Ejemplo n.º 1
0
 def has_permission(self, request, view):
     if request.method == 'GET':
         return is_authenticated(request.user) and \
                (request.user.id == int(view.kwargs.get('uid')) or
                 request.user.is_connected_to(view.kwargs.get('uid')))
     if request.method == 'PUT':
         return is_authenticated(request.user) and request.user.id == int(
             view.kwargs.get('uid'))
     return False
Ejemplo n.º 2
0
 def has_permission(self, request, view):
     # check if user athlete owner or connected coach
     if request.method == 'GET':
         return is_authenticated(request.user) and \
                (request.user.id == int(view.kwargs.get('uid')) or
                 request.user.is_connected_to(view.kwargs.get('uid')))
     # check if user is an authenticated athlete
     if request.method == 'POST':
         return is_authenticated(request.user) and request.user.is_athlete() and \
                request.user.id == int(view.kwargs.get('uid'))
     return False
Ejemplo n.º 3
0
    def has_permission(self, request, view):
        """
        Get whether the user has the permission required to call this view, with this method.

        :param request: request that was done
        :param view: requested view
        :return: `True` if access is authorized, `False` otherwise
        """
        if request.method == "POST":
            return not (request.user and is_authenticated(request.user))

        return request.user and is_authenticated(request.user)
Ejemplo n.º 4
0
    def has_permission(self, request, view):
        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
        if getattr(view, '_ignore_model_permissions', False):
            return True

        if hasattr(view, 'get_queryset'):
            queryset = view.get_queryset()
            assert queryset is not None, (
                '{}.get_queryset() returned None'.format(view.__class__.__name__)
            )
        else:
            queryset = getattr(view, 'queryset', None)

        assert queryset is not None, (
            'Cannot apply DjangoModelPermissions on a view that '
            'does not set `.queryset` or have a `.get_queryset()` method.'
        )

        perms = self.get_required_permissions(request.method, queryset.model)

        return (
            request.user and
            (is_authenticated(request.user) or not self.authenticated_users_only) and
            request.user.has_perms(perms)
        )
Ejemplo n.º 5
0
 def has_permission(self, request, view):
     return (
         request.method in permissions.SAFE_METHODS or
         request.user and
         is_authenticated(request.user) and
         request.user.is_admin
     )
Ejemplo n.º 6
0
    def has_permission(self, request, view):
        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
        if getattr(view, '_ignore_model_permissions', False):
            return True

        # For `.get_queryset` to assume that anonymous check was passed
        # when `authenticated_users_only` is `True`.
        if (not request.user or (not is_authenticated(request.user)
                                 and self.authenticated_users_only)):
            return False

        if hasattr(view, 'get_queryset'):
            queryset = view.get_queryset()
            assert queryset is not None, (
                '{}.get_queryset() returned None'.format(
                    view.__class__.__name__))
        else:
            queryset = getattr(view, 'queryset', None)

        assert queryset is not None, (
            'Cannot apply DjangoModelPermissions on a view that '
            'does not set `.queryset` or have a `.get_queryset()` method.')

        perms = self.get_required_permissions(request.method, queryset.model)

        return request.user.has_perms(perms)
Ejemplo n.º 7
0
    def has_permission(self, request, view):
        """
        List/create objects permission.

        :param request: django request instance.
        :type request: django.http.request.HttpRequest.
        :param view: view set.
        :type view: mk42.apps.core.api.viewsets.event.EventViewset.
        :return: permission is granted.
        :rtype: bool.
        """

        if request.method in SAFE_METHODS:
            # Read permissions are allowed to any request, so we'll always allow GET, HEAD or OPTIONS requests.
            return True

        if all([
                request.method == POST,
                is_authenticated(request.user),
        ]):
            # Allow create events only for authenticated users.
            if not self.check_event_dates(request):
                self.message = _("Invalid dates.")

                return False

            return True

        if request.method == PATCH:
            # In futures steps of flow allow user edit self owned events.
            return True
Ejemplo n.º 8
0
    def has_permission(self, request, view):
        if request.method == 'POST':
            return True

        return request.user and is_authenticated(
            request.user) and (request.user.groups.filter(name="FG").exists()
                               or request.user.is_superuser)
    def has_permission(self, request, view):
        # Read permissions are allowed to authenticated user
        if request.method in permissions.SAFE_METHODS:
            return request.user and is_authenticated(request.user)

