from rest_framework import permissions
from rest_framework.permissions import (  # noqa: F401
    BasePermission,
    IsAuthenticated as rf_IsAuthenticated,
    IsAdminUser,
)

from backend_app.utils import is_member


class IsAuthenticated(rf_IsAuthenticated):
    """
    Authenticated-only permission whose object-level check repeats the
    view-level check rather than using the inherited object-level default.
    """

    def has_object_permission(self, request, view, obj):
        # NOTE(review): presumably needed so the authentication requirement
        # still applies when this class is combined with "|" and only the
        # object-level checks are evaluated; confirm against the DRF version
        # in use.
        allowed = self.has_permission(request, view)
        return allowed


class IsStaff(IsAdminUser):
    """
    Variant of ``IsAdminUser`` whose object-level check repeats the view-level
    check rather than using the inherited object-level default.
    """

    def has_object_permission(self, request, view, obj):
        # The object itself is not inspected: the decision is the same one
        # has_permission() makes for the request as a whole.
        allowed = self.has_permission(request, view)
        return allowed


class IsDri(BasePermission):
    """
    Read-only access for everyone; other methods only for members of the
    DRI group.

    Requests using one of ``permissions.SAFE_METHODS`` are allowed without
    looking at the user at all, so this class alone does not restrict reads.
    """

    def has_permission(self, request, view):
        # Guard clause: anything that is not a safe (read) method requires
        # DRI membership, as decided by the is_member() helper.
        if request.method not in permissions.SAFE_METHODS:
            return is_member("DRI", request.user)
        return True

    def has_object_permission(self, request, view, obj):
        # Same decision at object level; the object is not inspected.
        allowed = self.has_permission(request, view)
        return allowed


class IsOwner(BasePermission):
    """
    Object-level permission: the requester must be the owner of the object.

    The object must either expose an ``owner`` attribute holding a user, or be
    the user object itself.

    The view-level check always passes, so this class only has an effect where
    the view actually runs object-level permission checks.
    """

    def has_permission(self, request, view):
        # Nothing is decided at view level; ownership can only be evaluated
        # once an object is available.
        return True

    def has_object_permission(self, request, view, obj):
        try:
            is_owner = request.user == obj.owner
        except AttributeError:
            # No "owner" attribute: treat the object as the user model and
            # compare it to the requester directly.
            is_owner = request.user == obj
        return is_owner


class IsFollower(BasePermission):
    """
    Object-level permission: the requester must be one of the object's
    followers (the object being a list of universities).

    The object must have a "followers" relation to users that supports
    ``filter(...).exists()``.
    """

    def has_object_permission(self, request, view, obj):
        # Membership is looked up by primary key through the relation.
        # NOTE(review): the HTTP method is not considered here, so a follower
        # passes this check for write methods too unless another permission
        # restricts them.
        follower_match = obj.followers.filter(pk=request.user.pk)
        return follower_match.exists()


class IsPublic(BasePermission):
    """
    Object-level permission: the object must be flagged as public.

    The object must have an "is_public" attribute; its value is returned
    unchanged.
    """

    def has_object_permission(self, request, view, obj):
        # NOTE(review): neither the requester nor the HTTP method is looked at,
        # so on its own this check passes for writes on public objects as well
        # as reads; pair it with a method restriction if that is not intended.
        visibility = obj.is_public
        return visibility


class NoDelete(BasePermission):
    """
    Permission that rejects requests using the DELETE method.

    Every other method passes this check, so it does not restrict other
    write methods.
    """

    def has_permission(self, request, view):
        is_delete = request.method == "DELETE"
        return not is_delete

    def has_object_permission(self, request, view, obj):
        # Same decision at object level; the object is not inspected.
        allowed = self.has_permission(request, view)
        return allowed


class NoPost(BasePermission):
    """
    Permission that rejects requests using the POST method.

    Every other method passes this check.
    """

    def has_permission(self, request, view):
        is_post = request.method == "POST"
        return not is_post

    def has_object_permission(self, request, view, obj):
        # Same decision at object level; the object is not inspected.
        allowed = self.has_permission(request, view)
        return allowed


class ReadOnly(BasePermission):
    """
    Permission that only lets safe (read) methods through, making a viewset
    read-only.
    """

    def has_permission(self, request, view):
        is_safe = request.method in permissions.SAFE_METHODS
        return is_safe

    def has_object_permission(self, request, view, obj):
        """
        Object-level check, identical to the view-level one.

        This override is required because the class is used with "OR".
        Without it, "IsOwner OR ReadOnly" would pass has_permission through
        IsOwner and then pass has_object_permission through ReadOnly.
        """
        is_safe = request.method in permissions.SAFE_METHODS
        return is_safe