Carles/312 api security

[txels]

Functional description

Supports two security mechanisms as defined in http://txels.tpondemand.com/entity/312.

• User: an authenticated user, in which case only her objects will be visible
• Client: a client will use a token.

Tokens need to be created in core (can be done via admin), and then you will be able to register this token in the client, e.g. storing it as a setting.

Tokens are fairly simple things, consisting of an informative label and a key. We can eventually later extend this to use tokens for other purposes (teams and users).

Additionally to the permissions/ownership check, I added a useful mixin that allows to dynamically limit which fields to return in the payload.

Permissions and dynamic field mixin are applied for now to repos and features.

Example for manual testing:

• Create a token in the admin
• Create some team, users, projects, and features or repos
• Browse to /core/features/feature/?X-Ployst-Access-Token=<token_key>&fields=feature_id,title without logging in - should see all features
• Same without token - get a 403
• Log in (via admin) with some account that cannot access all features and browse to /core/features/feature/ - should see only features from projects of own teams

---

Code details

This work in progress includes:

• API base classes for security and ownership checks.
• A mixin for filtering fields
• A testcase mixin that simplifies writing tests that require passing ownership checks
• Fixes the "not implemented" failing test - we're all green now :)

I'll probably extend this with additional tests for the base classes/mixins. If you have suggestions about what else to test let me know.