Add some helpers + CRUD & more restructuring

Author: lasley

oauth_provider/controllers/oauth_api_controller.py

@@ -68,20 +68,19 @@ def data_get(self, access_token=None, model=None, *args, **kwargs):
                 operation.
             model (str): Name of model to operate on.
             domain (list, optional): Domain to apply to the search, in the
-                standard Odoo format. This only applies if there is not
-                already a filter on the token scope. Otherwise, the scope
-                will take precedence.
+                standard Odoo format. This will be appended to the scope's
+                pre-existing filter.
         """
         token = self._get_token(access_token)
         model = self._get_model(model)
-        data = token.get_data_for_model(
+        data = token.get_data(
             model,
             domain=kwargs.get('domain', []),
         )
         return self._json_response(data=data)
 
     @route('/oauth2/data',
-           type='oauth',
+           type='json',
            auth='none',
            csrf=False,
            methods=['POST'],

oauth_provider/exceptions.py

@@ -4,16 +4,28 @@
 
 from werkzeug import exceptions
 
+from odoo import _
+
 
 class OauthApiException(exceptions.BadRequest):
     pass
 
 
 class OauthInvalidTokenException(exceptions.Unauthorized):
+
     def __init__(self):
         super(OauthInvalidTokenException, self).__init__(
-            'Invalid or Expired Token',
+            _('Invalid or expired token'),
         )
         self.traceback = ('', '', '')
 
 
+class OauthScopeValidationException(exceptions.Forbidden):
+
+    def __init__(self, code='unknown'):
+        msg = _(
+            'There was an error validating the attempted action against '
+            'your session\'s authorized scope. The error code is: %s',
+        )
+        super(OauthInvalidTokenException, self).__init__(msg % code)
+        self.traceback = ('', '', '')

oauth_provider/models/oauth_provider_scope.py

@@ -6,9 +6,12 @@
 import dateutil
 import time
 from collections import defaultdict
-from odoo import models, api, fields
+
+from odoo import api, fields, models, _
 from odoo.tools.safe_eval import safe_eval
 
+from ..exceptions import OauthScopeValidationException
+
 
 class OauthProviderScope(models.Model):
     _name = 'oauth.provider.scope'
@@ -41,9 +44,10 @@ class OauthProviderScope(models.Model):
         ('code_unique', 'UNIQUE (code)',
          'The code of the scopes must be unique !'),
     ]
-
+    
+    @property
     @api.model
-    def _get_ir_filter_eval_context(self):
+    def ir_filter_eval_context(self):
         """ Returns the base eval context for ir.filter domains evaluation """
         return {
             'datetime': datetime,
@@ -54,23 +58,46 @@ def _get_ir_filter_eval_context(self):
         }
 
     @api.multi
-    def get_data_for_model(self, model, res_id=None, all_scopes_match=False):
-        """ Return the data matching the scopes from the requested model """
+    def filter_by_model(self, model):
+        """ Return the current scopes that are associated to the model.
+
+        Args:
+            model (str): Name of the model to operate on.
+
+        Returns:
+            OauthProviderScope: Recordsets associated to the model.
+        """
+        return self.filtered(lambda record: record.model == model)
+
+    @api.multi
+    def get_data(self, model, res_id=None, all_scopes_match=False,
+                 domain=None):
+        """ Return the data matching the scopes from the requested model.
+
+        Args:
+            model (str): Name of the model to operate on.
+            res_id (int): ID of record to find. Will only return this record,
+                if defined.
+            all_scopes_match (bool): True to filter out records that do not
+                match all of the scopes in the current recordset.
+            domain (list of tuples, optional): Domain to append to the
+                `filter_domain` that is defined in the scope.
+
+        Returns:
+            dict: If `res_id` is defined, this will be the scoped data for the
+                appropriate record (or empty dict if no match). Otherwise,
+                this will be a dictionary of scoped record data, keyed by
+                record ID.
+        """
+
         data = defaultdict(dict)
-        eval_context = self._get_ir_filter_eval_context()
+        eval_context = self.ir_filter_eval_context
         all_scopes_records = self.env[model]
-        for scope in self.filtered(lambda record: record.model == model):
-            # Retrieve the scope's domain
-            filter_domain = [(1, '=', 1)]
-            if scope.filter_id:
-                filter_domain = safe_eval(
-                    scope.filter_id.sudo().domain, eval_context)
-            if res_id is not None:
-                filter_domain.append(('id', '=', res_id))
-
-            # Retrieve data of the matching records, depending on the scope's
-            # fields
-            records = self.env[model].search(filter_domain)
+
+        for scope in self.filter_by_model(model):
+
+            records = scope._get_scoped_records(eval_context, domain)
+
             for record_data in records.read(scope.field_ids.mapped('name')):
                 for field, value in record_data.items():
                     if isinstance(value, tuple):
@@ -86,17 +113,174 @@ def get_data_for_model(self, model, res_id=None, all_scopes_match=False):
                 all_scopes_records &= records
 
