def has_perm(self, user, perm, obj=None): if not user.is_authenticated() or perm not in self.grants: return False if obj is None: return True elif user.is_active and field_lookup( user, self.user_attr) == field_lookup(obj, self.obj_attr): return True return False
def has_perm(self, user_obj, perm, obj=None): """ Check if user have `view` permission (of object) based on the ``pub_state`` and ``author`` of the instance. If no object is specified, it always return ``True``. If an object is specified, it will return ``True`` when the ``pub_state`` of the instance is: - 'public' | Anyone can see this obj - 'protected' | Seele, Nerv, Children can see this obj - 'draft' | Nobody but the obj author can see this obj Parameters ---------- user_obj : django user model instance A django user model instance which be checked perm : string `app_label.codename` formatted permission string obj : None or django model instance None or django model instance for object permission Returns ------- boolean Wheter the specified user have specified permission (of specified object). """ # construct the permission name permission_name = self.get_full_permission_string('view') # everybody have a potential to see the model if obj is None: return perm == permission_name if perm == permission_name: author = field_lookup(obj, self.author_field_name) pub_state = field_lookup(obj, self.pub_state_field_name) if pub_state == 'public': # if pub_state is public, everyone see this object return True elif pub_state == 'protected': # if pub_state is protected, users who logged in and role isn't # wille see this object return user_obj.is_authenticated() and user_obj.is_member elif pub_state == 'draft': # if pub_state is draft, Only author can see this object. return author == user_obj return False
def test_field_lookup_multiple_bridge_author_username(self): field_value = field_lookup(self.model, 'multiple_bridge__author__username') field_value = list(field_value) expected_value = [x.username for x in (self.bridge2.author, self.bridge3.author)] self.assertEqual(field_value, expected_value)
def has_perm(self, user_obj, perm, obj=None): # User must be logged in if not user_obj.is_authenticated(): return False # See if we can handle that perm if perm not in self.perms and perm not in self.denied: return False # if there isn't an object, that means we're looking for a module permission. # We don't do that. if obj is None: return False # If your account has been disabled, too bad. if not user_obj.is_active: return False # get all authorized_users in the object if not hasattr(self.field_name, '__iter__'): self.field_name = [self.field_name] for lookup in self.field_name: authorized_users = field_lookup(obj, lookup) if hasattr(authorized_users, 'all'): authorized_users = authorized_users.all() if user_obj == authorized_users or \ (hasattr(authorized_users, '__iter__') and user_obj in authorized_users): if perm in self.denied: raise PermissionDenied() return True
def test_field_lookup_multiple_bridge_author_username(self): field_value = field_lookup(self.model, 'multiple_bridge__author__username') field_value = list(field_value) expected_value = [ x.username for x in (self.bridge2.author, self.bridge3.author) ] self.assertEqual(field_value, expected_value)
def test_field_lookup_multiple_bridge_editors__name(self): field_value = field_lookup(self.model, 'multiple_bridge__editors__username') field_value = list(map(list, field_value)) expected_value1 = [x.username for x in self.bridge2.editors.iterator()] expected_value2 = [x.username for x in self.bridge3.editors.iterator()] expected_value = [expected_value1, expected_value2] self.assertEqual(field_value, expected_value)
def has_perm(self, user, perm, obj=None): if not user.is_authenticated() or not user.is_active: return False if obj is None: method = perm.split(".")[1].split("_")[0] return method in ('change', 'delete') else: bar = field_lookup(obj, self.field_name) return user.has_perm(perm, bar)
def test_field_lookup_multiple_bridge_editors(self): field_value = list(field_lookup(self.model, 'multiple_bridge__editors')) field_value = [ [repr(x) for x in field_value[0].iterator()], [repr(x) for x in field_value[1].iterator()], ] expected_value1 = [repr(x) for x in self.bridge2.editors.iterator()] expected_value2 = [repr(x) for x in self.bridge3.editors.iterator()] expected_value = [expected_value1, expected_value2] self.assertEqual(field_value, expected_value)
def has_perm(self, user, perm, obj=None): if not user.is_authenticated() or not user.is_active: return False if DEBUG: print("Logic: ", perm, obj) if obj is None: method = perm.split(".")[1].split("_")[0] return method in ('change', 'delete') else: bar = field_lookup(obj, self.field_name) return user.has_perm(perm, bar) return False
