diff --git a/apiserver/apiserver/api/permissions.py b/apiserver/apiserver/api/permissions.py
index 46e999f..bde5278 100644
--- a/apiserver/apiserver/api/permissions.py
+++ b/apiserver/apiserver/api/permissions.py
@@ -5,7 +5,16 @@ class AllowMetadata(BasePermission):
 return request.method in ['OPTIONS', 'HEAD']
 def is_admin_director(user):
- return bool(user.is_staff or user.member.is_director or user.member.is_staff)
+ if user.is_staff:
+ return True
+
+ if hasattr(user, 'member'):
+ if user.member.is_director:
+ return True
+ if user.member.is_staff:
+ return True
+
+ return False
 class IsObjOwnerOrAdmin(BasePermission):
 def has_object_permission(self, request, view, obj):
diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index daa2179..cbe7910 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -1,7 +1,7 @@
 from django.contrib.auth.models import User, Group
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.db.models import Max
-from django.http import HttpResponse
+from django.http import HttpResponse, Http404
 from django.core.files.base import File
 from django.core.cache import cache
 from rest_framework import viewsets, views, mixins, generics, exceptions
@@ -26,6 +26,7 @@ from .permissions import (
 IsAdminOrReadOnly,
 IsInstructorOrReadOnly
 )
+from .. import settings
 # define some shortcuts
 Base = viewsets.GenericViewSet
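Review bot: `is_admin_director` becomes the only gate in front of the new `BackupView`, yet the rewritten body has no docstring stating its contract, and the two inner `if`s duplicate each other; `if user.member.is_director or user.member.is_staff: return True` says the same in one line, under a docstring such as `"""Return True when *user* may act as an admin: Django staff flag, or a linked member that is a director or staff."""`. The `hasattr` guard fails closed when no member is linked (an anonymous user, for instance), which is the right default for an authorization helper; be aware that `hasattr` also swallows any other `AttributeError` raised while resolving `user.member`, so a bug on that path shows up as a silent deny rather than an error. The body of `is_admin_director` is complete within the hunk.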
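Review bot: `from .. import settings` binds the project's settings module directly instead of going through `django.conf.settings`, so any value applied on Django's settings object (a test `override_settings`, or a different module chosen via `DJANGO_SETTINGS_MODULE`) is presumably not seen by the new `settings.PRODUCTION_HOST` read in `BackupView`; `from django.conf import settings` is the usual spelling and leaves the call site unchanged. The import is also placed after the `.permissions` import rather than with the other Django imports at the top of the file.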
@@ -331,6 +332,26 @@ class StatsView(views.APIView):
 return Response(stats)
+class BackupView(views.APIView):
+ def get(self, request):
+ if not is_admin_director(self.request.user):
+ raise exceptions.PermissionDenied()
+
+ backup_path = cache.get('backup_path')
+ backup_url = 'https://static.{}/backups/{}'.format(
+ settings.PRODUCTION_HOST,
+ backup_path,
+ )
+
+ if not backup_path:
+ raise Http404
+
+ if request.META['HTTP_USER_AGENT'].lower().startswith('wget'):
+ return redirect(backup_url)
+ else:
+ return Response(dict(url=backup_url))
+
+
 class RegistrationView(RegisterView):
 serializer_class = serializers.MyRegisterSerializer
diff --git a/apiserver/apiserver/urls.py b/apiserver/apiserver/urls.py
index ef38f41..12d50b3 100644
--- a/apiserver/apiserver/urls.py
+++ b/apiserver/apiserver/urls.py
@@ -30,5 +30,6 @@ urlpatterns = [
 url(r'^user/', views.UserView.as_view(), name='user'),
 url(r'^ping/', views.PingView.as_view(), name='ping'),
 url(r'^stats/', views.StatsView.as_view(), name='stats'),
+ url(r'^backup/', views.BackupView.as_view(), name='backup'),
 url(IPN_ROUTE, views.IpnView.as_view(), name='ipn'),
 ]
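Review bot: `request.META['HTTP_USER_AGENT']` raises `KeyError` when the client sends no User-Agent header, which becomes a 500 for an admin who has already passed the permission check; read it as `user_agent = request.META.get('HTTP_USER_AGENT', '')` and test `user_agent.lower().startswith('wget')`. `backup_url` is also formatted before `backup_path` is checked, so the `raise Http404` branch belongs above the `.format(...)` call, and `self.request.user` can simply be `request.user` since `request` is the method's parameter. From a defender's view the permission check only controls who learns the URL: the file itself is served from the static host under `/backups/<backup_path>`, so access in practice rests on `backup_path` being unguessable and presumably rotated — worth recording in a class docstring and confirming against whatever populates the `'backup_path'` cache key, which is not visible here. Choosing redirect versus JSON by sniffing the User-Agent for `wget` is brittle; an explicit query parameter or the `Accept` header would make the client's intent unambiguous.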