def has_object_permission(self, request, view, obj):
    """Decide whether the request may act on ``obj``.

    Only the ``update``, ``partial_update`` and ``destroy`` actions are
    restricted here. For those, holding the model-level permission is
    sufficient; otherwise the decision is delegated to
    ``register_log_has_perm(request, obj)``.
    """
    restricted_actions = ('update', 'partial_update', 'destroy')
    if view.action in restricted_actions:
        if DjangoModelPermissions().has_permission(request, view):
            return True
        return register_log_has_perm(request, obj)
    # NOTE(review): every other action, including any custom @action route
    # that performs a write, passes the object check unconditionally.
    return True
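def if_can_do_actions(request, view, obj):
    """Return whether ``request.user`` may act on ``obj``.

    Access is granted to the object's owner, to a superuser, or to a manager
    of ``obj.event.cell`` who also holds the Django model permission that
    matches the request method.
    """
    user = request.user
    if obj.user == user or user.is_superuser:
        return True
    is_manager = user in obj.event.cell.managers.all()
    # DjangoModelPermissions does not override has_object_permission(), so the
    # inherited BasePermission version returns True for every object and the
    # manager branch was never actually gated on model permissions. The check
    # that consults the user's add/change/delete permissions is
    # has_permission(); it needs ``view`` to expose a queryset.
    return is_manager and DjangoModelPermissions().has_permission(request, view)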
def get_permissions(self):
    """Return the permission instances that guard the current action.

    ``update``, ``destroy`` and ``can_update`` require authentication, group
    membership (``IsSameGroup``) and the model permission. ``create`` and
    ``all_can_update`` require authentication and the model permission.
    Every other action uses ``self.permission_classes``.
    """
    same_group_actions = ('update', 'destroy', 'can_update')
    model_only_actions = ('create', 'all_can_update')
    if self.action in same_group_actions:
        return [IsAuthenticated(), IsSameGroup(), DjangoModelPermissions()]
    if self.action in model_only_actions:
        return [IsAuthenticated(), DjangoModelPermissions()]
    # NOTE(review): 'partial_update' is not listed above, so a PATCH is guarded
    # only by permission_classes and skips IsSameGroup. Confirm that the
    # defaults are at least as strict as the 'update' branch, or that PATCH is
    # not routed on this viewset.
    return [permission_cls() for permission_cls in self.permission_classes]
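def has_object_permission(self, request, view, obj):
    """Allow the object's owner, or a user holding the model permission.

    Unauthenticated requests are always refused.
    """
    user = request.user
    if not user.is_authenticated:
        return False
    # Compare by equality: ``request.user`` and ``obj.user`` are normally
    # separate instances of the same row, so an identity test (``is``) does
    # not recognise the owner.
    if user == obj.user:
        return True
    # DjangoModelPermissions inherits BasePermission.has_object_permission(),
    # which returns True for any object; delegating to it let every
    # authenticated user through. has_permission() is the method that checks
    # the user's model permissions for the request method.
    return DjangoModelPermissions().has_permission(request, view)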
def get_permissions(self):
    """Pick permissions by HTTP method.

    Safe (read-only) methods are open to everyone, including anonymous
    clients. ``POST`` needs an authenticated user. Any other method needs the
    Django model permission.
    """
    method = self.request.method
    if method in SAFE_METHODS:
        return [AllowAny()]
    if method == 'POST':
        # Creation is gated on authentication only; the model's "add"
        # permission is not consulted on this path.
        return [IsAuthenticated()]
    return [DjangoModelPermissions()]
def get_permissions(self):
    """Return the permission instances that guard the current action.

    ``update`` requires authentication, the model permission and
    ``RecoverOrderIsSameGroup``. ``create``, ``can_create``, ``can_update``
    and ``all_can_update`` require authentication and the model permission.
    Every other action uses ``self.permission_classes``.
    """
    model_only_actions = ('create', 'can_create', 'can_update', 'all_can_update')
    if self.action == 'update':
        return [
            IsAuthenticated(),
            DjangoModelPermissions(),
            RecoverOrderIsSameGroup()
        ]
    if self.action in model_only_actions:
        return [IsAuthenticated(), DjangoModelPermissions()]
    # NOTE(review): 'partial_update' and 'destroy' are not listed, so they are
    # guarded only by permission_classes and skip RecoverOrderIsSameGroup.
    # Confirm that is intended or that those routes are not exposed.
    return [permission_cls() for permission_cls in self.permission_classes]
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
    """
    Permission class granting access to users who hold the Django model
    permission, are staff, or are a course editor for the course involved.
    """

    def __init__(self):
        self.django_perms = DjangoModelPermissions()

    def has_permission(self, request, view):
        """View-level check.

        Model permission or staff status is sufficient. Otherwise a ``POST``
        must name a ``course`` whose organisation the user may create courses
        for. All other methods are passed on to the object-level check.
        """
        if self.django_perms.has_permission(request, view) or request.user.is_staff:
            return True
        if request.method != 'POST':
            # Other write attempts are left to has_object_permission(), which
            # only runs if the view performs the object permission check.
            return True
        course = request.data.get('course')
        if not course:
            return False
        org, _ = parse_course_key_fragment(course)
        return org and CourseEditor.can_create_course(request.user, org)

    def has_object_permission(self, request, view, obj):
        """Object-level check: reads are open, writes need course-editor rights."""
        # NOTE(review): staff status and the model permission are not
        # consulted here; a write is decided by is_course_editable() alone.
        return request.method in SAFE_METHODS or CourseEditor.is_course_editable(request.user, obj.course)
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
    """
    Permission class granting access to users who hold the Django model
    permission, are staff, or are a course editor for the course involved.
    """

    def __init__(self):
        self.django_perms = DjangoModelPermissions()

    def has_permission(self, request, view):
        """View-level check.

        Model permission or staff status is sufficient. Otherwise a ``POST``
        that names a ``course`` is allowed only if the user may create courses
        for that organisation. All other methods are passed on to the
        object-level check.
        """
        if self.django_perms.has_permission(request, view) or request.user.is_staff:
            return True
        if request.method != 'POST':
            # Other write attempts are left to has_object_permission(), which
            # only runs if the view performs the object permission check.
            return True
        course = request.data.get('course')
        if not course:
            # Deliberately permissive: OPTIONS reaches this branch as a
            # simulated POST with no body. A real POST without a course is
            # therefore not stopped here, so the view itself must reject it
            # before creating anything.
            return True
        org, _ = parse_course_key_fragment(course)
        return org and CourseEditor.can_create_course(request.user, org)

    def has_object_permission(self, request, view, obj):
        """Object-level check: reads are open, writes need course-editor rights."""
        # NOTE(review): staff status and the model permission are not
        # consulted here; a write is decided by is_course_editable() alone.
        return request.method in SAFE_METHODS or CourseEditor.is_course_editable(request.user, obj.course)
def has_permission(self, request, view):
    """Allow admin or model-permitted users, or OAuth2 tokens with read/write scope.

    A request that passes ``IsAdminUser`` or ``DjangoModelPermissions`` is
    accepted outright only when it was not authenticated through
    ``OAuth2Authentication``. Every other request, including all
    OAuth2-authenticated ones, must satisfy ``TokenHasReadWriteScope``.
    """
    # Despite the name used in similar code, this is an authorisation result:
    # the user is an admin or holds the model permission.
    user_is_permitted = (
        IsAdminUser().has_permission(request, view)
        or DjangoModelPermissions().has_permission(request, view)
    )
    came_via_oauth2 = False
    if user_is_permitted:
        came_via_oauth2 = isinstance(request.successful_authenticator,
                                     OAuth2Authentication)
    scope_check = TokenHasReadWriteScope()
    if user_is_permitted and not came_via_oauth2:
        return True
    # OAuth2 callers never inherit the user's own privileges: the token's
    # scope is what decides.
    return scope_check.has_permission(request, view)
def has_object_permission(self, request, view, obj):
    """Apply the owner policy to ``obj``, then the model-level check.

    When the request method has an entry in ``self.owner_policy_perms_map``,
    the user must either own the object or hold every permission built from
    that entry's templates. Requests that pass, and methods with no entry,
    are then decided by ``DjangoModelPermissions.has_permission``.
    """
    policy_map = self.owner_policy_perms_map
    if obj and request.method in policy_map:
        template_args = {
            'app_label': obj._meta.app_label,
            'model_name': obj._meta.model_name
        }
        required_perms = [
            template.format(**template_args)
            for template in policy_map[request.method]
        ]
        requester = request.user
        owns_object = OwnerPolicyPermissionHelper.is_user_owner(requester, obj)
        if not (requester.has_perms(required_perms) or owns_object):
            return False
    # Passing the owner policy does not replace the model permission: the
    # view-level check is applied again.
    return DjangoModelPermissions.has_permission(self, request, view)
def has_object_permission(self, request, view, obj):
    """Check the owner policy for ``obj`` before the model-level permission.

    If ``self.owner_policy_perms_map`` has an entry for the request method,
    a user who neither owns the object nor holds all permissions derived
    from that entry is refused. Otherwise the result is whatever
    ``DjangoModelPermissions.has_permission`` returns.
    """
    owner_policy = self.owner_policy_perms_map
    policy_applies = obj and request.method in owner_policy
    if policy_applies:
        meta = obj._meta
        fill = {'app_label': meta.app_label, 'model_name': meta.model_name}
        wanted = []
        for template in owner_policy[request.method]:
            wanted.append(template.format(**fill))
        current_user = request.user
        user_owns_obj = OwnerPolicyPermissionHelper.is_user_owner(current_user, obj)
        allowed_by_policy = current_user.has_perms(wanted) or user_owns_obj
        if not allowed_by_policy:
            return False
    # Ownership alone is not enough: the model permission is still required.
    return DjangoModelPermissions.has_permission(
        self, request, view
    )
def get_permissions(self):
    """Require the model permission for edits and deletes, login for the rest.

    ``update``, ``partial_update`` and ``destroy`` are guarded by
    ``DjangoModelPermissions``. Every other action, ``create`` included,
    only requires an authenticated user.
    """
    write_actions = ('update', 'partial_update', 'destroy')
    if self.action in write_actions:
        return [DjangoModelPermissions()]
    return [IsAuthenticated()]
def has_permission(self, request, view):
    """Accept a request that passes the API-key check or the model permission check.

    Either credential is sufficient on its own. The model permission is
    consulted only when the API-key check does not pass.
    """
    api_key_result = ApiKeyHeaderPermission().has_permission(request, view)
    if api_key_result:
        return api_key_result
    return DjangoModelPermissions().has_permission(request, view)
def has_permission(self, request, view):
    """Delegate the view-level decision to ``DjangoModelPermissions``."""
    model_permissions = DjangoModelPermissions()
    return model_permissions.has_permission(request, view)
def get_permissions(self):
    """Return the permission instances for the current action.

    The ``product`` action requires authentication, the model permission and
    ``IsMFGUser``. All other actions use ``self.permission_classes``.
    """
    if self.action != 'product':
        return [permission_cls() for permission_cls in self.permission_classes]
    return [IsAuthenticated(), DjangoModelPermissions(), IsMFGUser()]
def __init__(self):
    """Create the ``DjangoModelPermissions`` helper stored on ``self.django_perms``."""
    model_permissions = DjangoModelPermissions()
    self.django_perms = model_permissions
def get_permissions(self):
    """Return the permission instances for the current action.

    ``create`` requires authentication and the model permission. All other
    actions use ``self.permission_classes``.
    """
    if self.action != 'create':
        return [permission_cls() for permission_cls in self.permission_classes]
    return [IsAuthenticated(), DjangoModelPermissions()]
def get_permissions(self):
    """Return the permission instances for the current action.

    ``list``, ``retrieve`` and ``create`` are guarded by
    ``DjangoModelPermissions``. Every other action is open to any caller.
    """
    guarded_actions = ('list', 'retrieve', 'create')
    if self.action in guarded_actions:
        return [DjangoModelPermissions()]
    # NOTE(review): this fallback covers update, partial_update and destroy if
    # the viewset routes them, leaving edits and deletes unauthenticated while
    # reads are restricted. The split reads as inverted; confirm it is
    # intended, or restrict the fallback.
    return [AllowAny()]
def get_permissions(self):
    """Open reads to everyone and require the model permission for writes.

    Safe (read-only) methods are allowed for any caller, including anonymous
    clients. Every other method is guarded by ``DjangoModelPermissions``.
    """
    is_read_only = self.request.method in SAFE_METHODS
    return [AllowAny()] if is_read_only else [DjangoModelPermissions()]