def obj_create(self, bundle, request=None, **kwargs):
        """
        Handle POST requests to the resource. If the data validates, create a
        new Review from bundle data.
        """
        form = ReviewForm(bundle.data)

        if not form.is_valid():
            raise self.form_errors(form)

        app = self.get_app(bundle.data["app"])

        # Return 409 if the user has already reviewed this app.
        qs = self._meta.queryset.filter(addon=app, user=request.user)
        if app.is_packaged:
            qs = qs.filter(version_id=bundle.data.get("version", app.current_version.id))
        if qs.exists():
            raise http_error(http.HttpConflict, "You have already reviewed this app.")

        # Return 403 if the user is attempting to review their own app:
        if app.has_author(request.user):
            raise http_error(http.HttpForbidden, "You may not review your own app.")

        # Return 403 if not a free app and the user hasn't purchased it.
        if app.is_premium() and not app.is_purchased(request.amo_user):
            raise http_error(http.HttpForbidden, "You may not review paid apps you haven't purchased.")

        bundle.obj = Review.objects.create(**self._review_data(request, app, form))

        amo.log(amo.LOG.ADD_REVIEW, app, bundle.obj)
        log.debug("[Review:%s] Created by user %s " % (bundle.obj.id, request.user.id))
        record_action("new-review", request, {"app-id": app.id})

        return bundle

    def get_and_check_ownership(self, request, allow_anon=False, **kwargs):
        try:
            # Use queryset, not get_object_list to ensure a distinction
            # between a 404 and a 403.
            obj = self._meta.queryset.get(**kwargs)
        except self._meta.object_class.DoesNotExist:
            unavail = self._meta.queryset_base.filter(**kwargs)
            if unavail.exists():
                obj = unavail[0]
                # Owners can see their app no matter what region.
                if AppOwnerAuthorization().is_authorized(request, object=obj):
                    return obj
                data = {}
                for key in ('name', 'support_email', 'support_url'):
                    value = getattr(obj, key)
                    data[key] = unicode(value) if value else ''
                raise http_error(HttpLegallyUnavailable,
                                 'Not available in your region.',
                                 extra_data=data)
            raise http_error(http.HttpNotFound,
                             'No such app.')

        # If it's public, just return it.
        if allow_anon and obj.is_public():
            return obj

        # Now do the final check to see if you are allowed to see it and
        # return a 403 if you can't.
        if not AppOwnerAuthorization().is_authorized(request, object=obj):
            raise http_error(http.HttpForbidden,
                             'You do not own that app.')
        return obj

    def handle(self, bundle, request, **kwargs):
        form = ReceiptForm(bundle.data)

        if not form.is_valid():
            raise self.form_errors(form)

        bundle.obj = form.cleaned_data["app"]
        type_ = install_type(request, bundle.obj)

        if type_ == apps.INSTALL_TYPE_DEVELOPER:
            return self.record(bundle, request, apps.INSTALL_TYPE_DEVELOPER)

        # The app must be public and if its a premium app, you
        # must have purchased it.
        if not bundle.obj.is_public():
            log.info("App not public: %s" % bundle.obj.pk)
            raise http_error(http.HttpForbidden, "App not public.")

        if bundle.obj.is_premium() and not bundle.obj.has_purchased(request.amo_user):
            # Apps that are premium but have no charge will get an
            # automatic purchase record created. This will ensure that
            # the receipt will work into the future if the price changes.
            if bundle.obj.premium and not bundle.obj.premium.price.price:
                log.info("Create purchase record: {0}".format(bundle.obj.pk))
                AddonPurchase.objects.get_or_create(addon=bundle.obj, user=request.amo_user, type=CONTRIB_NO_CHARGE)
            else:
                log.info("App not purchased: %s" % bundle.obj.pk)
                raise http_error(HttpPaymentRequired, "You have not purchased this app.")

        return self.record(bundle, request, type_)

    def obj_create(self, bundle, request, **kwargs):
        form = UploadForm(bundle.data)

        if not request.amo_user.read_dev_agreement:
            log.info(u'Attempt to use API without dev agreement: %s'
                     % request.amo_user.pk)
            raise http_error(http.HttpUnauthorized,
                             'Terms of service not accepted.')

        if not form.is_valid():
            raise self.form_errors(form)

        if not (OwnerAuthorization()
                .is_authorized(request, object=form.obj)):
            raise http_error(http.HttpForbidden,
                             'You do not own that app.')

        plats = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]

