upgrade authorization && fix permission bugs

portfolio/account/serializers.py

@@ -3,7 +3,7 @@ from .models import Account, Guest
 from rest_framework import serializers
 from rest_framework.authtoken.models import Token
 
-from django.contrib.auth import authenticate, logout
+from django.contrib.auth import authenticate, logout as logoutDjango
 from django.core.paginator import Paginator
 from django.http import JsonResponse
 
@@ -47,16 +47,17 @@ class AccountAuthSerializer(serializers.ModelSerializer):
                 token = Token.objects.get(user = user)
             except:
                 token = Token.objects.create(user = user)
-            return { 'token': token.key, 'user': user.toDict() }
+            return { 'Authorization': 'Token ' + token.key, 'user': user.toDict() }
         else:
             return { 'error': 'login failed'}
 
     @staticmethod
     def logout(request, format=None):
+        logoutDjango(request)
         tokenStr = request.headers['Authorization'].split(' ')[1]
         token = Token.objects.get(key = tokenStr)
         token.delete()
-        return { 'info': 'logout' }
+        return { 'info': 'logout success' }
 
     class Meta:
         model = Account

portfolio/account/views.py

@@ -1,9 +1,9 @@
-from rest_framework import viewsets, mixins, permissions
+from rest_framework import viewsets, mixins
-from rest_framework.authtoken.views import ObtainAuthToken
 from rest_framework.response import Response
+from rest_framework.authtoken.views import ObtainAuthToken
+
 from drf_yasg.utils import swagger_auto_schema
 
-from django.core.paginator import Paginator
 from django.shortcuts import get_object_or_404
 
 from .models import Account, Guest
@@ -14,7 +14,6 @@ class AccountViewSet(viewsets.ModelViewSet):
 
     queryset = Account.objects.all()
     serializer_class = AccountSerializer
-    permission_classes = [permissions.IsAuthenticated]
 
     @swagger_auto_schema(responses={ 200: AccountGetSerializer })
     def retrieve(self, request, pk=None):

portfolio/settings.py

@@ -58,7 +58,10 @@ REST_FRAMEWORK = {
     # or allow read-only access for unauthenticated users.
     'DEFAULT_PERMISSION_CLASSES': [
         # 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
-        'rest_framework.permissions.IsAdminUser'
+        # 'rest_framework.permissions.IsAdminUser',
+        # 'rest_framework.permissions.IsAuthenticated',
+        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
+        # 'rest_framework.permissions.AllowAny'
     ],
     'DEFAULT_AUTHENTICATION_CLASSES': [
         # 'rest_framework.authentication.BasicAuthentication',

portfolio/urls.py

@@ -39,13 +39,12 @@ schema_view = get_schema_view(
 
 router = routers.DefaultRouter()
 router.register(r'users', views.AccountViewSet, basename='user')
-# router.register(r'users/auth', views.AccountAuth, basename='user auth')
 router.register(r'guests', views.GuestViewSet)
 
 urlpatterns = [
         path('admin/', admin.site.urls),
         path('', include(router.urls)),
-        # path('api-auth/', include('rest_framework.urls', namespace='rest_framework'))
+        re_path(r'users/auth', views.AccountAuth.as_view())
     ]
 
 if settings.DEBUG:
@@ -53,6 +52,5 @@ if settings.DEBUG:
         path('admin/', admin.site.urls),
         path('', include(router.urls)),
         re_path(r'users/auth', views.AccountAuth.as_view()),
-        # path('api-auth/', include('rest_framework.urls', namespace='rest_framework')),
         path('swagger/', schema_view.with_ui('swagger', cache_timeout=0))
     ]