def has_permission(self, request, view):
if request.method == 'GET':
return is_authenticated(request.user) and \
(request.user.id == int(view.kwargs.get('uid')) or
request.user.is_connected_to(view.kwargs.get('uid')))
if request.method == 'PUT':
return is_authenticated(request.user) and request.user.id == int(
view.kwargs.get('uid'))
return False
def has_permission(self, request, view):
# check if user athlete owner or connected coach
if request.method == 'GET':
return is_authenticated(request.user) and \
(request.user.id == int(view.kwargs.get('uid')) or
request.user.is_connected_to(view.kwargs.get('uid')))
# check if user is an authenticated athlete
if request.method == 'POST':
return is_authenticated(request.user) and request.user.is_athlete() and \
request.user.id == int(view.kwargs.get('uid'))
return False
def has_permission(self, request, view):
"""
Get whether the user has the permission required to call this view, with this method.
:param request: request that was done
:param view: requested view
:return: `True` if access is authorized, `False` otherwise
"""
if request.method == "POST":
return not (request.user and is_authenticated(request.user))
return request.user and is_authenticated(request.user)
def has_permission(self, request, view):
# Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False):
return True
if hasattr(view, 'get_queryset'):
queryset = view.get_queryset()
assert queryset is not None, (
'{}.get_queryset() returned None'.format(view.__class__.__name__)
)
else:
queryset = getattr(view, 'queryset', None)
assert queryset is not None, (
'Cannot apply DjangoModelPermissions on a view that '
'does not set `.queryset` or have a `.get_queryset()` method.'
)
perms = self.get_required_permissions(request.method, queryset.model)
return (
request.user and
(is_authenticated(request.user) or not self.authenticated_users_only) and
request.user.has_perms(perms)
)
def has_permission(self, request, view):
return (
request.method in permissions.SAFE_METHODS or
request.user and
is_authenticated(request.user) and
request.user.is_admin
)
def has_permission(self, request, view):
# Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False):
return True
# For `.get_queryset` to assume that anonymous check was passed
# when `authenticated_users_only` is `True`.
if (not request.user or (not is_authenticated(request.user)
and self.authenticated_users_only)):
return False
if hasattr(view, 'get_queryset'):
queryset = view.get_queryset()
assert queryset is not None, (
'{}.get_queryset() returned None'.format(
view.__class__.__name__))
else:
queryset = getattr(view, 'queryset', None)
assert queryset is not None, (
'Cannot apply DjangoModelPermissions on a view that '
'does not set `.queryset` or have a `.get_queryset()` method.')
perms = self.get_required_permissions(request.method, queryset.model)
return request.user.has_perms(perms)
def has_permission(self, request, view):
"""
List/create objects permission.
:param request: django request instance.
:type request: django.http.request.HttpRequest.
:param view: view set.
:type view: mk42.apps.core.api.viewsets.event.EventViewset.
:return: permission is granted.
:rtype: bool.
"""
if request.method in SAFE_METHODS:
# Read permissions are allowed to any request, so we'll always allow GET, HEAD or OPTIONS requests.
return True
if all([
request.method == POST,
is_authenticated(request.user),
]):
# Allow create events only for authenticated users.
if not self.check_event_dates(request):
self.message = _("Invalid dates.")
return False
return True
if request.method == PATCH:
# In futures steps of flow allow user edit self owned events.
return True
def has_permission(self, request, view):
if request.method == 'POST':
return True
return request.user and is_authenticated(
request.user) and (request.user.groups.filter(name="FG").exists()
or request.user.is_superuser)
def has_permission(self, request, view):
# Read permissions are allowed to authenticated user
if request.method in permissions.SAFE_METHODS:
return request.user and is_authenticated(request.user)
# Write permissions are only allowed to super user.
return request.user and request.user.is_staff
def has_object_permission(self, request, view, obj):
if request.method == 'GET':
return True
elif request.method == 'PUT' or request.method == 'DELETE':
return request.user.is_staff or obj.writer == request.user
elif request.method == 'POST':
return request.user and is_authenticated(request.user)
def is_user_authenticated(user):
if rest_framework.VERSION < '3.7.0':
from rest_framework.compat import is_authenticated
return is_authenticated(user)
else:
from rest_framework.compat import authenticated
return authenticated(user)
def has_permission(self, request, view):
if view.action == "create" and request.user and is_authenticated(
request.user):
return True
elif view.action == "list" and request.user and request.user.is_superuser:
return True
return False
def get_cache_key(self, request, view):
if is_authenticated(request.user):
ident = request.user.pk
else:
ident = self.get_ident(request)
return self.cache_format % {"scope": self.scope, "ident": ident}
def has_permission(self, request, view):
res = (request.method in SAFE_METHODS
or (request.user and is_authenticated(request.user) and
(request.user.is_staff or request.user.is_superuser)))
if not res:
raise NotAuth()
return res
def get_cache_key(self, request, view):
if is_authenticated(request.user):
ident = request.user.pk
else:
ident = self.get_ident(request)
return self.cache_format % {'scope': self.scope, 'ident': ident}
def has_permission(self, request, view):
"""
List/create objects permission.
:param request: django request instance.
:type request: django.http.request.HttpRequest.
:param view: view set.
:type view: mk42.apps.core.api.viewsets.rsvp.RSVPViewset.
:return: permission is granted.
:rtype: bool.