def has_perm(self, user, perm, obj): # non authenticated users cannot gain access through dynamic conditions if not user.is_authenticated() or perm not in self.grants: return False if obj is None: return True else: conditions = field_lookup(obj, self.condition_field).split(',') # any of the following conditions can be true for cond in conditions: if self.check_dynamic_condition(user, cond): return True return False
def has_perm(self, user_obj, perm, obj=None): # User must be logged in if not user_obj.is_authenticated: logger.debug("%s not signed in" % user_obj) return False # See if we can handle that perm if perm not in self.perms and perm not in self.denied: logger.debug("%s - permission not recognized" % perm) return False # if there isn't an object, that means we're looking for a module permission. # We don't do that. if obj is None: logger.debug( "%s - has_perm called without model instance; denying permission" % perm) return False # If your account has been disabled, too bad. if not user_obj.is_active: logger.debug("%s is not an active user" % user_obj) return False # get all authorized_users in the object if isinstance(self.field_name, string_types): self.field_name = [self.field_name] for lookup in self.field_name: authorized_users = field_lookup(obj, lookup) # break out of a generator expression if hasattr(authorized_users, '__iter__'): authorized_users = list(authorized_users) else: authorized_users = [authorized_users] for user in authorized_users: if hasattr(user, 'all'): authorized_users.extend(user.all()) authorized_users.remove(user) if (user_obj in authorized_users): if perm in self.denied: logger.debug("%s - DENIED for %s in lookup '%s'" % (perm, user_obj, lookup)) raise PermissionDenied() logger.debug("%s - GRANTED for %s in lookup '%s'" % (perm, user_obj, lookup)) return True
def has_perm(self, user_obj, perm, obj=None): # User must be logged in if not user_obj.is_authenticated: logger.debug("%s not signed in" % user_obj) return False # See if we can handle that perm if perm not in self.perms and perm not in self.denied: logger.debug("%s - permission not recognized" % perm) return False # if there isn't an object, that means we're looking for a module permission. # We don't do that. if obj is None: logger.debug("%s - has_perm called without model instance; denying permission" % perm) return False # If your account has been disabled, too bad. if not user_obj.is_active: logger.debug("%s is not an active user" % user_obj) return False # get all authorized_users in the object if isinstance(self.field_name, string_types): self.field_name = [self.field_name] for lookup in self.field_name: authorized_users = field_lookup(obj, lookup) # break out of a generator expression if hasattr(authorized_users, '__iter__'): authorized_users = list(authorized_users) else: authorized_users = [authorized_users] for user in authorized_users: if hasattr(user, 'all'): authorized_users.extend(user.all()) authorized_users.remove(user) if (user_obj in authorized_users): if perm in self.denied: logger.debug("%s - DENIED for %s in lookup '%s'" % (perm, user_obj, lookup)) raise PermissionDenied() logger.debug("%s - GRANTED for %s in lookup '%s'" % (perm, user_obj, lookup)) return True
def test_field_lookup_editors(self): field_value = field_lookup(self.model, 'editors') field_value = (x for x in field_value.iterator()) expected_value = map(repr, (self.editor1, self.editor2)) self.assertQuerysetEqual(field_value, expected_value)
def test_field_lookup_single_bridge_editors_username(self): field_value = list( field_lookup(self.model, 'single_bridge__editors__username')) expected_value = [x.username for x in self.bridge1.editors.iterator()] self.assertEqual(field_value, expected_value)
def test_field_lookup_multiple_bridge_author(self): field_value = field_lookup(self.model, 'multiple_bridge__author') expected_value = list( map(repr, (self.bridge2.author, self.bridge3.author))) self.assertQuerysetEqual(field_value, expected_value)
def test_field_lookup_single_bridge_author_username(self): field_value = field_lookup(self.model, 'single_bridge__author__username') self.assertEqual(field_value, self.bridge1.author.username)
def test_field_lookup_single_bridge_editors(self): field_value = field_lookup(self.model, 'single_bridge__editors') field_value = (x for x in field_value.iterator()) expected_value = list(map(repr, self.bridge1.editors.iterator())) self.assertQuerysetEqual(field_value, expected_value)
def accessor(fieldname): """ returns an accessor function for fieldname where fieldname can be a '_' seperated django field name """ return lambda x: field_lookup(x, fieldname)
def test_field_lookup_single_bridge_editors_username(self): field_value = list(field_lookup(self.model, 'single_bridge__editors__username')) expected_value = [x.username for x in self.bridge1.editors.iterator()] self.assertEqual(field_value, expected_value)
def test_field_lookup_author(self): field_value = field_lookup(self.model, 'author') self.assertEqual(field_value, self.author)
