    def has_permission(self, request, view):
        """Return whether ``request`` is allowed through this permission class.

        Access is granted unconditionally when the ``ALLOW_ANY`` environment
        switch is on or when ``request.user.admin`` is truthy.  Otherwise a
        safe (read-only) method is allowed for a request ``is_scope_principal``
        accepts, for a ``username`` query parameter equal to the username in
        the caller's decoded identity header, or for a non-empty ``group``
        read grant; any other method needs a non-empty ``group`` write grant.
        """
        # NOTE(review): this switch bypasses every check below.  If get_value
        # applies a bare bool() cast to the raw string, any non-empty value
        # (even "False") would enable it -- confirm the cast semantics and that
        # the variable is never set outside development.
        if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
            return True
        if request.user.admin:
            return True

        if request.method not in permissions.SAFE_METHODS:
            # Mutating requests are gated solely by the group write grant.
            group_write = request.user.access.get('group', {}).get('write', [])
            return bool(group_write)

        if is_scope_principal(request):
            return True
        requested_username = request.query_params.get('username')
        if requested_username:
            # Self-lookup: the caller may only ask about the username carried
            # in their own identity header, not an arbitrary one.
            identity = request.user.identity_header.get('decoded', {}).get('identity', {})
            own_username = identity.get('user', {}).get('username')
            return requested_username == own_username
        group_read = request.user.access.get('group', {}).get('read', [])
        return bool(group_read)
 def test_has_scoped_principal_post(self):
     """A POST carrying scope=principal must not be treated as principal-scoped."""
     request = Mock(
         user=Mock(spec=User),
         method='POST',
         query_params={SCOPE_KEY: PRINCIPAL_SCOPE},
     )
     self.assertFalse(is_scope_principal(request=request))
 def test_has_scoped_principal_get(self):
     """A GET carrying scope=principal is recognised as principal-scoped."""
     request = Mock(
         user=Mock(spec=User),
         method="GET",
         query_params={SCOPE_KEY: PRINCIPAL_SCOPE},
     )
     self.assertTrue(is_scope_principal(request=request))
 def has_permission(self, request, view):
     """Return whether ``request`` may act on role resources.

     ``ALLOW_ANY`` (environment) and ``request.user.admin`` grant access
     outright.  A safe method is otherwise allowed when ``is_scope_principal``
     accepts the request or the ``role`` read grant is non-empty; any other
     method requires a non-empty ``role`` write grant.
     """
     # NOTE(review): ALLOW_ANY bypasses every other check here; confirm it is
     # never set in production and that get_value does not treat an arbitrary
     # non-empty string as true.
     if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
         return True
     if request.user.admin:
         return True

     is_read_only = request.method in permissions.SAFE_METHODS
     if is_read_only and is_scope_principal(request):
         return True
     # Read-only methods consult the read grant, everything else the write grant.
     grant_name = 'read' if is_read_only else 'write'
     role_access = request.user.access.get('role', {})
     return bool(role_access.get(grant_name, []))
    def has_permission(self, request, view):
        """Return whether ``request`` may act on policy resources.

        ``ALLOW_ANY`` (environment) and ``request.user.admin`` grant access
        outright.  A safe method is otherwise allowed when
        ``is_scope_principal`` accepts the request or the ``policy`` read grant
        is non-empty; any other method requires a non-empty ``policy`` write
        grant.
        """
        # NOTE(review): ALLOW_ANY bypasses every other check here; confirm it
        # is never set in production and that get_value does not treat an
        # arbitrary non-empty string as true.
        if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
            return True
        if request.user.admin:
            return True

        if request.method not in permissions.SAFE_METHODS:
            # Mutating requests are gated solely by the policy write grant.
            policy_access = request.user.access.get("policy", {})
            return bool(policy_access.get("write", []))

        if is_scope_principal(request):
            return True
        policy_access = request.user.access.get("policy", {})
        return bool(policy_access.get("read", []))
    def has_permission(self, request, view):
        """Return whether ``request`` may act on group resources.

        ``ALLOW_ANY`` (environment) and ``request.user.admin`` grant access
        outright.  A safe method is otherwise allowed when
        ``is_scope_principal`` accepts the request, when the request path is
        the ``group-list`` route, when a ``username`` query parameter equals
        ``request.user.username``, or when the ``group`` read grant is
        non-empty; any other method requires a non-empty ``group`` write grant.
        """
        # NOTE(review): ALLOW_ANY bypasses every other check here; confirm it
        # is never set in production and that get_value does not treat an
        # arbitrary non-empty string as true.
        if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
            return True
        if request.user.admin:
            return True

        if request.method not in permissions.SAFE_METHODS:
            # Mutating requests are gated solely by the group write grant.
            group_write = request.user.access.get("group", {}).get("write", [])
            return bool(group_write)

        # NOTE(review): any non-admin caller can read the group-list route
        # regardless of their group grants.  The path is read from the private
        # ``_request`` attribute of the DRF wrapper, which is not public API.
        on_group_list = request._request.path == reverse("group-list")
        if is_scope_principal(request) or on_group_list:
            return True
        requested_username = request.query_params.get("username")
        if requested_username:
            # Self-lookup only: the parameter must name the caller themselves.
            return requested_username == request.user.username
        group_read = request.user.access.get("group", {}).get("read", [])
        return bool(group_read)
 def test_has_scoped_not_principal_get(self):
     """A GET whose scope parameter is not ``principal`` is not principal-scoped."""
     request = Mock(
         user=Mock(spec=User),
         method='GET',
         query_params={SCOPE_KEY: 'bad'},
     )
     self.assertFalse(is_scope_principal(request=request))