def has_permission(self, request, view): # Workaround to ensure DjangoModelPermissions are not applied # to the root view when using DefaultRouter. if getattr(view, '_ignore_model_permissions', False): return True permission = action_to_permission(view.action) if permission is None: return False user = request.user queryset = view.get_queryset() permission_handler = self.permission_handler(view) has_perm = permission_handler.has_perm(user, permission, queryset=queryset, view=view, request=request) setattr(request, 'user_has_perm', has_perm) if has_perm: return True object_permissions = permission_handler.has_object_level_permissions( user, permission, queryset=queryset) if object_permissions: return True return has_perm
def has_object_permission(self, request, view, obj): if getattr(request, 'user_has_perm', False): return True permission = action_to_permission(view.action) user = request.user queryset = view.get_queryset() permission_handler = self.permission_handler(view) return permission_handler.has_perm(user, permission, queryset=queryset, obj=obj, check_keyword_permissions=False)
def has_permission(self, request, view): from lego.apps.events.models import Event handler = get_permission_handler(Event) perm = action_to_permission(view.action) # Only check keyword permissions for CREATE if perm is CREATE: return handler.has_event_type_level_permission( request.user, request, perm) # The user needs to have permission to edit the event_type AND needs to pass the # main permission check if perm is EDIT: if not handler.has_event_type_level_permission( request.user, request, perm): return False return super().has_permission(request, view)
def get_permissions(viewset_cls): routes = router.get_routes(viewset_cls) actions = [] for route in routes: actions += route.mapping.values() return [action_to_permission(action) for action in actions]