         # If all scopes are required to match, filter the results to keep only
-        # those mathing all scopes
+        # those matching all scopes
         if all_scopes_match:
-            data = dict(filter(
-                lambda record_data: record_data[0] in all_scopes_records.ids,
-                data.items()))
-
-        # If a single record was requested, return only data coming from this
-        # record
-        # Return an empty dictionnary if this record didn't recieve data to
-        # return
+            data = dict(
+                filter(
+                    lambda _data: _data[0] in all_scopes_records.ids,
+                    data.items(),
+                ),
+            )
+
         if res_id is not None:
             data = data.get(res_id, {})
 
         return data
+
+    @api.multi
+    def create_record(self, model, vals):
+        """ Create a record, validate the scope, and return (if valid).
+
+        Args:
+            model (str): Name of the model to operate on.
+            vals (dict): Values to create record with, keyed by field name.
+
+        Returns:
+            OauthProviderScope: Newly created record
+
+        Raises:
+            OauthScopeValidationException: If fields are included in vals,
+                but are not within the current scope.
+        """
+        
+        if not self._validate_scope_field(model, vals):
+            raise OauthScopeValidationException('field')
+
+        record = self.env[model].create(vals)
+
+        if not self._validate_scope_record(record):
+            raise OauthScopeValidationException('record')
+
+        return record
+
+    @api.multi
+    def write_record(self, records, vals):
+        """ Write to a recordset, adhering to the current scope.
+
+        Args:
+            records (models.Model): Recordset to write to.
+            vals (dict): Values to modify records with, keyed by field name.
+
+        Returns:
+            OauthProviderScope: The same recordset that was provided as input.
+
+        Raises:
+            OauthScopeValidationException: Raised in the following cases:
+                * If records are attempted to be edited, but are not within
+                    the current scope.
+                * If fields are included in vals, but are not within the
+                    current scope.
+                * If the record no longer falls within scope after being
+        """
+
+        if not self._validate_scope_field(records._name, vals):
+            raise OauthScopeValidationException('field')
+
+        if not self._validate_scope_record(records):
+            raise OauthScopeValidationException('record')
+
+        records.write(vals)
+
+        if not self._validate_scope_record(records):
+            raise OauthScopeValidationException('record')
+
+        return records
+
+    @api.multi
+    def delete_record(self, records):
+        """ Delete a recordset that is within the current scope.
+
+        Args:
+            records (models.Model): Recordset to delete.
+
+        Raises:
+            OauthScopeValidationException: If records are not within the
+                current scope.
+        """
+        
+        if not self._validate_scope_record(records):
+            raise OauthScopeValidationException('record')
+
+        records.unlink()
+
+    @api.multi
+    def _get_filter_domain(self, eval_context):
+        """ Return the scope's domain.
+
+        Args:
+            eval_context (dict): Base eval context, such as provided by
+                `ir_filter_eval_context`
+
+        Returns:
+            list of tuples: Domain of the scope, in standard Odoo format.
+        """
+        self.ensure_one()
+        filter_domain = [(1, '=', 1)]
+        if self.filter_id:
+            filter_domain = safe_eval(
+                self.filter_id.sudo().domain,
+                eval_context,
+            )
+        if res_id is not None:
+            filter_domain.append(
+                ('id', '=', res_id),
+            )
+        return filter_domain
+
+    @api.multi
+    def _get_scoped_records(self, model, eval_context=None, add_domain=None):
+        """ Return records that are within the scopes in the recordset.
+
+        Args:
+            model (str): Name of the model to operate on.
+            eval_context (dict, optional): Base eval context, such as provided
+                by `ir_filter_eval_context`.
+            add_domain (list of tuples, optional): Domain to append to the
+                `filter_domain` that is defined in the scope.
+
+        Returns:
+            models.Model: Recordset matching the scope.
+        """
+        self.ensure_one()
+        if eval_context is None:
+            eval_context = self.ir_filter_eval_context
+        if add_domain is None:
+            add_domain = []
+        filter_domain = self._get_filter_domain(eval_context)
+        return self.env[model].search(filter_domain + add_domain)
+
+    @api.multi
+    def _validate_scope_record(self, records):
+        """ Validate that the recordset is within the current scope.
+
+        Args:
+            records (models.Model): Recordset to validate.
+
+        Returns:
+            bool: Indicating whether the records are within scope.
+        """
+
+        scoped_records = self._get_scoped_records(
+            self.env[records._name],
+        )
+        return all([
+            r.id in scoped_records for r in records
+        ])
+
+    @api.multi
+    def _validate_scope_field(self, model, vals):
+        """ Validate that the input vals do not violate the current scope.
+
+        Args:
+            model (str): Name of the model to operate on.
+            vals (dict): Values that should be checked against the current
+                scope, keyed by field name.
+
+        Returns:
+            bool: Whether the values are within the scope.
+        """
+        scopes = self.filter_by_model(model)
+        field_names = scopes.field_ids.mapped('name')
+        return all([
+            f in field_names for f in vals.keys()
+        ])

