Merge branch 'master' into TMSS-841

18599add · Ramesh Kumar · 57b881ef · 88d217ed · 18599add · 18599add
Commit 18599add authored 3 years ago by Ramesh Kumar
--- a/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/lofar_viewset.py
+++ b/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/lofar_viewset.py
@@ -55,9 +55,23 @@ class LOFARViewSet(viewsets.ModelViewSet):
    filter_fields = '__all__'
    ordering_fields = '__all__'

+    def _get_permitted_methods(self, request):
+        # Django returns an "Allow" header that reflects what methods the model supports in principle, but not what
+        # the current user is actually has permission to perform. We use the "Access-Control-Allow-Methods" header
+        # to disclose read/write permission to the frontend, so that it can render its views accordingly.
+        allowed_methods = []
+        for method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
+            request.method = method
+            if TMSSPermissions().has_permission(request=request, view=self):
+                allowed_methods.append(method)
+        return allowed_methods
+
    @swagger_auto_schema(responses={403: 'forbidden'})
    def list(self, request, **kwargs):
-        return super(LOFARViewSet, self).list(request, **kwargs)
+        response = super(LOFARViewSet, self).list(request, **kwargs)
+        if "Access-Control-Allow-Methods" not in response:
+            response["Access-Control-Allow-Methods"] = ", ".join(self._get_permitted_methods(request))
+        return response

    @swagger_auto_schema(responses={400: 'invalid specification', 403: 'forbidden'})
    def create(self, request, **kwargs):
@@ -65,7 +79,10 @@ class LOFARViewSet(viewsets.ModelViewSet):

    @swagger_auto_schema(responses={403: 'forbidden', 404: 'not found'})
    def retrieve(self, request, pk=None, **kwargs):
-        return super(LOFARViewSet, self).retrieve(request, pk, **kwargs)
+        response = super(LOFARViewSet, self).retrieve(request, pk, **kwargs)
+        if "Access-Control-Allow-Methods" not in response:
+            response["Access-Control-Allow-Methods"] = ", ".join(self._get_permitted_methods(request))
+        return response

    @swagger_auto_schema(responses={400: 'invalid specification', 403: 'forbidden', 404: 'not found'})
    def update(self, request, pk=None, **kwargs):

--- a/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/permissions.py
+++ b/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/permissions.py
@@ -34,8 +34,8 @@ def get_project_roles_for_user(user):

        try:
            return tuple(user.project_roles)
-        except AttributeError:
-            # the user is a non-TMSSUser, for example anonyous/not-logged-in
+        except (AttributeError, TypeError):
+            # the user is a non-TMSSUser, for example anonyous/not-logged-in, or project_roles are None
            # return empty project roles
            return tuple()