.objects.all()
@@ -15,4 +16,14 @@ class GraphGroupViewSet(viewsets.ModelViewSet):
 class GraphViewSet(viewsets.ModelViewSet):
 	queryset = models.Graph.objects.select_related('granularity')
 	serializer_class = serializers.GraphSerializer
+	unauthenticated_serializer_class = serializers.UnauthenticatedGraphSerializer
 	renderer_classes = api_settings.DEFAULT_RENDERER_CLASSES + [renderers.PNGRenderer, renderers.SVGRenderer, ]
+
+	def get_serializer_class(self):
+		if (not (self.action == "retrieve" or self.action == "list")
+			or isinstance(self.request.accepted_renderer, renderers.ImageRenderer)
+			or not isinstance(self.request.user, AnonymousUser)):
+
+			return super(GraphViewSet, self).get_serializer_class()
+
+		return self.unauthenticated_serializer_class
diff --git a/tests/test_graph.py b/tests/test_graph.py
@@ -2,9 +2,10 @@
 	from django.urls import reverse
 except ImportError:
 	from django.core.urlresolvers import reverse
+from django.contrib.auth.models import User
 from django.test import TestCase
 from rest_framework import status
-from rest_framework.test import APIClient
+from rest_framework.test import APIClient, force_authenticate
 from collectd_rest.models import Graph, GraphGroup, GraphGranularity
 from collectd_rest.rrd import RRDError
 try:
@@ -18,7 +19,7 @@ def setUp(self):
 
 	@patch('collectd_rest.serializers.render')
 	def test_graph_create1(self, mock):
-		command = 'format'
+		command = 'TEST'
 		format = 'PNG'
 
 		url = reverse('graph-list')
@@ -36,7 +37,7 @@ def test_graph_create1(self, mock):
 		mock.assert_called_with(command, format)
 	@patch('collectd_rest.serializers.render')
 	def test_graph_create2(self, mock):
-		command = 'format'
+		command = 'TEST'
 		format = 'png'
 
 		url = reverse('graph-list')
@@ -72,7 +73,7 @@ def test_graph_create3(self):
 		self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
 	@patch('collectd_rest.serializers.render')
 	def test_graph_create4(self, mock):
-		command = 'format'
+		command = 'TEST'
 		format = 'PNG'
 
 		url = reverse('graph-list')
@@ -90,19 +91,36 @@ def test_graph_create4(self, mock):
 		mock.assert_called_with(command, format)
 
 	def test_graph_detail1(self):
+		command = "TEST"
 		group = GraphGroup.objects.create(name="group1", title="Group 1")
 		granularity = GraphGranularity.objects.get(name='default')
-		graph = Graph.objects.create(name="graph1", title="Graph 1", command="format", group=group, granularity=granularity)
+		graph = Graph.objects.create(name="graph1", title="Graph 1", command=command, group=group, granularity=granularity)
 
 		url = reverse('graph-detail', args=[graph.id])
 		response = self.client.get(url)
 		self.assertEqual(response.status_code, status.HTTP_200_OK)
 		json = response.json()
 		self.assertEqual(json['id'], graph.id)
+		self.assertNotIn("command", json)
+
+	def test_graph_detail2(self):
+		command = "TEST"
+		group = GraphGroup.objects.create(name="group1", title="Group 1")
+		user = User.objects.create(username='gendalf')
+		granularity = GraphGranularity.objects.get(name='default')
+		graph = Graph.objects.create(name="graph1", title="Graph 1", command=command, group=group, granularity=granularity)
+
+		url = reverse('graph-detail', args=[graph.id])
+		self.client.force_authenticate(user=user)
+		response = self.client.get(url)
+		self.assertEqual(response.status_code, status.HTTP_200_OK)
+		json = response.json()
+		self.assertEqual(json['id'], graph.id)
+		self.assertEqual(json['command'], command)
 
 	@patch('collectd_rest.serializers.render')
 	def test_graph_create_duplicates(self, mock):
-		command = 'format'
+		command = 'TEST'
 		format = 'png'
 
 		url = reverse('graph-list')