From 4ab79e9fc2c2c74c8a34b9fe119d7d6df0289a47 Mon Sep 17 00:00:00 2001
From: Christian Glatthard
Date: Fri, 7 Aug 2015 14:39:51 +0200
Subject: [PATCH] specific endpoints list depending on user permissions
---
 ipynbsrv/api/permissions.py | 18 ++++++++++++++----
 ipynbsrv/api/views.py | 33 +++++++++++++++++++--------------
 2 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/ipynbsrv/api/permissions.py b/ipynbsrv/api/permissions.py
index 7c9daf1..be59f56 100644
--- a/ipynbsrv/api/permissions.py
+++ b/ipynbsrv/api/permissions.py
@@ -84,14 +84,24 @@ def has_object_permission(self, request, view, obj):
 class IsSuperUserOrReadOnly(
 permissions.BasePermission,
+ IsAuthenticatedMixin,
 IsSuperUserMixin,
 IsSafeMethodMixin):
+ def has_permission(self, request, view):
+ if self.is_authenticated(request):
+ if self.is_safe_method(request):
+ return True
+ if self.is_superuser(request.user):
+ return True
+ return False
+
 def has_object_permission(self, request, view, obj):
- if self.is_safe_method(request):
- return True
- if self.is_superuser(request.user):
- return True
+ if self.is_authenticated(request):
+ if self.is_safe_method(request):
+ return True
+ if self.is_superuser(request.user):
+ return True
 return False
diff --git a/ipynbsrv/api/views.py b/ipynbsrv/api/views.py
index 195c75a..e36983c 100644
--- a/ipynbsrv/api/views.py
+++ b/ipynbsrv/api/views.py
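Review bot: In ipynbsrv/api/permissions.py, `has_permission` and `has_object_permission` of `IsSuperUserOrReadOnly` now carry the same three-condition body, so a later change to one can leave the other granting more than intended. Keeping the rule in one place avoids that drift: `has_object_permission` can be reduced to `return self.has_permission(request, view)`, and the nested ifs in `has_permission` to `return self.is_authenticated(request) and (self.is_safe_method(request) or self.is_superuser(request.user))`. The class also now rejects unauthenticated reads, which its name does not convey; a docstring such as `"""Authenticated users may read; only superusers may write."""` would record that. The mixins' implementations are outside the hunk, so this assumes `is_authenticated` returns a plain boolean.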
@@ -30,20 +30,25 @@ def api_root(request, format=None):
 """
 API Root
 """
- return Response({'endpoints': {
- 'configurationvariables': 'desc',
- 'users': 'desc',
- 'collaborationgroups': 'desc',
- 'backends': 'desc',
- 'containers': 'desc',
- 'images': 'desc',
- 'snapshots': 'desc',
- 'servers': 'desc',
- 'shares': 'desc',
- 'tags': 'desc',
- 'notifications': 'desc',
- 'notificationlogs': 'desc',
- }})
+ available_endpoints = {}
+ available_endpoints['users'] = 'desc'
+ available_endpoints['collaborationgroups'] = 'desc'
+ available_endpoints['containers'] = 'desc'
+ available_endpoints['images'] = 'desc'
+ available_endpoints['snapshots'] = 'desc'
+ available_endpoints['shares'] = 'desc'
+ available_endpoints['tags'] = 'desc'
+ available_endpoints['notifications'] = 'desc'
+ available_endpoints['notificationlogs'] = 'desc'
+ available_endpoints['notificationtypes'] = 'desc'
+
+ # additional endpoints for superusers only
+ if request.user.is_superuser:
+ available_endpoints['configurationvariables'] = 'desc'
+ available_endpoints['backends'] = 'desc'
+ available_endpoints['servers'] = 'desc'
+
+ return Response(available_endpoints)
 class ConfigurationVariableList(generics.ListCreateAPIView):
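Review bot: The new `return Response(available_endpoints)` drops the `'endpoints'` wrapper that the removed code returned, so clients reading the `endpoints` key of the root response would break; if that is not intended, keep the envelope with `return Response({'endpoints': available_endpoints})`. Separately, leaving `configurationvariables`, `backends` and `servers` out of the listing for non-superusers only hides them from discovery. The views behind those routes are not in this hunk and need their own superuser permission check for the restriction to hold. The existing comment could say so, e.g. `# listing only; each view must enforce superuser access itself`. `api_root`'s signature and any decorators are outside the hunk.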