From 6f1472addb401bf21b0d4feb9dd755d6e8892f09 Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Fri, 24 Jan 2020 19:26:00 +0000
Subject: [PATCH] Add ability to limit APITokens to a package

---
 app/blueprints/api/tokens.py             |  4 ++++
 app/models.py                            | 11 +++++++++-
 app/templates/api/create_edit_token.html |  1 +
 migrations/versions/df66c78e6791_.py     | 26 ++++++++++++++++++++++++
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 migrations/versions/df66c78e6791_.py

diff --git a/app/blueprints/api/tokens.py b/app/blueprints/api/tokens.py
index fcc22bb..b8da78d 100644
--- a/app/blueprints/api/tokens.py
+++ b/app/blueprints/api/tokens.py
@@ -29,6 +29,8 @@ from wtforms.ext.sqlalchemy.fields import QuerySelectField
 
 class CreateAPIToken(FlaskForm):
 	name	     = StringField("Name", [InputRequired(), Length(1, 30)])
+	package      = QuerySelectField("Limit to package", allow_blank=True, \
+			get_pk=lambda a: a.id, get_label=lambda a: a.title)
 	submit	     = SubmitField("Save")
 
 
@@ -70,6 +72,8 @@ def create_edit_token(username, id=None):
 		access_token = session.pop("token_" + str(id), None)
 
 	form = CreateAPIToken(formdata=request.form, obj=token)
+	form.package.query_factory = lambda: Package.query.filter_by(author=user).all()
+
 	if request.method == "POST" and form.validate():
 		if is_new:
 			token = APIToken()
diff --git a/app/models.py b/app/models.py
index 2e37758..1849075 100644
--- a/app/models.py
+++ b/app/models.py
@@ -864,12 +864,21 @@ class PackageScreenshot(db.Model):
 class APIToken(db.Model):
 	id           = db.Column(db.Integer, primary_key=True)
 	access_token = db.Column(db.String(34), unique=True)
+
 	name         = db.Column(db.String(100), nullable=False)
 	owner_id     = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
+	# owner is created using backref
+
 	created_at   = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
 
+	package_id = db.Column(db.Integer, db.ForeignKey("package.id"), nullable=True)
+	package    = db.relationship("Package", foreign_keys=[package_id])
+
 	def canOperateOnPackage(self, package):
-		return packages.count() == 0 or package in packages
+		if self.package and self.package != None:
+			return False
+
+		return package.owner == self.owner
 
 
 class EditRequest(db.Model):
diff --git a/app/templates/api/create_edit_token.html b/app/templates/api/create_edit_token.html
index 582cb94..c56a097 100644
--- a/app/templates/api/create_edit_token.html
+++ b/app/templates/api/create_edit_token.html
@@ -47,6 +47,7 @@
 		{{ form.hidden_tag() }}
 
 		{{ render_field(form.name, placeholder="Human readable") }}
+		{{ render_field(form.package) }}
 
 		{{ render_submit_field(form.submit) }}
 	</form>
diff --git a/migrations/versions/df66c78e6791_.py b/migrations/versions/df66c78e6791_.py
new file mode 100644
index 0000000..b3f4088
--- /dev/null
+++ b/migrations/versions/df66c78e6791_.py
@@ -0,0 +1,26 @@
+"""empty message
+
+Revision ID: df66c78e6791
+Revises: a0f6c8743362
+Create Date: 2020-01-24 18:39:58.363417
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = 'df66c78e6791'
+down_revision = 'a0f6c8743362'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.add_column('api_token', sa.Column('package_id', sa.Integer(), nullable=True))
+    op.create_foreign_key(None, 'api_token', 'package', ['package_id'], ['id'])
+
+
+def downgrade():
+    op.drop_constraint(None, 'api_token', type_='foreignkey')
+    op.drop_column('api_token', 'package_id')