class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
"""
Custom Permission class to check user is a course editor for the course or has django model access
"""
def __init__(self):
self.django_perms = DjangoModelPermissions()
def has_permission(self, request, view):
if self.django_perms.has_permission(request, view):
return True
elif request.user.is_staff:
return True
elif request.method == 'POST':
course = request.data.get('course')
if not course:
return False
org, _ = parse_course_key_fragment(course)
return org and CourseEditor.can_create_course(request.user, org)
else:
return True # other write access attempts will be caught by object permissions below
def has_object_permission(self, request, view, obj):
if request.method in SAFE_METHODS:
return True
else:
return CourseEditor.is_course_editable(request.user, obj.course)
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
"""
Custom Permission class to check user is a course editor for the course or has django model access
"""
def __init__(self):
self.django_perms = DjangoModelPermissions()
def has_permission(self, request, view):
if self.django_perms.has_permission(request, view):
return True
elif request.user.is_staff:
return True
elif request.method == 'POST':
course = request.data.get('course')
if not course:
# Fail happily because OPTIONS goes down this path too with a fake POST.
# If this is a real POST, we'll complain about the missing course in the view.
return True
org, _ = parse_course_key_fragment(course)
return org and CourseEditor.can_create_course(request.user, org)
else:
return True # other write access attempts will be caught by object permissions below
def has_object_permission(self, request, view, obj):
if request.method in SAFE_METHODS:
return True
else:
return CourseEditor.is_course_editable(request.user, obj.course)
def has_object_permission(self, request, view, obj):
if view.action not in ['update', 'partial_update', 'destroy']:
return True
modelperm = DjangoModelPermissions()
if modelperm.has_permission(request, view):
return True
return register_log_has_perm(request, obj)
def has_object_permission(self, request, view, obj):
if view.action not in ['update', 'partial_update', 'destroy']:
return True
modelperm = DjangoModelPermissions()
if modelperm.has_permission(request, view):
return True
return register_log_has_perm(request, obj)
def has_object_permission(self, request, view, obj):
owner_policy_perms_map = self.owner_policy_perms_map
if obj and request.method in owner_policy_perms_map:
kwargs = {
'app_label': obj._meta.app_label,
'model_name': obj._meta.model_name
}
perm_templates = owner_policy_perms_map[request.method]
permissions = [
perm_template.format(**kwargs)
for perm_template in perm_templates
]
user = request.user
is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
has_owner_policy_perms = (user.has_perms(permissions) or is_owner)
if not has_owner_policy_perms:
return False
return DjangoModelPermissions.has_permission(self, request, view)
def has_object_permission(self, request, view, obj):
owner_policy_perms_map = self.owner_policy_perms_map
if obj and request.method in owner_policy_perms_map:
kwargs = {
'app_label': obj._meta.app_label,
'model_name': obj._meta.model_name
}
perm_templates = owner_policy_perms_map[request.method]
permissions = [
perm_template.format(**kwargs)
for perm_template
in perm_templates
]
user = request.user
is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
has_owner_policy_perms = (
user.has_perms(permissions) or is_owner
)
if not has_owner_policy_perms:
return False
return DjangoModelPermissions.has_permission(
self, request, view
)