From 2c97ad185df58d1a58ca34584578d492f5b0c7b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Zahradn=C3=ADk?=
Date: Tue, 23 Jan 2024 22:06:48 +0100
Subject: [PATCH] master: fix authorization, improve error messages

---
 trojstenid/users/models.py     |  5 -----
 trojstenid/users/urls_oauth.py | 13 ++++++++++++-
 trojstenid/users/views.py      | 30 +++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/trojstenid/users/models.py b/trojstenid/users/models.py
index 5084b87..68dfa7a 100644
--- a/trojstenid/users/models.py
+++ b/trojstenid/users/models.py
@@ -10,11 +10,6 @@ class Application(AbstractApplication):
     group = models.ForeignKey(Group, on_delete=models.RESTRICT, blank=True, null=True)
 
-    def is_usable(self, request):
-        if self.group is not None:
-            return request.user.groups.contains(self.group)
-        return True
-
 
 
 def user_avatar_name(user, filename):
     _, ext = path.splitext(filename)
diff --git a/trojstenid/users/urls_oauth.py b/trojstenid/users/urls_oauth.py
index dad3bd3..195712b 100644
--- a/trojstenid/users/urls_oauth.py
+++ b/trojstenid/users/urls_oauth.py
@@ -1,5 +1,16 @@
+from django.urls import re_path
 from oauth2_provider import urls
+from oauth2_provider.views import IntrospectTokenView, RevokeTokenView, TokenView
+
+from trojstenid.users.views import TrojstenAuthorizationView
 
 app_name = urls.app_name
-urlpatterns = urls.base_urlpatterns + urls.oidc_urlpatterns
+base_urlpatterns = [
+    re_path(r"^authorize/$", TrojstenAuthorizationView.as_view(), name="authorize"),
+    re_path(r"^token/$", TokenView.as_view(), name="token"),
+    re_path(r"^revoke_token/$", RevokeTokenView.as_view(), name="revoke-token"),
+    re_path(r"^introspect/$", IntrospectTokenView.as_view(), name="introspect"),
+]
+
+urlpatterns = base_urlpatterns + urls.oidc_urlpatterns
diff --git a/trojstenid/users/views.py b/trojstenid/users/views.py
index cefaf57..3ccc3db 100644
--- a/trojstenid/users/views.py
+++ b/trojstenid/users/views.py
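Review bot: The new `base_urlpatterns` list in urls_oauth.py re-declares by hand the four routes that `urls.base_urlpatterns` used to supply, so any endpoint django-oauth-toolkit adds or renames in a later release will silently drop out of this project's OAuth URLs, and the hand-copied token/revoke/introspect entries have to be kept in sync with the library by eye. Deriving the list from the library's and replacing only the authorize entry keeps the override to the one route that is actually customised, e.g. `base_urlpatterns = [re_path(r"^authorize/$", TrojstenAuthorizationView.as_view(), name="authorize")] + [p for p in urls.base_urlpatterns if p.name != "authorize"]`. If the explicit list is intentional, a short comment such as `# Mirrors oauth2_provider.urls.base_urlpatterns with the authorize view swapped for the group-aware one` would tell the next maintainer why the library list is not reused.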
@@ -1,9 +1,37 @@
 from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.shortcuts import redirect
+from django.core.exceptions import PermissionDenied
+from django.shortcuts import get_object_or_404, redirect, render
 from django.views.generic import TemplateView, UpdateView
+from oauth2_provider.views import AuthorizationView
 
 from trojstenid.users.forms.settings import ProfileForm
+from trojstenid.users.models import Application
+
+
+class TrojstenAuthorizationView(AuthorizationView):
+    def dispatch(self, request, *args, **kwargs):
+        application = get_object_or_404(
+            Application, client_id=request.GET.get("client_id")
+        )
+
+        if application.group:
+            if not request.user.is_authenticated:
+                raise PermissionDenied()
+
+            if not request.user.groups.contains(application.group):
+                return render(
+                    request,
+                    "oauth2_provider/authorize.html",
+                    {
+                        "error": {
+                            "error": "Chýbajúce oprávnenia.",
+                            "description": "Nemáš práva na prístup do tejto aplikácie.",
+                        }
+                    },
+                )
+
+        return super().dispatch(request, *args, **kwargs)
 
 
 class ProfileView(LoginRequiredMixin, UpdateView):
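Review bot: In `TrojstenAuthorizationView.dispatch`, `raise PermissionDenied()` for an anonymous user on a group-restricted application answers with a 403 instead of the login redirect that `AuthorizationView`'s `LoginRequiredMixin` would have produced, because the group gate runs before `super().dispatch()`; a logged-out user who follows an authorize link is blocked outright rather than sent to log in and back. `return self.handle_no_permission()` keeps the denial while giving anonymous users the redirect the mixin already implements. The `render(...)` on a group mismatch returns HTTP 200 for what is an access denial, so passing `status=403` would make the refusal visible to clients and to access logs. Note also that `get_object_or_404(Application, client_id=request.GET.get("client_id"))` runs for every method, so a missing or unknown client_id yields a 404 rather than the `invalid_request` error the parent view would report, and the consent-form POST is presumably relying on the query string still carrying client_id — worth confirming against the template.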