oauth_provider/models/oauth_provider_token.py

@@ -39,6 +39,12 @@ class OauthProviderToken(models.Model):
          'The refresh token must be unique per client !'),
     ]
 
+    @property
+    @api.multi
+    def user_scopes(self):
+        self.ensure_one()
+        return self.sudo(user=self.user_id).scope_ids
+
     @api.multi
     def _compute_active(self):
         for token in self:
@@ -85,15 +91,30 @@ def generate_user_id(self):
         return self.client_id.generate_user_id(self.user_id)
 
     @api.multi
-    def get_data_for_model(self, model, res_id=None, all_scopes_match=False):
+    def get_data(self, model, res_id=None, all_scopes_match=False,
+                 domain=None):
         """ Returns the data of the accessible records of the requested model,
 
+        Args:
+            model (str): Name of the model to operate on.
+            res_id (int): ID of record to find. Will only return this record,
+                if defined.
+            all_scopes_match (bool): True to filter out records that do not
+                match all of the scopes in the current recordset.
+            domain (list of tuples, optional): Domain to append to the
+                `filter_domain` that is defined in the scope.
+
+        Returns:
+            dict: If `res_id` is defined, this will be the scoped data for the
+                appropriate record (or empty dict if no match). Otherwise,
+                this will be a dictionary of scoped record data, keyed by
+                record ID.
+
         Data are returned depending on the allowed scopes for the token
         If the all_scopes_match argument is set to True, return only records
         allowed by all token's scopes
         """
-        self.ensure_one()
-
         # Retrieve records allowed from all scopes
-        return self.sudo(user=self.user_id).scope_ids.get_data_for_model(
-            model, res_id=res_id, all_scopes_match=all_scopes_match)
+        return self.user_scopes.get_data(
+            model, res_id=res_id, all_scopes_match=all_scopes_match,
+        )