def test_field_lookup_author_username(self): field_value = field_lookup(self.model, 'author__username') self.assertEqual(field_value, self.author.username)
def has_perm(self, user_obj, perm, obj=None): """ Check if user have permission (of object) If the user_obj is not authenticated, it return ``False``. If no object is specified, it return ``True`` when the corresponding permission was specified to ``True`` (changed from v0.7.0). This behavior is based on the django system. https://code.djangoproject.com/wiki/RowLevelPermissions If an object is specified, it will return ``True`` if the user is found in ``field_name`` of the object (e.g. ``obj.collaborators``). So once the object store the user as a collaborator in ``field_name`` attribute (default: ``collaborators``), the collaborator can change or delete the object (you can change this behavior to set ``any_permission``, ``change_permission`` or ``delete_permission`` attributes of this instance). Parameters ---------- user_obj : django user model instance A django user model instance which be checked perm : string `app_label.codename` formatted permission string obj : None or django model instance None or django model instance for object permission Returns ------- boolean Whether the specified user have specified permission (of specified object). """ if not is_authenticated(user_obj): return False # construct the permission full name change_permission = self.get_full_permission_string('change') delete_permission = self.get_full_permission_string('delete') if obj is None: # object permission without obj should return True # Ref: https://code.djangoproject.com/wiki/RowLevelPermissions if self.any_permission: return True if self.change_permission and perm == change_permission: return True if self.delete_permission and perm == delete_permission: return True return False elif user_obj.is_active: # get collaborator queryset collaborators = field_lookup(obj, self.field_name) if hasattr(collaborators, 'all'): collaborators = collaborators.all() if user_obj in collaborators: if self.any_permission: # have any kind of permissions to the obj return True if (self.change_permission and perm == change_permission): return True if (self.delete_permission and perm == delete_permission): return True return False
def test_field_lookup_editors_username(self): field_value = list(field_lookup(self.model, 'editors__username')) expected_value = [x.username for x in (self.editor1, self.editor2)] self.assertEqual(field_value, expected_value)
def has_perm(self, user_obj, perm, obj=None): """ Check if user have permission (of object) If the user_obj is not authenticated, it return ``False``. If no object is specified, it return ``True`` when the corresponding permission was specified to ``True`` (changed from v0.7.0). This behavior is based on the django system. https://code.djangoproject.com/wiki/RowLevelPermissions If an object is specified, it will return ``True`` if the user is specified in ``field_name`` of the object (e.g. ``obj.author``). So once user create an object and the object store who is the author in ``field_name`` attribute (default: ``author``), the author can change or delete the object (you can change this behavior to set ``any_permission``, ``change_permissino`` or ``delete_permission`` attributes of this instance). Parameters ---------- user_obj : django user model instance A django user model instance which be checked perm : string `app_label.codename` formatted permission string obj : None or django model instance None or django model instance for object permission Returns ------- boolean Wheter the specified user have specified permission (of specified object). """ if not user_obj.is_authenticated(): return False # construct the permission full name change_permission = self.get_full_permission_string('change') delete_permission = self.get_full_permission_string('delete') # check if the user is authenticated if obj is None: # object permission without obj should return True # Ref: https://code.djangoproject.com/wiki/RowLevelPermissions if self.any_permission: return True if self.change_permission and perm == change_permission: return True if self.delete_permission and perm == delete_permission: return True return False elif user_obj.is_active: # get author instance author = field_lookup(obj, self.field_name) if author == user_obj: if self.any_permission: # have any kind of permissions to the obj return True if (self.change_permission and perm == change_permission): return True if (self.delete_permission and perm == delete_permission): return True return False
def test_field_lookup_multiple_bridge_author(self): field_value = field_lookup(self.model, 'multiple_bridge__author') expected_value = list(map(repr, (self.bridge2.author, self.bridge3.author))) self.assertQuerysetEqual(field_value, expected_value)