        # Create app, user and fetch the icon.
        bundle.obj = Addon.from_upload(form.obj, plats,
                                       is_packaged=form.is_packaged)
        AddonUser(addon=bundle.obj, user=request.amo_user).save()

        self._icons_and_images(bundle.obj)
        record_action('app-submitted', request, {'app-id': bundle.obj.pk})

        log.info('App created: %s' % bundle.obj.pk)
        return bundle

 def get_object_list(self, request):
     if not request.amo_user:
         log.info('Anonymous listing not allowed')
         raise http_error(http.HttpForbidden,
                          'Anonymous listing not allowed.')
     return self._meta.queryset.filter(type=amo.ADDON_WEBAPP,
                                       authors=request.amo_user)

    def dispatch(self, request_type, request, **kwargs):
        if not waffle.switch_is_active('stats-api'):
            raise http_error(http.HttpNotImplemented,
                             'Stats not enabled for this host.')

        return super(GlobalStatsResource, self).dispatch(request_type, request,
                                                         **kwargs)

    def obj_create(self, bundle, request, **kwargs):
        # Ensure that people don't pass strings through.
        args = PreviewArgsForm(request.GET)
        if not args.is_valid():
            raise self.form_errors(args)

        addon = self.get_object_or_404(Addon,
                                       pk=args.cleaned_data['app'],
                                       type=amo.ADDON_WEBAPP)
        if not AppOwnerAuthorization().is_authorized(request, object=addon):
            raise http_error(http.HttpForbidden,
                             'You are not an author of that app.')

        data_form = PreviewJSONForm(bundle.data)
        if not data_form.is_valid():
            raise self.form_errors(data_form)

        form = PreviewForm(data_form.cleaned_data)
        if not form.is_valid():
            raise self.form_errors(form)

        form.save(addon)
        bundle.obj = form.instance
        log.info('Preview created: %s' % bundle.obj.pk)
        return bundle

    def obj_update(self, bundle, request, **kwargs):
        """
        Handle PUT requests to the resource. If authorized and the data
        validates, update the indicated resource with bundle data.
        """
        obj = self.get_by_resource_or_404(request, **kwargs)
        if not OwnerAuthorization().is_authorized(request, object=obj):
            raise http_error(
                http.HttpForbidden,
                'You do not have permission to update this review.')

        form = ReviewForm(bundle.data)
        if not form.is_valid():
            raise self.form_errors(form)

        if 'app' in bundle.data:
            error = ('app', "Cannot update a rating's `app`")
            raise self.non_form_errors([error])

        sup = super(RatingResource, self).obj_update(bundle, request, **kwargs)

        amo.log(amo.LOG.EDIT_REVIEW, bundle.obj.addon, bundle.obj)
        log.debug('[Review:%s] Edited by %s' % (bundle.obj.id, request.user.id))

        return sup

    def build_filters(self, filters=None):
        """
        If `addon__exact` is a filter and its value cannot be coerced into an
        int, assume that it's a slug lookup.

        Run the query necessary to determine the app, and substitute the slug
        with the PK in the filter so tastypie will continue doing its thing.
        """
        built = super(RatingResource, self).build_filters(filters)
        if 'addon__exact' in built:
            try:
                int(built['addon__exact'])
            except ValueError:
                app = self.get_app(built['addon__exact'])
                if app:
                    built['addon__exact'] = str(app.pk)

        if built.get('user__exact', None) == 'mine':
            # This is a cheat. Would prefer /mine/ in the URL.
            user = get_user()
            if not user:
                # You must be logged in to use "mine".
                raise http_error(http.HttpUnauthorized, 'You must be logged in to access "mine".')

            built['user__exact'] = user.pk
        return built

    def obj_create(self, bundle, request, **kwargs):
        with statsd.timer("auth.browserid.verify"):
            profile, msg = browserid_authenticate(
                request,
                bundle.data["assertion"],
                browserid_audience=bundle.data["audience"],
                is_native=bundle.data.get("is_native", False),
            )
        if profile is None:
            log.info("No profile")
            raise http_error(http.HttpUnauthorized, "No profile.")

        request.user, request.amo_user = profile.user, profile
        request.groups = profile.groups.all()

        # TODO: move this to the signal.
        profile.log_login_attempt(True)
        user_logged_in.send(sender=profile.user.__class__, request=request, user=profile.user)
        bundle.data = {
            "error": None,
            "token": self.get_token(request.user.email),
            "settings": {"display_name": request.amo_user.display_name, "email": request.user.email},
        }
        bundle.data.update(PermissionResource().dehydrate(Bundle(request=request)).data)
        return bundle

    def obj_create(self, bundle, request, **kwargs):
        with statsd.timer('auth.browserid.verify'):
            profile, msg = browserid_authenticate(
                request, bundle.data['assertion'],
                browserid_audience=bundle.data['audience'],
                is_native=bundle.data.get('is_native', False)
            )
        if profile is None:
            log.info('No profile: %s' % (msg or ''))
            raise http_error(http.HttpUnauthorized,
                             'No profile.')