        # Write permissions are only allowed to super user.
        return request.user and request.user.is_staff
Ejemplo n.º 10
0
 def has_object_permission(self, request, view, obj):
     if request.method == 'GET':
         return True
     elif request.method == 'PUT' or request.method == 'DELETE':
         return request.user.is_staff or obj.writer == request.user
     elif request.method == 'POST':
         return request.user and is_authenticated(request.user)
Ejemplo n.º 11
0
def is_user_authenticated(user):
    if rest_framework.VERSION < '3.7.0':
        from rest_framework.compat import is_authenticated
        return is_authenticated(user)
    else:
        from rest_framework.compat import authenticated
        return authenticated(user)
Ejemplo n.º 12
0
 def has_permission(self, request, view):
     if view.action == "create" and request.user and is_authenticated(
             request.user):
         return True
     elif view.action == "list" and request.user and request.user.is_superuser:
         return True
     return False
Ejemplo n.º 13
0
    def get_cache_key(self, request, view):
        if is_authenticated(request.user):
            ident = request.user.pk
        else:
            ident = self.get_ident(request)

        return self.cache_format % {"scope": self.scope, "ident": ident}
Ejemplo n.º 14
0
 def has_permission(self, request, view):
     res = (request.method in SAFE_METHODS
            or (request.user and is_authenticated(request.user) and
                (request.user.is_staff or request.user.is_superuser)))
     if not res:
         raise NotAuth()
     return res
Ejemplo n.º 15
0
    def get_cache_key(self, request, view):
        if is_authenticated(request.user):
            ident = request.user.pk
        else:
            ident = self.get_ident(request)

        return self.cache_format % {'scope': self.scope, 'ident': ident}
Ejemplo n.º 16
0
    def has_permission(self, request, view):
        """
        List/create objects permission.

        :param request: django request instance.
        :type request: django.http.request.HttpRequest.
        :param view: view set.
        :type view: mk42.apps.core.api.viewsets.rsvp.RSVPViewset.
        :return: permission is granted.
        :rtype: bool.
        """

        if request.method in SAFE_METHODS:
            # Read permissions are allowed to any request, so we'll always allow GET, HEAD or OPTIONS requests.
            return True

        if all([
                request.method == POST,
                is_authenticated(request.user),
        ]):
            # Allow join to event only for authenticated users.
            return True

        if request.method == DELETE:
            # In futures steps of flow allow user delete own RSVP.
            return True
Ejemplo n.º 17
0
 def has_permission(self, request, view):
     if request.method in permissions.SAFE_METHODS:
         return True
     contest = Contest.objects.get(pk=view.kwargs['pk'])
     return (contest.public and request.user
             and is_authenticated(request.user)
             and not request.user.contest_account.filter(contest=contest)
             ) or (not contest.public and request.user.is_staff)
Ejemplo n.º 18
0
    def get_cache_key(self, request, view):
        if is_authenticated(request.user):
            return None  # Only throttle unauthenticated requests.

        return self.cache_format % {
            'scope': self.scope,
            'ident': self.get_ident(request)
        }
Ejemplo n.º 19
0
    def has_permission(self, request, view):
        # Read permissions are allowed to authenticated users only,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return request.user and is_authenticated(request.user)

        # Allows access only to admin users for put/update/delete.
        return request.user and request.user.is_staff
 def get(self, request):
     if is_authenticated(request.user):
         username = request.user.username
     else:
         username = None
     return Response({
         'username': username
     })
Ejemplo n.º 21
0
 def dispatch(self, request, *args, **kwargs):
     try:
         return super(SafeTenantViewSetMixin,
                      self).dispatch(request, *args, **kwargs)
     except ProgrammingError:
         if request.user and not is_authenticated(request.user):
             raise exceptions.NotAuthenticated()
         raise
Ejemplo n.º 22
0
 def has_permission(self, request, view):
     if request.user.is_anonymous:
         return (request.method in SAFE_METHODS
                 or request.user and is_authenticated(request.user))
     participants = Participant.objects.filter(
         email=request.user.email).count()
     if participants > 0:
         return True
Ejemplo n.º 23
0
 def has_permission(self, request, view):
     if request.user.is_anonymous:
         return (request.method in SAFE_METHODS
                 or request.user and is_authenticated(request.user))
     attendees = Attendance.objects.filter(
         participant__email=request.user.email).count()
     if attendees > 0:
         return True
Ejemplo n.º 24
0
    def create(self, request, format=None):
        if is_authenticated(request.user):
            raise PermissionDenied()

        serializer = NewAccountSerializer(data=request.data)
        if serializer.is_valid(raise_exception=True):
            user = serializer.save()
            return Response(AccountSerializer(user).data, status=201)
Ejemplo n.º 25
0
 def get_is_follows(self, obj) -> bool:
     """
     Check if a `request.user` follows this user (`obj`).
     """
     follower = self.context.get('request').user
     if not is_authenticated(follower):
         return False
     followee = obj
     return Follow.objects.follows(follower=follower, followee=followee)
Ejemplo n.º 26
0
 def has_permission(self, request, view):
     if view.action == "create":
         return True
     elif view.action in ["update", "retrieve", "destroy"] \
      and is_authenticated(request.user):
         return True
     elif view.action == "list" and request.user.is_superuser:
         return True
     return False
Ejemplo n.º 27
0
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.method == 'POST':
            return True

