funkwhale/api/funkwhale_api/common/permissions.py

import operator

from django.conf import settings
from django.http import Http404

from rest_framework.permissions import BasePermission

from funkwhale_api.common import preferences


class ConditionalAuthentication(BasePermission):

    def has_permission(self, request, view):
        if preferences.get('common__api_authentication_required'):
            return request.user and request.user.is_authenticated
        return True


class OwnerPermission(BasePermission):
    """
    Ensure the request user is the owner of the object.

    Usage:

    class MyView(APIView):
        model = MyModel
        permission_classes = [OwnerPermission]
        owner_field = 'owner'
        owner_checks = ['read', 'write']
    """
    perms_map = {
        'GET': 'read',
        'OPTIONS': 'read',
        'HEAD': 'read',
        'POST': 'write',
        'PUT': 'write',
        'PATCH': 'write',
        'DELETE': 'write',
    }

    def has_object_permission(self, request, view, obj):
        method_check = self.perms_map[request.method]
        owner_checks = getattr(view, 'owner_checks', ['read', 'write'])
        if method_check not in owner_checks:
            # check not enabled
            return True

        owner_field = getattr(view, 'owner_field', 'user')
        owner = operator.attrgetter(owner_field)(obj)
        if owner != request.user:
            raise Http404
        return True
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`import operator`

Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00			`from django.conf import settings`
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`from django.http import Http404`
Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00
See #152: use new user permissions on relevant viewsets 2018-05-18 16:48:46 +00:00			`from rest_framework.permissions import BasePermission`
Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00
See #186: moved api authentication required setting to preference 2018-04-28 04:11:50 +00:00			`from funkwhale_api.common import preferences`

Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00
			`class ConditionalAuthentication(BasePermission):`

			`def has_permission(self, request, view):`
See #186: moved api authentication required setting to preference 2018-04-28 04:11:50 +00:00			`if preferences.get('common__api_authentication_required'):`
Switched to is_authenticated (no parenthesis) 2017-12-15 22:42:20 +00:00			`return request.user and request.user.is_authenticated`
Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00			`return True`
Brand new file importer 2017-12-27 22:32:02 +00:00

Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`class OwnerPermission(BasePermission):`
			`"""`
			`Ensure the request user is the owner of the object.`

			`Usage:`

			`class MyView(APIView):`
			`model = MyModel`
			`permission_classes = [OwnerPermission]`
			`owner_field = 'owner'`
			`owner_checks = ['read', 'write']`
			`"""`
			`perms_map = {`
			`'GET': 'read',`
			`'OPTIONS': 'read',`
			`'HEAD': 'read',`
			`'POST': 'write',`
			`'PUT': 'write',`
			`'PATCH': 'write',`
			`'DELETE': 'write',`
			`}`

			`def has_object_permission(self, request, view, obj):`
			`method_check = self.perms_map[request.method]`
			`owner_checks = getattr(view, 'owner_checks', ['read', 'write'])`
			`if method_check not in owner_checks:`
			`# check not enabled`
			`return True`

			`owner_field = getattr(view, 'owner_field', 'user')`
			`owner = operator.attrgetter(owner_field)(obj)`
			`if owner != request.user:`
			`raise Http404`
			`return True`