| author | Rafi Zadanly <zadanlyr@gmail.com> | 2023-03-09 06:11:55 +0700 |
|---|---|---|
| committer | Rafi Zadanly <zadanlyr@gmail.com> | 2023-03-09 06:11:55 +0700 |
| commit | 60c166f8b4f5f9cd8d4cdf6422f53d8b5d083648 (patch) | |
| tree | 439910148373c0b207838ec701a8bc13947b91d6 /indoteknik_api/controllers/api_v1 | |
| parent | f790892bb6cf7bd7871e841af92ce3edfc76b8c2 (diff) | |
Optimize auth method
Diffstat (limited to 'indoteknik_api/controllers/api_v1')
21 files changed, 65 insertions, 214 deletions
diff --git a/indoteknik_api/controllers/api_v1/banner.py b/indoteknik_api/controllers/api_v1/banner.py
index 4638d095..3fdba0af 100644
--- a/indoteknik_api/controllers/api_v1/banner.py
+++ b/indoteknik_api/controllers/api_v1/banner.py
@@ -7,10 +7,8 @@ class Banner(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'banner', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_banner(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 manufacture_id = kw.get('manufacture_id')
 type = kw.get('type')
 limit = int(kw.get('limit', 0))
diff --git a/indoteknik_api/controllers/api_v1/blog.py b/indoteknik_api/controllers/api_v1/blog.py
index af7c4245..5f4f728e 100644
--- a/indoteknik_api/controllers/api_v1/blog.py
+++ b/indoteknik_api/controllers/api_v1/blog.py
@@ -7,10 +7,8 @@ class Blog(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'blog', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_blog(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 limit = int(kw.get('limit', 0))
 offset = int(kw.get('offset', 0))
 query = [('active', '=', True)]
@@ -27,10 +25,8 @@ class Blog(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'blog/<id>', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_blog_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 if not id:
 return self.response(code=400, description='id is required')
diff --git a/indoteknik_api/controllers/api_v1/brand_homepage.py b/indoteknik_api/controllers/api_v1/brand_homepage.py
index 9efe307d..42a7c2f3 100644
--- a/indoteknik_api/controllers/api_v1/brand_homepage.py
+++ b/indoteknik_api/controllers/api_v1/brand_homepage.py
@@ -7,10 +7,8 @@ class BrandHomepage(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'brand_homepage', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_brand_homepage(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 query = [('status', '=', 'tayang')]
diff --git a/indoteknik_api/controllers/api_v1/cart.py b/indoteknik_api/controllers/api_v1/cart.py
index 6c540330..a8628432 100644
--- a/indoteknik_api/controllers/api_v1/cart.py
+++ b/indoteknik_api/controllers/api_v1/cart.py
@@ -7,10 +7,8 @@ class Cart(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'cart', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_cart_by_user_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 user_id = int(kw.get('user_id', 0))
 limit = int(kw.get('limit', 0))
 offset = int(kw.get('offset', 0))
@@ -28,10 +26,8 @@ class Cart(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'cart/create-or-update', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def create_or_update_cart(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 user_id = int(kw.get('user_id', 0))
 product_id = int(kw.get('product_id', 0))
 qty = int(kw.get('qty', 0))
@@ -55,10 +51,8 @@ class Cart(controller.Controller):
 return self.response(result)
 @http.route(prefix + 'cart', auth='public', methods=['DELETE'], csrf=False)
+ @controller.Controller.must_authorized()
 def delete_cart_by_user_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 user_id = int(kw.get('user_id', 0))
 query = [('user_id', '=', user_id)]
 product_ids = kw.get('product_ids')
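Review bot: The cart routes in this file bind every operation to a client-supplied `user_id` (`user_id = int(kw.get('user_id', 0))` in `get_cart_by_user_id`, `create_or_update_cart` and `delete_cart_by_user_id`) yet receive only the plain `@controller.Controller.must_authorized()`, so any holder of a valid token can read, change or delete another user's cart unless the decorator enforces ownership by default, which the separate `private=True` form used in later hunks suggests it does not. This gap predates the commit, but the commit introduces the tool to close it: `@controller.Controller.must_authorized(private=True, private_key='user_id')`, assuming the decorator can read `user_id` from the request body as well as from the path. The same applies to the `partner/<id>/address` PUT and `partner/address` POST routes in partner.py and to `update_user` and `get_user_address_by_id` on `user/<id>` in user.py. The decorator's definition is outside this diff, so confirm which token field it compares for `user_id` before relying on it.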
diff --git a/indoteknik_api/controllers/api_v1/category.py b/indoteknik_api/controllers/api_v1/category.py
index ff1baf6b..b13b0f31 100644
--- a/indoteknik_api/controllers/api_v1/category.py
+++ b/indoteknik_api/controllers/api_v1/category.py
@@ -8,11 +8,8 @@ class Category(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'category/child', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_category_child(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'parent_id': ['number', 'default:0'] })
@@ -25,11 +22,8 @@ class Category(controller.Controller):
 return self.response(categories)
 @http.route(prefix + 'category/tree', auth='public', methods=['GET', 'OPTIONS'])
- def get_category_tree(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
+ @controller.Controller.must_authorized()
+ def get_category_tree(self):
 parent_categories = request.env['product.public.category'].search_read([('parent_frontend_id', '=', False)], ['id', 'name'])
 data = []
 for parent_category in parent_categories:
@@ -57,18 +51,16 @@ class Category(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'categories_homepage/ids', auth='public', methods=['GET', 'OPTIONS'])
- def get_categories_homepage_count(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
+ @controller.Controller.must_authorized()
+ def get_categories_homepage_count(self):
 query = [('status', '=', 'tayang')]
 categories = request.env['website.categories.homepage'].search_read(query, ['id'])
 return self.response([x['id'] for x in categories])
 @http.route(prefix + 'categories_homepage', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_categories_homepage(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 query = [('status', '=', 'tayang')]
 id = kw.get('id')
@@ -100,13 +92,11 @@ class Category(controller.Controller):
 'brands': [request.env['x_manufactures'].api_single_response(y) for y in brands], 'products': [request.env['product.template'].api_single_response(x) for x in products] })
- return self.response(data)
+ return self.response(data, headers=[('Cache-Control', 'max-age=3600, public')])
 @http.route(prefix + 'category/page/<page>', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_category(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 category_ids = []
 page = kw.get('page')
 if page == 'flash-sale':
diff --git a/indoteknik_api/controllers/api_v1/city.py b/indoteknik_api/controllers/api_v1/city.py
index 773cd483..6e0e3edb 100644
--- a/indoteknik_api/controllers/api_v1/city.py
+++ b/indoteknik_api/controllers/api_v1/city.py
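Review bot: `get_categories_homepage` now returns `headers=[('Cache-Control', 'max-age=3600, public')]` on a route that is also gated by `must_authorized()`; `public` lets shared caches store the body and replay it to other clients, which is only acceptable if the response is identical for every caller. The `status = 'tayang'` query suggests it is, but that is not visible from here, and `private` would be the safe default for an authorized response. Separately, `get_category_tree` and `get_categories_homepage_count` drop `**kw` from their signatures; if the route dispatcher ever passes query parameters as keyword arguments these handlers will raise TypeError, so keeping `**kw` is the more robust choice (the same signature change appears in `get_customer_review` in customer.py).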
@@ -6,10 +6,8 @@ class City(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'city', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_city(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 parameters = []
 name = kw.get('name')
diff --git a/indoteknik_api/controllers/api_v1/content.py b/indoteknik_api/controllers/api_v1/content.py
index 2d788306..99077c19 100644
--- a/indoteknik_api/controllers/api_v1/content.py
+++ b/indoteknik_api/controllers/api_v1/content.py
@@ -7,10 +7,8 @@ class WebsiteContent(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'coupon_program', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_coupon_program(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 reward_type = str(kw.get('reward_type', ''))
 limit = int(kw.get('limit', 0))
 offset = int(kw.get('offset', 0))
@@ -26,17 +24,13 @@ class WebsiteContent(controller.Controller):
 'coupon_total': request.env['coupon.program'].search_count(query), 'coupons': [request.env['coupon.program'].api_single_response(x) for x in coupons] }
- # print (data)
+
 return self.response(data)
-
 @http.route(prefix + 'banner/brand', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_banner_by_brand(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
- # base_url = request.env['ir.config_parameter'].get_param('web.base.url')
-
 category_id = int(kw.get('category_id'), 0)
 query = [ ('x_status_banner', '=', 'tayang'),
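Review bot: `category_id = int(kw.get('category_id'), 0)` in `get_banner_by_brand` passes `0` as the radix argument of `int()`, not as the default: a request without `category_id` becomes `int(None, 0)` and raises TypeError (a 500) instead of falling back to 0, and a numeric string is parsed with base auto-detection. The form used by the other handlers is `category_id = int(kw.get('category_id', 0))`. The line is unchanged context here, but it sits directly under the lines this hunk removes, so it is a cheap fix to fold in.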
@@ -63,9 +57,8 @@ class WebsiteContent(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'product_ads', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_product_ads(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 query = [ ('page', '=', 'product'),
@@ -83,15 +76,12 @@ class WebsiteContent(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'video_content', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_video_content(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
- # base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 query = [('status', '=', 'tayang'), ('slide_type', '=', 'video')]
 limit = int(kw.get('limit', 0))
 offset = int(kw.get('offset', 0))
 videos = request.env['website.content'].search(query, limit=limit, offset=offset, order='sequence')
- # data = []
 data = { 'video_total': request.env['website.content'].search_count(query), 'videos': [request.env['website.content'].api_single_response(x) for x in videos]
diff --git a/indoteknik_api/controllers/api_v1/customer.py b/indoteknik_api/controllers/api_v1/customer.py
index 57120751..42877f49 100644
--- a/indoteknik_api/controllers/api_v1/customer.py
+++ b/indoteknik_api/controllers/api_v1/customer.py
@@ -8,10 +8,8 @@ class CustomerReview(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'last_seen_products', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_last_seen_products(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 email = str(kw.get('email', ''))
 if not email:
 return self.response(code=401, description='Unauthorized')
@@ -43,12 +41,9 @@ class CustomerReview(controller.Controller):
 })
 return self.response(data)
-
-
 @http.route(prefix + 'customer_review', auth='public', methods=['GET', 'OPTIONS'])
- def get_customer_review(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
+ @controller.Controller.must_authorized()
+ def get_customer_review(self):
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 query = [('status', '=', 'tayang')]
 reviews = request.env['customer.review'].search(query, order='sequence')
diff --git a/indoteknik_api/controllers/api_v1/district.py b/indoteknik_api/controllers/api_v1/district.py
index 8240ac3b..a6484b4d 100644
--- a/indoteknik_api/controllers/api_v1/district.py
+++ b/indoteknik_api/controllers/api_v1/district.py
@@ -6,10 +6,8 @@ class District(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'district', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_district(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 parameters = []
 name = kw.get('name')
diff --git a/indoteknik_api/controllers/api_v1/flash_sale.py b/indoteknik_api/controllers/api_v1/flash_sale.py
index 45c2f20f..8ff6ac9b 100644
--- a/indoteknik_api/controllers/api_v1/flash_sale.py
+++ b/indoteknik_api/controllers/api_v1/flash_sale.py
@@ -11,10 +11,9 @@ class FlashSale(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'flash_sale', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_flash_sale(self, **kw):
- try:
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
+ try:
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 active_flash_sale = request.env['product.pricelist'].get_active_flash_sale()
 data = {}
diff --git a/indoteknik_api/controllers/api_v1/invoice.py b/indoteknik_api/controllers/api_v1/invoice.py
index 59cacfc4..4937e8dd 100644
--- a/indoteknik_api/controllers/api_v1/invoice.py
+++ b/indoteknik_api/controllers/api_v1/invoice.py
@@ -8,11 +8,8 @@ class Invoice(controller.Controller):
 PREFIX_PARTNER = PREFIX + 'partner/<partner_id>/'
 @http.route(PREFIX_PARTNER + 'invoice', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def get_partner_invoice(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'name': [],
@@ -21,8 +18,6 @@ class Invoice(controller.Controller):
 })
 limit = params['value']['limit']
 offset = params['value']['offset']
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -47,17 +42,12 @@ class Invoice(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'invoice/<id>', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def get_partner_invoice_by_id(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'id': ['number'] })
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
diff --git a/indoteknik_api/controllers/api_v1/manufacture.py b/indoteknik_api/controllers/api_v1/manufacture.py
index b01dc49d..e49872be 100644
--- a/indoteknik_api/controllers/api_v1/manufacture.py
+++ b/indoteknik_api/controllers/api_v1/manufacture.py
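Review bot: The removed check in `get_partner_invoice` compared `user_token['partner_id']` with `params['value']['partner_id']`, i.e. after `get_request_params` had coerced the path value through the `'number'` rule; the new `@controller.Controller.must_authorized(private=True, private_key='partner_id')` runs before the body and can only see the raw `<partner_id>` string in `kw`. Unless the decorator casts that value before comparing, `'42' == 42` is False and every request to these routes is rejected — or, if it tolerates a type mismatch, the ownership check is silently weakened. The decorator's definition is outside this diff; the same concern applies to `get_partner_invoice_by_id` below and to every `private_key='partner_id'` route in sale_order.py. A test per private route with a matching and a non-matching partner id would pin the behaviour.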
@@ -8,10 +8,8 @@ class Manufacture(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'manufacture', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_manufacture(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 query = []
 name = kw.get('name')
@@ -37,10 +35,8 @@ class Manufacture(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'manufacture/<id>', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_manufacture_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 manufacture = request.env['x_manufactures'].search([('id', '=', id)], limit=1)
 data = {}
@@ -49,10 +45,8 @@ class Manufacture(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'manufacture/page/<page>', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_manufacture_by_page(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 manufacture_ids = []
 page = kw.get('page')
 if page == 'flash-sale':
diff --git a/indoteknik_api/controllers/api_v1/page_content.py b/indoteknik_api/controllers/api_v1/page_content.py
index 64f57d3e..f05e37f6 100644
--- a/indoteknik_api/controllers/api_v1/page_content.py
+++ b/indoteknik_api/controllers/api_v1/page_content.py
@@ -6,10 +6,8 @@ class PageContent(controller.Controller):
 PREFIX = '/api/v1/'
 @http.route(PREFIX + 'page-content', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_page_content(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 data = None
 url_path = kw.get('url_path')
 page_content = request.env['website.page.content'].search([('url_path', '=', url_path)], limit=1)
diff --git a/indoteknik_api/controllers/api_v1/partner.py b/indoteknik_api/controllers/api_v1/partner.py
index ba59a1ce..fc05ae90 100644
--- a/indoteknik_api/controllers/api_v1/partner.py
+++ b/indoteknik_api/controllers/api_v1/partner.py
@@ -8,10 +8,8 @@ class Partner(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'partner/<id>/address', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_partner_address_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 params = self.get_request_params(kw, { 'id': ['required', 'number'] })
@@ -24,10 +22,8 @@ class Partner(controller.Controller):
 return self.response(partner)
 @http.route(prefix + 'partner/<id>/address', auth='public', methods=['PUT', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized()
 def write_partner_address_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 params = self.get_request_params(kw, { 'id': ['required', 'number'], 'type': ['default:other'],
@@ -55,10 +51,8 @@ class Partner(controller.Controller):
 })
 @http.route(prefix + 'partner/address', auth='public', methods=['POST', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized()
 def create_partner_address(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 params = self.get_request_params(kw, { 'parent_id': ['required', 'number'], 'type': ['default:other'],
@@ -82,11 +76,8 @@ class Partner(controller.Controller):
 })
 @http.route(prefix + 'partner/<id>', auth='public', methods=['PUT', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized()
 def write_partner_by_id(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'id': ['required', 'number'], 'name': [],
@@ -102,9 +93,6 @@ class Partner(controller.Controller):
 partner = request.env[self._name].search([('id', '=', params['value']['id'])], limit=1)
 if not partner:
 return self.response(code=404, description='User not found')
-
- if user_token['partner_id'] not in self.get_partner_child_ids(partner.id):
- return self.unauthorized_response()
 partner.write(params['value'])
@@ -113,10 +101,8 @@ class Partner(controller.Controller):
 })
 @http.route(prefix + 'partner/industry', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_partner_industry(self):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 partner_industry = request.env['res.partner.industry'].search([])
 data = []
 for industry in partner_industry:
@@ -128,10 +114,8 @@ class Partner(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'partner/company_type', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_partner_company_type(self):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 partner_company_type = request.env['res.partner.company_type'].search([])
 data = []
 for company_type in partner_company_type:
diff --git a/indoteknik_api/controllers/api_v1/product.py b/indoteknik_api/controllers/api_v1/product.py
index dc941f13..c9672223 100644
--- a/indoteknik_api/controllers/api_v1/product.py
+++ b/indoteknik_api/controllers/api_v1/product.py
@@ -12,10 +12,8 @@ class Product(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'new_product', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_new_product(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 is_brand_only = int(kw.get('is_brand_only', 0))
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
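Review bot: `write_partner_by_id` loses its object-level authorization in this hunk: the removed `if user_token['partner_id'] not in self.get_partner_child_ids(partner.id): return self.unauthorized_response()` tied the write to the caller's own partner or one of its children, and the replacement in the previous hunk is the plain `@controller.Controller.must_authorized()`, not the `private=True` form used for the invoice and sale-order routes. As it stands, any authenticated token can PUT `partner/<id>` for any partner record. The `private_key` equality used elsewhere in this commit cannot express the child-partner rule, so the check belongs back after the 404 guard, fed by whatever caller identity the decorator exposes to the handler; if it exposes none, either return the token from the decorator or keep the explicit `self.authenticate()` call on this route. The function body starts outside the hunk.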
@@ -85,10 +83,8 @@ class Product(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'product', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_product(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 name = kw.get('name')
 manufactures = kw.get('manufactures')
 categories = kw.get('categories')
@@ -152,10 +148,8 @@ class Product(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'product/solr', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_product_solr(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 name = kw.get('name')
 solr_flag = kw.get('flag')
 limit = int(kw.get('limit', 0))
@@ -183,10 +177,8 @@ class Product(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'product/<id>', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_product_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 if not id:
 return self.response(code=400, description='id is required')
@@ -200,10 +192,8 @@ class Product(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'product/<id>/similar', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_product_similar_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 if not id:
 return self.response(code=400, description='id is required')
diff --git a/indoteknik_api/controllers/api_v1/product_variant.py b/indoteknik_api/controllers/api_v1/product_variant.py
index 25d051d7..999ced6f 100644
--- a/indoteknik_api/controllers/api_v1/product_variant.py
+++ b/indoteknik_api/controllers/api_v1/product_variant.py
@@ -6,10 +6,8 @@ class ProductVariant(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'product_variant/<id>', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_product_variant_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 if not id:
 return self.response(code=400, description='id is required')
diff --git a/indoteknik_api/controllers/api_v1/promotion.py b/indoteknik_api/controllers/api_v1/promotion.py
index 14d98b14..b137fe2e 100644
--- a/indoteknik_api/controllers/api_v1/promotion.py
+++ b/indoteknik_api/controllers/api_v1/promotion.py
@@ -8,10 +8,8 @@ class Promotion(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'promotion/<id>', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_promotion_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 base_url = request.env['ir.config_parameter'].get_param('web.base.url')
 id = kw.get('id')
 if not id:
diff --git a/indoteknik_api/controllers/api_v1/sale_order.py b/indoteknik_api/controllers/api_v1/sale_order.py
index 5e5aae47..34583c37 100644
--- a/indoteknik_api/controllers/api_v1/sale_order.py
+++ b/indoteknik_api/controllers/api_v1/sale_order.py
@@ -9,12 +9,9 @@ class SaleOrder(controller.Controller):
 PREFIX_PARTNER = prefix + 'partner/<partner_id>/'
 @http.route(prefix + "sale_order_number", auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_number_sale_order(self, **kw): # for midtrans only
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 sale_order_id = int(kw.get('sale_order_id', '0'))
 sale_number = str(kw.get('sale_number', ''))
 if sale_order_id > 0:
@@ -49,11 +46,8 @@ class SaleOrder(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'sale_order', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def get_partner_sale_order(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'name': [],
@@ -62,8 +56,6 @@ class SaleOrder(controller.Controller):
 })
 limit = params['value']['limit']
 offset = params['value']['offset']
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -84,17 +76,12 @@ class SaleOrder(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'sale_order/<id>', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def partner_get_sale_order_detail(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'id': ['number'] })
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -111,17 +98,12 @@ class SaleOrder(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'sale_order/<id>/checkout', auth='public', method=['POST', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def partner_checkout_sale_order_by_id(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'id': ['number'] })
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -207,17 +189,12 @@ class SaleOrder(controller.Controller):
 return self.response('Dokumen tidak ditemukan', code=404)
 @http.route(PREFIX_PARTNER + 'sale_order/<id>/cancel', auth='public', method=['POST', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def partner_cancel_sale_order(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'partner_id': ['number'], 'id': ['number'] })
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -234,11 +211,8 @@ class SaleOrder(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'sale_order/checkout', auth='public', method=['POST', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def create_partner_sale_order(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 product_pricelist_default_discount_id = request.env['ir.config_parameter'].get_param('product.pricelist.default_discount_id')
 product_pricelist_default_discount_id = int(product_pricelist_default_discount_id)
@@ -251,9 +225,6 @@ class SaleOrder(controller.Controller):
 'po_file': [], 'type': [], })
-
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
diff --git a/indoteknik_api/controllers/api_v1/sub_district.py b/indoteknik_api/controllers/api_v1/sub_district.py
index 706cc660..3af7f2e1 100644
--- a/indoteknik_api/controllers/api_v1/sub_district.py
+++ b/indoteknik_api/controllers/api_v1/sub_district.py
@@ -6,10 +6,8 @@ class SubDistrict(controller.Controller):
 prefix = '/api/v1/'
 @http.route(prefix + 'sub_district', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_sub_district(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 parameters = []
 name = kw.get('name')
diff --git a/indoteknik_api/controllers/api_v1/user.py b/indoteknik_api/controllers/api_v1/user.py
index 0c7f8153..1f1f2413 100644
--- a/indoteknik_api/controllers/api_v1/user.py
+++ b/indoteknik_api/controllers/api_v1/user.py
@@ -21,10 +21,8 @@ class User(controller.Controller):
 return data
 @http.route(prefix + 'user/login', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def login(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 email = kw.get('email')
 password = kw.get('password')
 if not email or not password:
@@ -52,10 +50,8 @@ class User(controller.Controller):
 })
 @http.route(prefix + 'user/register', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def register(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 name = kw.get('name')
 email = kw.get('email')
 password = kw.get('password')
@@ -104,10 +100,8 @@ class User(controller.Controller):
 return self.response({'register': True})
 @http.route(prefix + 'user/activation-request', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def request_activation_user(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 email = kw.get('email')
 user = self.get_user_by_email(email)
 if not user:
@@ -117,7 +111,7 @@ class User(controller.Controller):
 return self.response({'activation_request': False, 'reason': 'ACTIVE'})
 token_source = string.ascii_letters + string.digits
- user.activation_token = ''.join(random.choice(token_source) for i in range(20))
+ user.activation_token = ''.join(random.choice(token_source) for i in range(21))
 return self.response({ 'activation_request': True, 'token': user.activation_token,
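Review bot: The changed line in `request_activation_user` still draws the activation token from `random.choice`, which is not a cryptographically secure generator; going from 20 to 21 characters does not change that property. Use the stdlib CSPRNG instead, `user.activation_token = ''.join(secrets.choice(token_source) for _ in range(21))`, with `import secrets` added to the module header (outside this hunk). The token is also echoed in the response body (`'token': user.activation_token` on the context line below), so that response must not be cacheable or end up in request logs.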
@@ -125,10 +119,8 @@ class User(controller.Controller):
 })
 @http.route(prefix + 'user/<id>', auth='public', methods=['PUT', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized()
 def update_user(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 user = request.env['res.users'].search([('id', '=', id)], limit=1)
@@ -146,10 +138,8 @@ class User(controller.Controller):
 })
 @http.route(prefix + 'user/<id>/address', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized()
 def get_user_address_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 id = kw.get('id')
 user = request.env['res.users'].search([('id', '=', id)], limit=1)
@@ -163,10 +153,8 @@ class User(controller.Controller):
 return self.response(address)
 @http.route(prefix + 'user/activation', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def activation_user(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 token = kw.get('token')
 if not token:
 return self.response(code=400, description='token is required')
diff --git a/indoteknik_api/controllers/api_v1/wishlist.py b/indoteknik_api/controllers/api_v1/wishlist.py
index a3299033..50d38dc7 100644
--- a/indoteknik_api/controllers/api_v1/wishlist.py
+++ b/indoteknik_api/controllers/api_v1/wishlist.py
@@ -8,10 +8,8 @@ class Wishlist(controller.Controller):
 PREFIX_USER = prefix + 'user/<user_id>/'
 @http.route(prefix + 'wishlist', auth='public', methods=['GET'])
+ @controller.Controller.must_authorized()
 def get_wishlist_by_user_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 user_id = int(kw.get('user_id', 0))
 product_id = kw.get('product_id', 0)
 variant_id = kw.get('variant_id', 0)
@@ -24,7 +22,6 @@ class Wishlist(controller.Controller):
 query += [('variant_id', '=', int(variant_id))]
 wishlists = request.env['website.user.wishlist'].search(query, limit=limit, offset=offset, order='create_date desc')
- # product = [request.env['product.template'].api_single_response(wishlist.product_id) for wishlist in wishlists]
 product = []
 for wishlist in wishlists:
 if wishlist.product_id:
@@ -38,10 +35,8 @@ class Wishlist(controller.Controller):
 return self.response(data)
 @http.route(prefix + 'wishlist/create-or-delete', auth='public', methods=['POST'], csrf=False)
+ @controller.Controller.must_authorized()
 def create_or_delete_wishlist(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
-
 user_id = int(kw.get('user_id', 0))
 product_id = kw.get('product_id', 0)
 variant_id = kw.get('variant_id', 0)
@@ -74,11 +69,8 @@ class Wishlist(controller.Controller):
 return self.response(result)
 @http.route(PREFIX_USER + 'wishlist', auth='public', methods=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='user_id')
 def get_user_wishlist(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'user_id': ['number'], 'product_id': ['number'],
@@ -87,8 +79,7 @@ class Wishlist(controller.Controller):
 })
 limit = params['value']['limit']
 offset = params['value']['offset']
- if not user_token['id'] == params['value']['user_id']:
- return self.unauthorized_response()
+
 if not params['valid']:
 return self.response(code=400, description=params)
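Review bot: The ownership check removed from `get_user_wishlist` compared `user_token['id']` with `user_id`, whereas the checks removed from the partner routes in invoice.py and sale_order.py compared `user_token['partner_id']`; both now delegate to `must_authorized(private=True, private_key=...)`, so the decorator has to pick the token field from `private_key` (`id` for `user_id`, `partner_id` for `partner_id`) rather than compare one fixed field. Its definition is outside this diff; if it only ever compares the partner id, these user-scoped routes would reject legitimate callers or accept the wrong ones, so a test with a token whose `id` and `partner_id` differ would settle it. The same applies to `create_or_delete_user_wishlist` in the next hunk. The `+` blank line left where the check was removed can simply be dropped.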
@@ -109,17 +100,12 @@ class Wishlist(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_USER + 'wishlist/create-or-delete', auth='public', methods=['POST', 'OPTIONS'], csrf=False)
+ @controller.Controller.must_authorized(private=True, private_key='user_id')
 def create_or_delete_user_wishlist(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, { 'user_id': ['number'], 'product_id': ['required', 'number'], })
- if not user_token['id'] == params['value']['user_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params) |