        request.user, request.amo_user = profile.user, profile
        request.groups = profile.groups.all()

        # TODO: move this to the signal.
        profile.log_login_attempt(True)
        user_logged_in.send(sender=profile.user.__class__, request=request,
                            user=profile.user)
        bundle.data = {
            'error': None,
            'token': self.get_token(request.amo_user.email),
            'settings': {
                'display_name': request.amo_user.display_name,
                'email': request.amo_user.email,
            }
        }
        bundle.data.update(PermissionResource()
                           .dehydrate(Bundle(request=request)).data)
        return bundle

    def obj_get(self, request=None, **kwargs):
        obj = super(StatusResource, self).obj_get(request=request, **kwargs)
        if not AppOwnerAuthorization().is_authorized(request, object=obj):
            raise http_error(http.HttpForbidden,
                             'You are not an author of that app.')

        log.info('App status retreived: %s' % obj.pk)
        return obj

    def obj_delete(self, request, **kwargs):
        obj = self.get_by_resource_or_404(request, **kwargs)
        if not AppOwnerAuthorization().is_authorized(request,
                                                     object=obj.addon):
            raise http_error(http.HttpForbidden,
                             'You are not an author of that app.')

        log.info('Preview deleted: %s' % obj.pk)
        return super(PreviewResource, self).obj_delete(request, **kwargs)

    def obj_get(self, request=None, **kwargs):
        if kwargs.get("pk") == "mine":
            kwargs["pk"] = request.amo_user.pk

        # TODO: put in acl checks for admins to get other users information.
        obj = super(Mine, self).obj_get(request=request, **kwargs)
        if not OwnerAuthorization().is_authorized(request, object=obj):
            raise http_error(http.HttpForbidden, "You do not have access to that account.")
        return obj

    def obj_update(self, bundle, request, **kwargs):
        try:
            obj = self.get_object_list(bundle.request).get(**kwargs)
        except Addon.DoesNotExist:
            raise http_error(http.HttpNotFound, 'No such addon.')

        if not AppOwnerAuthorization().is_authorized(request, object=obj):
            raise http_error(http.HttpForbidden,
                             'You are not an author of that app.')

        form = StatusForm(bundle.data, instance=obj)
        if not form.is_valid():
            raise self.form_errors(form)

        form.save()
        log.info('App status updated: %s' % obj.pk)
        bundle.obj = obj
        return bundle

    def obj_get(self, request, **kw):
        if kw['pk'] != 'site':
            raise http_error(http.HttpNotFound,
                             'No such configuration.')

        return GenericObject({
            # This is the git commit on IT servers.
            'version': getattr(settings, 'BUILD_ID_JS', ''),
            'flags': waffles(request),
            'settings': get_settings(),
        })

    def obj_delete(self, request, **kwargs):
        obj = self.get_by_resource_or_404(request, **kwargs)
        if not (
            AppOwnerAuthorization().is_authorized(request, object=obj.addon)
            or OwnerAuthorization().is_authorized(request, object=obj)
            or PermissionAuthorization("Users", "Edit").is_authorized(request)
            or PermissionAuthorization("Addons", "Edit").is_authorized(request)
        ):
            raise http_error(http.HttpForbidden, "You do not have permission to delete this review.")

        log.info("Rating %s deleted from addon %s" % (obj.pk, obj.addon.pk))
        return super(RatingResource, self).obj_delete(request, **kwargs)

 def post_list(self, request, **kwargs):
     data = self.deserialize(request, request.raw_post_data,
                             format='application/json')
     email = data['email']
     try:
         validate_email(email)
     except ValidationError:
         raise http_error(http.HttpBadRequest, 'Invalid email address')
     basket.subscribe(data['email'], 'marketplace',
                      format='H', country=request.REGION.slug,
                      lang=request.LANG, optin='Y',
                      trigger_welcome='Y')

    def obj_get(self, request, **kw):
        if kw["pk"] != "site":
            raise http_error(http.HttpNotFound, "No such configuration.")

        return GenericObject(
            {
                # This is the git commit on IT servers.
                "version": getattr(settings, "BUILD_ID_JS", ""),
                "flags": waffles(request),
                "settings": get_settings(),
            }
        )

    def obj_create(self, bundle, request, **kwargs):
        region = getattr(request, 'REGION', None)

        if region and region.id not in settings.PURCHASE_ENABLED_REGIONS:
            log.info('Region {0} is not in {1}'
                     .format(region.id, settings.PURCHASE_ENABLED_REGIONS))
            if not waffle.flag_is_active(request, 'allow-paid-app-search'):
                log.info('Flag not active')
                raise http_error(http.HttpForbidden,
                                 'Not allowed to purchase for this flag')

        bundle.obj = GenericObject(_prepare_pay(request, bundle.data['app']))
        return bundle