added security layer for adding users in bulk from superuser account …

…only
developer-student-club-thapar · Apr 20, 2022 · 28f11a6 · 28f11a6
1 parent 9ab7b69
commit 28f11a6
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 1 deletion.
diff --git a/officialWebsite/config/settings.py b/officialWebsite/config/settings.py
@@ -32,6 +32,8 @@
 
     # Third-party apps
     "rest_framework",
+    'rest_framework.authtoken',
+    "dj_rest_auth",
     'corsheaders',
 
     # Backend Apps
@@ -57,6 +59,14 @@
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
+REST_FRAMEWORK = {
+   'DEFAULT_AUTHENTICATION_CLASSES': (
+       'rest_framework.authentication.TokenAuthentication',
+   ),
+   'DEFAULT_PERMISSION_CLASSES': (
+        'rest_framework.permissions.IsAdminUser'
+   ),
+}
 ROOT_URLCONF = "officialWebsite.config.urls"
 
 TEMPLATES = [
@@ -123,6 +133,10 @@
 
 AUTH_USER_MODEL = "users.User"
 CORS_ORIGIN_ALLOW_ALL = True
+
+ACCOUNT_AUTHENTICATION_METHOD = "email"
+ACCOUNT_USERNAME_REQUIRED = False
+AUTHENTICATION_BACKENDS = ("django.contrib.auth.backends.ModelBackend",)
 if DEBUG:
     STATIC_URL = "/static/"
     STATICFILES_DIRS = [os.path.join(BASE_DIR, "static_files")]
@@ -155,4 +169,4 @@
 
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
-BULK_ADD = False
+BULK_ADD = True
diff --git a/officialWebsite/config/urls.py b/officialWebsite/config/urls.py
@@ -27,6 +27,8 @@
 from officialWebsite.event import views as event_views
 from officialWebsite.resource import views as resource_views
 from officialWebsite.team import views as team_views
+
+from rest_framework.authtoken.views import obtain_auth_token
 admin.site.site_header = "Developer Student Club TIET"
 admin.site.site_title = "DSC-TIET"
 admin.site.index_title = "DSC-TIET"
@@ -66,6 +68,7 @@
         auth_views.PasswordResetCompleteView.as_view(),
         name="password_reset_complete",
     ),
+    path("api/auth/", include("dj_rest_auth.urls")),
     path("admin/", admin.site.urls),
 ]
 

diff --git a/officialWebsite/users/views.py b/officialWebsite/users/views.py
@@ -3,6 +3,11 @@
 from rest_framework import generics
 from officialWebsite.users.models import User, Year
 from officialWebsite.users.serializers import UserSerializer
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
+
+class IsSuperUser(IsAdminUser):
+    def has_permission(self, request, view):
+        return bool(request.user and request.user.is_superuser)
 
 class LeadListView(APIView):
     """List all leads"""
@@ -80,6 +85,9 @@ def get(self, request, year, format=None):
         return Response(members)
 
 class UserCreateView(generics.ListCreateAPIView):
+    # authenticated
+    permission_classes = (IsSuperUser, )
+
     queryset = User.objects.all()
     serializer_class = UserSerializer
 

diff --git a/requirements.txt b/requirements.txt
@@ -3,6 +3,7 @@ backports.entry-points-selectable==1.1.1
 backports.zoneinfo==0.2.1
 cfgv==3.3.1
 distlib==0.3.4
+dj-rest-auth==2.2.4
 Django==4.0.2
 django-cors-headers==3.11.0
 django-environ==0.8.1