"""
if request.method in SAFE_METHODS:
# Read permissions are allowed to any request, so we'll always allow GET, HEAD or OPTIONS requests.
return True
if all([
request.method == POST,
is_authenticated(request.user),
]):
# Allow join to event only for authenticated users.
return True
if request.method == DELETE:
# In futures steps of flow allow user delete own RSVP.
return True
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS:
return True
contest = Contest.objects.get(pk=view.kwargs['pk'])
return (contest.public and request.user
and is_authenticated(request.user)
and not request.user.contest_account.filter(contest=contest)
) or (not contest.public and request.user.is_staff)
def get_cache_key(self, request, view):
if is_authenticated(request.user):
return None # Only throttle unauthenticated requests.
return self.cache_format % {
'scope': self.scope,
'ident': self.get_ident(request)
}
def has_permission(self, request, view):
# Read permissions are allowed to authenticated users only,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return request.user and is_authenticated(request.user)
# Allows access only to admin users for put/update/delete.
return request.user and request.user.is_staff
def get(self, request):
if is_authenticated(request.user):
username = request.user.username
else:
username = None
return Response({
'username': username
})
def dispatch(self, request, *args, **kwargs):
try:
return super(SafeTenantViewSetMixin,
self).dispatch(request, *args, **kwargs)
except ProgrammingError:
if request.user and not is_authenticated(request.user):
raise exceptions.NotAuthenticated()
raise
def has_permission(self, request, view):
if request.user.is_anonymous:
return (request.method in SAFE_METHODS
or request.user and is_authenticated(request.user))
participants = Participant.objects.filter(
email=request.user.email).count()
if participants > 0:
return True
def has_permission(self, request, view):
if request.user.is_anonymous:
return (request.method in SAFE_METHODS
or request.user and is_authenticated(request.user))
attendees = Attendance.objects.filter(
participant__email=request.user.email).count()
if attendees > 0:
return True
def create(self, request, format=None):
if is_authenticated(request.user):
raise PermissionDenied()
serializer = NewAccountSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
user = serializer.save()
return Response(AccountSerializer(user).data, status=201)
def get_is_follows(self, obj) -> bool:
"""
Check if a `request.user` follows this user (`obj`).
"""
follower = self.context.get('request').user
if not is_authenticated(follower):
return False
followee = obj
return Follow.objects.follows(follower=follower, followee=followee)
def has_permission(self, request, view):
if view.action == "create":
return True
elif view.action in ["update", "retrieve", "destroy"] \
and is_authenticated(request.user):
return True
elif view.action == "list" and request.user.is_superuser:
return True
return False
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
if request.method == 'POST':
return True
is_authed = request.user and is_authenticated(request.user)
is_self = request.user and request.user.id == obj.id
return is_authed and is_self
def has_permission(self, request, view):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in SAFE_METHODS:
return True
return request.user and is_authenticated(
request.user) and (request.user.groups.filter(name="FG").exists()
or request.user.is_superuser)
def has_permission(self, request, view):
if not is_authenticated(request.user):
return False
elif request.user.is_staff:
return True
elif request.method in permissions.SAFE_METHODS:
return True
else:
return False
def get_serializer_class(self):
user = self.request.user
is_in_flight = is_authenticated(user) and self.get_flight_queryset(
).filter(players__user=user).exists()
if is_in_flight or user.is_staff:
# include contact info
return PlayerSerializer
else:
return PlayerPublicSerializer
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS\
and obj.access == _AccessMixIn.ACCESS_TYPES[1][0]:
return True
# Instance must have an attribute named `owner`.
is_authed = request.user and is_authenticated(request.user)
is_owner = request.user and request.user == obj.owner
return is_authed() and is_owner
def get_queryset(self):
q = Flight.objects.all()
mine = self.kwargs.get('mine')
user = self.request.user
if mine:
if is_authenticated(user):
q = q.filter(players__user=user)
else:
# anonymous users don't have any.
q = q.none()
return q
def has_permission(self, request, view):
"""
Give permission for admin or user to access API
"""
if request.method in ('GET', 'PUT', 'DELETE'):
return (
request.user and
request.user.is_staff or
is_authenticated(request.user)
)
return request.user and request.user.is_staff
def has_object_permission(self, request, view, obj):
if request in ('GET', 'HEAD', 'OPTIONS'):
return True
if not request.user:
return False
if not is_authenticated(request.user):
return False
if isinstance(obj, OwnedModel):
return obj.owner == request.user.profile
else:
return True
def get_cache_key(self, request, view):
"""
If `view.throttle_scope` is not set, don't apply this throttle.
Otherwise generate the unique cache key by concatenating the user id
with the '.throttle_scope` property of the view.
"""
if is_authenticated(request.user):
ident = request.user.pk
else:
ident = self.get_ident(request)
return self.cache_format % {"scope": self.scope, "ident": ident}
def has_permission(self, request, view):
# Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False):
return True
if not request.user or (
not is_authenticated(request.user) and self.authenticated_users_only):
return False
queryset = self._queryset(view)
perms = self.get_required_permissions(request.method, queryset.model)
return request.user.has_perms(perms)
def has_permission(self, request, view):
if not settings.LOGIN_REQUIRED:
return True
return request.user and is_authenticated(request.user)
def get_cache_key(self, request, view):
if is_authenticated(request.user):
return None # Only throttle unauthenticated requests.
return self.cache_format % {"scope": self.scope, "ident": self.get_ident(request)}
def has_permission(self, request, view):
return (
request.method == 'POST' or
request.method in SAFE_METHODS or
request.user and is_authenticated(request.user)
)
def render(self, data, media_type=None, renderer_context=None):
request = renderer_context['request']
if is_authenticated(request.user):
return b'authenticated'
return b'not authenticated'
def list(self, request, format=None):
if not is_authenticated(request.user):
raise NotAuthenticated()
return Response(AccountSerializer(request.user).data)
def has_permission(self, request, view):
return request.user and is_authenticated(request.user)