        is_authed = request.user and is_authenticated(request.user)
        is_self = request.user and request.user.id == obj.id
        return is_authed and is_self
Ejemplo n.º 28
0
    def has_permission(self, request, view):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in SAFE_METHODS:
            return True

        return request.user and is_authenticated(
            request.user) and (request.user.groups.filter(name="FG").exists()
                               or request.user.is_superuser)
Ejemplo n.º 29
0
 def has_permission(self, request, view):
     if not is_authenticated(request.user):
         return False
     elif request.user.is_staff:
         return True
     elif request.method in permissions.SAFE_METHODS:
         return True
     else:
         return False
Ejemplo n.º 30
0
 def get_serializer_class(self):
     user = self.request.user
     is_in_flight = is_authenticated(user) and self.get_flight_queryset(
     ).filter(players__user=user).exists()
     if is_in_flight or user.is_staff:
         # include contact info
         return PlayerSerializer
     else:
         return PlayerPublicSerializer
Ejemplo n.º 31
0
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS\
                and obj.access == _AccessMixIn.ACCESS_TYPES[1][0]:
            return True

        # Instance must have an attribute named `owner`.
        is_authed = request.user and is_authenticated(request.user)
        is_owner = request.user and request.user == obj.owner
        return is_authed() and is_owner
Ejemplo n.º 32
0
 def get_queryset(self):
     q = Flight.objects.all()
     mine = self.kwargs.get('mine')
     user = self.request.user
     if mine:
         if is_authenticated(user):
             q = q.filter(players__user=user)
         else:
             # anonymous users don't have any.
             q = q.none()
     return q
Ejemplo n.º 33
0
 def has_permission(self, request, view):
     """
     Give permission for admin or user to access API
     """
     if request.method in ('GET', 'PUT', 'DELETE'):
         return (
             request.user and
             request.user.is_staff or
             is_authenticated(request.user)
             )
     return request.user and request.user.is_staff
Ejemplo n.º 34
0
 def has_object_permission(self, request, view, obj):
     if request in ('GET', 'HEAD', 'OPTIONS'):
         return True
     if not request.user:
         return False
     if not is_authenticated(request.user):
         return False
     if isinstance(obj, OwnedModel):
         return obj.owner == request.user.profile
     else:
         return True
Ejemplo n.º 35
0
    def get_cache_key(self, request, view):
        """
        If `view.throttle_scope` is not set, don't apply this throttle.

        Otherwise generate the unique cache key by concatenating the user id
        with the '.throttle_scope` property of the view.
        """
        if is_authenticated(request.user):
            ident = request.user.pk
        else:
            ident = self.get_ident(request)

        return self.cache_format % {"scope": self.scope, "ident": ident}
Ejemplo n.º 36
0
    def has_permission(self, request, view):
        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
        if getattr(view, '_ignore_model_permissions', False):
            return True

        if not request.user or (
           not is_authenticated(request.user) and self.authenticated_users_only):
            return False

        queryset = self._queryset(view)
        perms = self.get_required_permissions(request.method, queryset.model)

        return request.user.has_perms(perms)
Ejemplo n.º 37
0
Archivo: api.py Proyecto: awfki/netbox
 def has_permission(self, request, view):
     if not settings.LOGIN_REQUIRED:
         return True
     return request.user and is_authenticated(request.user)
Ejemplo n.º 38
0
    def get_cache_key(self, request, view):
        if is_authenticated(request.user):
            return None  # Only throttle unauthenticated requests.

        return self.cache_format % {"scope": self.scope, "ident": self.get_ident(request)}
Ejemplo n.º 39
0
 def has_permission(self, request, view):
     return (
         request.method == 'POST' or
         request.method in SAFE_METHODS or
         request.user and is_authenticated(request.user)
     )
 def render(self, data, media_type=None, renderer_context=None):
     request = renderer_context['request']
     if is_authenticated(request.user):
         return b'authenticated'
     return b'not authenticated'
Ejemplo n.º 41
0
 def list(self, request, format=None):
     if not is_authenticated(request.user):
         raise NotAuthenticated()
     return Response(AccountSerializer(request.user).data)
Ejemplo n.º 42
0
 def has_permission(self, request, view):
     return request.user and is_authenticated(request.user)