Add ability to limit APITokens to a package
authorrubenwardy <rw@rubenwardy.com>
Fri, 24 Jan 2020 19:26:00 +0000 (19:26 +0000)
committerrubenwardy <rw@rubenwardy.com>
Fri, 24 Jan 2020 19:26:00 +0000 (19:26 +0000)
app/blueprints/api/tokens.py
app/models.py
app/templates/api/create_edit_token.html
migrations/versions/df66c78e6791_.py [new file with mode: 0644]

index fcc22bb6246eea0cc98867bade1e846c716e210c..b8da78dbcf896e6bc9e6c41b754b24b0797afefb 100644 (file)
@@ -29,6 +29,8 @@ from wtforms.ext.sqlalchemy.fields import QuerySelectField
 
 class CreateAPIToken(FlaskForm):
        name         = StringField("Name", [InputRequired(), Length(1, 30)])
+       package      = QuerySelectField("Limit to package", allow_blank=True, \
+                       get_pk=lambda a: a.id, get_label=lambda a: a.title)
        submit       = SubmitField("Save")
 
 
@@ -70,6 +72,8 @@ def create_edit_token(username, id=None):
                access_token = session.pop("token_" + str(id), None)
 
        form = CreateAPIToken(formdata=request.form, obj=token)
+       form.package.query_factory = lambda: Package.query.filter_by(author=user).all()
+
        if request.method == "POST" and form.validate():
                if is_new:
                        token = APIToken()
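Review bot: The added `form.package.query_factory` line is the only visible control that keeps a token from being bound to a package the user does not author, and nothing in the code says so. A comment above it would protect it from being loosened later, e.g. `# Security: choices are limited to this user's packages; QuerySelectField rejects any other id in validate()`. `create_edit_token` starts and ends outside this hunk, so the code that copies `form.package.data` onto the token is not visible here. It is worth confirming that the selection is actually stored, because a dropped value would leave the token unrestricted.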
index 2e37758c05e136b745a61b93f0b1318d5bc8b579..18490751459a175759f57c2e00a18ab85dc8f974 100644 (file)
@@ -864,12 +864,21 @@ class PackageScreenshot(db.Model):
 class APIToken(db.Model):
        id           = db.Column(db.Integer, primary_key=True)
        access_token = db.Column(db.String(34), unique=True)
+
        name         = db.Column(db.String(100), nullable=False)
        owner_id     = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
+       # owner is created using backref
+
        created_at   = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
 
+       package_id = db.Column(db.Integer, db.ForeignKey("package.id"), nullable=True)
+       package    = db.relationship("Package", foreign_keys=[package_id])
+
        def canOperateOnPackage(self, package):
-               return packages.count() == 0 or package in packages
+               if self.package and self.package != None:
+                       return False
+
+               return package.owner == self.owner
 
 
 class EditRequest(db.Model):
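Review bot: `canOperateOnPackage` returns False for every package once the token has a `package` set, including the one it was limited to, because the guard `if self.package and self.package != None` never compares against the `package` argument. The check should be `if self.package is not None and self.package != package: return False`. The last line reads `package.owner`, while the form code in this commit filters with `Package.query.filter_by(author=user)`, so the attribute is probably `author`; the Package model is not visible here, so confirm it. Both mistakes fail closed rather than open, but a unit test covering the limited, unlimited and wrong-package cases would pin the intended scope rule.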
index 582cb94f08da5611e22648e80ec64887de11b489..c56a097bc4d8c69a94b3b07972fe7ffa0a5f6259 100644 (file)
@@ -47,6 +47,7 @@
                {{ form.hidden_tag() }}
 
                {{ render_field(form.name, placeholder="Human readable") }}
+               {{ render_field(form.package) }}
 
                {{ render_submit_field(form.submit) }}
        </form>
diff --git a/migrations/versions/df66c78e6791_.py b/migrations/versions/df66c78e6791_.py
new file mode 100644 (file)
index 0000000..b3f4088
--- /dev/null
@@ -0,0 +1,26 @@
+"""empty message
+
+Revision ID: df66c78e6791
+Revises: a0f6c8743362
+Create Date: 2020-01-24 18:39:58.363417
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = 'df66c78e6791'
+down_revision = 'a0f6c8743362'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.add_column('api_token', sa.Column('package_id', sa.Integer(), nullable=True))
+    op.create_foreign_key(None, 'api_token', 'package', ['package_id'], ['id'])
+
+
+def downgrade():
+    op.drop_constraint(None, 'api_token', type_='foreignkey')
+    op.drop_column('api_token', 'package_id')
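Review bot: `op.create_foreign_key(None, ...)` in `upgrade()` leaves the constraint name to the database, and `op.drop_constraint(None, 'api_token', type_='foreignkey')` in `downgrade()` then has no name to drop, so the downgrade is expected to fail. Give both calls the same explicit name (example name only): `op.create_foreign_key('fk_api_token_package_id', 'api_token', 'package', ['package_id'], ['id'])` and `op.drop_constraint('fk_api_token_package_id', 'api_token', type_='foreignkey')`. The key also declares no `ondelete`. That choice is security-relevant, because `SET NULL` would turn a package-limited token into an unrestricted one when its package is deleted, so `CASCADE` or the default restriction is the safer option. The docstring `empty message` could instead say that the revision adds `api_token.package_id`.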