From 66bae84aa96812c24d969d0e3a5dd20774401dc0 Mon Sep 17 00:00:00 2001 From: Piero Toffanin Date: Thu, 15 Jun 2017 14:34:51 -0400 Subject: [PATCH] Added permissions display, updated docs --- app/api/projects.py | 10 ++++++---- app/tests/test_api.py | 17 +++++++++++++++-- slate/source/includes/reference/_permissions.md | 12 +++++++++++- slate/source/includes/reference/_project.md | 9 ++++++++- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/app/api/projects.py b/app/api/projects.py index 2c2f5211..ed345c4f 100644 --- a/app/api/projects.py +++ b/app/api/projects.py @@ -1,12 +1,9 @@ +from guardian.shortcuts import get_perms from rest_framework import serializers, viewsets from app import models from .tasks import TaskIDsSerializer -#class PermissionsSerializer(serializers.ModelSerializer): -# class Meta: -# model = models.Project - class ProjectSerializer(serializers.ModelSerializer): tasks = TaskIDsSerializer(many=True, read_only=True) @@ -14,6 +11,11 @@ class ProjectSerializer(serializers.ModelSerializer): default=serializers.CurrentUserDefault() ) created_at = serializers.ReadOnlyField() + permissions = serializers.SerializerMethodField() + + def get_permissions(self, obj): + return list(map(lambda p: p.replace("_project", ""), get_perms(self.context['request'].user, obj))) + class Meta: model = models.Project diff --git a/app/tests/test_api.py b/app/tests/test_api.py index ac6a538c..43dd8082 100644 --- a/app/tests/test_api.py +++ b/app/tests/test_api.py 
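Review bot: `get_permissions` indexes `self.context['request']` directly, so any code that builds `ProjectSerializer` without a request in its context would raise `KeyError` instead of returning an empty list. A guard such as `request = self.context.get('request')` followed by `if request is None: return []` keeps the field safe to serialize. `p.replace("_project", "")` also strips the substring wherever it occurs, not only as a suffix, so a custom codename with `_project` in the middle would be mangled; checking `p.endswith("_project")` before trimming avoids that. The field is advisory output for clients, so a short docstring should say that enforcement still rests on the viewset's permission checks, which are outside this hunk. On list responses `get_perms` is called once per project, which likely adds permission queries per row.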
@@ -196,8 +196,14 @@ class TestApi(BootTestCase): self.assertTrue(task.last_error is None) self.assertTrue(task.pending_action == pending_actions.REMOVE) - # Can delete project that we we own temp_project = Project.objects.create(owner=user) + + # We have permissions to do anything on a project that we own + res = client.get('/api/projects/{}/'.format(project.id)) + for perm in ['delete', 'change', 'view', 'add']: + self.assertTrue(perm in res.data['permissions']) + + # Can delete project that we we own res = client.delete('/api/projects/{}/'.format(temp_project.id)) self.assertTrue(res.status_code == status.HTTP_204_NO_CONTENT) self.assertTrue(Project.objects.filter(id=temp_project.id).count() == 0) # Really deleted @@ -207,8 +213,15 @@ class TestApi(BootTestCase): res = client.delete('/api/projects/{}/'.format(other_temp_project.id)) self.assertTrue(res.status_code == status.HTTP_404_NOT_FOUND) - # Can't delete a project for which we just have view permissions assign_perm('view_project', user, other_temp_project) + + # We have view permissions only + res = client.get('/api/projects/{}/'.format(other_temp_project.id)) + self.assertTrue('view' in res.data['permissions']) + for perm in ['delete', 'change', 'add']: + self.assertFalse(perm in res.data['permissions']) + + # Can't delete a project for which we just have view permissions res = client.delete('/api/projects/{}/'.format(other_temp_project.id)) self.assertTrue(res.status_code == status.HTTP_403_FORBIDDEN) diff --git a/slate/source/includes/reference/_permissions.md b/slate/source/includes/reference/_permissions.md index eb0d0d90..403a2784 100644 --- a/slate/source/includes/reference/_permissions.md +++ b/slate/source/includes/reference/_permissions.md 
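Review bot: The new owner check reads `res.data['permissions']` without first asserting the response status, so a failed GET would surface as a `KeyError` rather than a clear assertion failure; add `self.assertEqual(res.status_code, status.HTTP_200_OK)` before the loop. `self.assertTrue(perm in res.data['permissions'])` reports only that False is not true, whereas `self.assertIn(perm, res.data['permissions'])` prints the list that was actually returned. The same applies to the `assertTrue`/`assertFalse` membership checks in the next hunk of this file (`assertIn` / `assertNotIn`). The enclosing test method starts and ends outside the hunk.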
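Review bot: The view-only case rules out just three named permissions, so a regression that exposed some other permission string to a view-only user would pass unnoticed. Comparing the whole value, `self.assertEqual(set(res.data['permissions']), {'view'})`, pins exactly what is disclosed. This assumes the test user picks up no extra object permissions through a group, which the hunk does not show. The DELETE just above returns 404 when the user has no permission on the project, so presumably a GET does too; an explicit assertion for that GET would confirm the permissions list is never returned for objects the user cannot see, if it is not covered elsewhere.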
@@ -8,4 +8,14 @@ On top of that, WebODM features a powerful `row level` permission system. You ca Changes to the permissions of objects can be handled via the `Administration` page of WebODM. -We are planning to make it easier for users and developers to handle permissions via an API. This is a work in progress. \ No newline at end of file +We are planning to make it easier for users and developers to handle permissions via an API. This is a work in progress. + + +### Permission Values + +Permission | Description +----- | ----------- +delete | The object can be deleted +change | The object can be edited +add | A related object can be added to the object (a task can be added to the project) +view | The object can be viewed (read-only) \ No newline at end of file diff --git a/slate/source/includes/reference/_project.md b/slate/source/includes/reference/_project.md index b82c3da0..0656f197 100644 --- a/slate/source/includes/reference/_project.md +++ b/slate/source/includes/reference/_project.md @@ -12,7 +12,13 @@ ], "created_at": "2016-12-07T02:09:28.515319Z", "name": "Test", - "description": "" + "description": "", + "permissions": [ + "delete", + "change", + "add", + "view" + ] } ``` @@ -25,6 +31,7 @@ tasks | int[] | List of task IDs associated with this project created_at | string | Creation date and time name | string | Name of the project description | string | A more in-depth description +permissions | string[] | List of actions that the current user is allowed to perform. See [Permissions Values](#permission-values) ### Create a project