funkwhale/api/funkwhale_api/common/permissions.py

import operator

from django.core.exceptions import ObjectDoesNotExist
from django.http import Http404

from rest_framework.permissions import BasePermission

from funkwhale_api.common import preferences


class ConditionalAuthentication(BasePermission):
    def has_permission(self, request, view):
        if preferences.get("common__api_authentication_required"):
            return (request.user and request.user.is_authenticated) or (
                hasattr(request, "actor") and request.actor
            )
        return True


class OwnerPermission(BasePermission):
    """
    Ensure the request user is the owner of the object.

    Usage:

    class MyView(APIView):
        model = MyModel
        permission_classes = [OwnerPermission]
        owner_field = 'owner'
        owner_checks = ['read', 'write']
    """

    perms_map = {
        "GET": "read",
        "OPTIONS": "read",
        "HEAD": "read",
        "POST": "write",
        "PUT": "write",
        "PATCH": "write",
        "DELETE": "write",
    }

    def has_object_permission(self, request, view, obj):
        method_check = self.perms_map[request.method]
        owner_checks = getattr(view, "owner_checks", ["read", "write"])
        if method_check not in owner_checks:
            # check not enabled
            return True

        owner_field = getattr(view, "owner_field", "user")
        owner_exception = getattr(view, "owner_exception", Http404)
        try:
            owner = operator.attrgetter(owner_field)(obj)
        except ObjectDoesNotExist:
            raise owner_exception

        if not owner or not request.user.is_authenticated or owner != request.user:
            raise owner_exception
        return True
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`import operator`

See #170: exclude by default all channels-related entities from /artists, /albums and /tracks endpoints results, for backward compatibility 2019-11-25 08:49:49 +00:00			`from django.core.exceptions import ObjectDoesNotExist`
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`from django.http import Http404`
See #170: exclude by default all channels-related entities from /artists, /albums and /tracks endpoints results, for backward compatibility 2019-11-25 08:49:49 +00:00
See #152: use new user permissions on relevant viewsets 2018-05-18 16:48:46 +00:00			`from rest_framework.permissions import BasePermission`
Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00
See #186: moved api authentication required setting to preference 2018-04-28 04:11:50 +00:00			`from funkwhale_api.common import preferences`

Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00
			`class ConditionalAuthentication(BasePermission):`
			`def has_permission(self, request, view):`
Blacked the code 2018-06-09 13:36:16 +00:00			`if preferences.get("common__api_authentication_required"):`
Audio federation 2018-09-22 12:29:30 +00:00			`return (request.user and request.user.is_authenticated) or (`
			`hasattr(request, "actor") and request.actor`
			`)`
Initial commit that merge both the front end and the API in the same repository 2017-06-23 21:00:42 +00:00			`return True`
Brand new file importer 2017-12-27 22:32:02 +00:00

Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`class OwnerPermission(BasePermission):`
			`"""`
			`Ensure the request user is the owner of the object.`

			`Usage:`

			`class MyView(APIView):`
			`model = MyModel`
			`permission_classes = [OwnerPermission]`
			`owner_field = 'owner'`
			`owner_checks = ['read', 'write']`
			`"""`
Blacked the code 2018-06-09 13:36:16 +00:00
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`perms_map = {`
Blacked the code 2018-06-09 13:36:16 +00:00			`"GET": "read",`
			`"OPTIONS": "read",`
			`"HEAD": "read",`
			`"POST": "write",`
			`"PUT": "write",`
			`"PATCH": "write",`
			`"DELETE": "write",`
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`}`

			`def has_object_permission(self, request, view, obj):`
			`method_check = self.perms_map[request.method]`
Blacked the code 2018-06-09 13:36:16 +00:00			`owner_checks = getattr(view, "owner_checks", ["read", "write"])`
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`if method_check not in owner_checks:`
			`# check not enabled`
			`return True`

Blacked the code 2018-06-09 13:36:16 +00:00			`owner_field = getattr(view, "owner_field", "user")`
See #170: exclude by default all channels-related entities from /artists, /albums and /tracks endpoints results, for backward compatibility 2019-11-25 08:49:49 +00:00			`owner_exception = getattr(view, "owner_exception", Http404)`
			`try:`
			`owner = operator.attrgetter(owner_field)(obj)`
			`except ObjectDoesNotExist:`
			`raise owner_exception`

Fix #563: unplayable radios for anonymous users 2019-05-02 08:01:02 +00:00			`if not owner or not request.user.is_authenticated or owner != request.user:`
See #170: exclude by default all channels-related entities from /artists, /albums and /tracks endpoints results, for backward compatibility 2019-11-25 08:49:49 +00:00			`raise owner_exception`
Added owner permission to check user has the right to read/update object 2018-03-18 20:31:22 +00:00			`return True`