def has_permission(self, request, view): if bypass_permissions(request): return True # request should be token authenticated if not request.auth: return False # detail actions are processed in has_object_permission method if view.action != "create": return True object_type_url = request.data.get("type") if not object_type_url: return False try: object_type = ObjectType.objects.get_by_url(object_type_url) except (ObjectType.DoesNotExist, ValueError, TypeError): return False object_type_permission = request.auth.get_permission_for_object_type( object_type) return bool( object_type_permission and object_type_permission.mode == PermissionModes.read_and_write)
def has_permission(self, request: Request, view) -> bool: from rest_framework.viewsets import ViewSetMixin if bypass_permissions(request): return True scopes_required = get_required_scopes(view) component = self.get_component(view) if not self.permission_fields: return request.jwt_auth.has_auth(scopes_required, component) main_resource = self.get_main_resource() if view.action == "create": if view.__class__ is main_resource: main_object_data = request.data else: main_object_url = request.data[view.permission_main_object] main_object_path = urlparse(main_object_url).path main_object = get_resource_for_path(main_object_path) main_object_data = self.format_data(main_object, request) fields = self.get_fields(main_object_data) return request.jwt_auth.has_auth(scopes_required, component, **fields) # detect if this is an unsupported method - if it's a viewset and the # action was not mapped, it's not supported and DRF will catch it if view.action is None and isinstance(view, ViewSetMixin): return True # by default - check if the action is allowed at all return request.jwt_auth.has_auth(scopes_required, component)
def has_permission(self, request: Request, view) -> bool: # permission checks run before the handler is determined. if there is no handler, # a "method is not allowed" must be raised, not an HTTP 403 (see #385) # this implementation works for both APIView and viewsets has_handler = hasattr(view, request.method.lower()) if not has_handler: view.http_method_not_allowed(request) # JWTs are only valid for a short amount of time self.check_jwt_expiry(request.jwt_auth.payload) from rest_framework.viewsets import ViewSetMixin if bypass_permissions(request): return True scopes_required = get_required_scopes(view) component = self.get_component(view) if not self.permission_fields: return request.jwt_auth.has_auth(scopes_required, component) main_resource = self.get_main_resource() if view.action == "create": if view.__class__ is main_resource: main_object_data = request.data else: main_object_url = request.data[view.permission_main_object] main_object_path = urlparse(main_object_url).path try: main_object = get_resource_for_path(main_object_path) except ObjectDoesNotExist: raise ValidationError({ view.permission_main_object: ValidationError( _("The object does not exist in the database"), code="object-does-not-exist", ).detail }) except DjangoValidationError as exc: err_dict = as_serializer_error( ValidationError({view.permission_main_object: exc})) raise ValidationError(err_dict) main_object_data = self.format_data(main_object, request) fields = self.get_fields(main_object_data) return request.jwt_auth.has_auth(scopes_required, component, **fields) # detect if this is an unsupported method - if it's a viewset and the # action was not mapped, it's not supported and DRF will catch it if view.action is None and isinstance(view, ViewSetMixin): return True # by default - check if the action is allowed at all return request.jwt_auth.has_auth(scopes_required, component)
def has_permission(self, request: Request, view) -> bool: if bypass_permissions(request): return True scopes_required = get_required_scopes(view) component = self.get_component(view) main_object = view._get_zaak() main_object_data = self.format_data(main_object, request) fields = self.get_fields(main_object_data) return request.jwt_auth.has_auth(scopes_required, component, **fields)
def has_object_permission(self, request, view, obj): if bypass_permissions(request): return True object_permission = request.user.get_permission_for_object_type( obj.object_type) if not object_permission: return False if request.method in SAFE_METHODS: return True return bool(object_permission.mode == PermissionModes.read_and_write)
def has_permission(self, request, view): if bypass_permissions(request): return True # user should be authenticated if not (request.user and request.user.is_authenticated): return False # detail actions are processed in has_object_permission method if view.action != "create": return True object_type = request.data["type"] object_permission = request.user.get_permission_for_object_type( object_type) return bool( object_permission and object_permission.mode == PermissionModes.read_and_write)
def has_object_permission(self, request, view, obj): if bypass_permissions(request): return True object_permission = request.auth.get_permission_for_object_type( obj.object.object_type) if not object_permission: return False # forbid showing history if there is field based auth if (view.action == "history" and object_permission.mode == PermissionModes.read_only and object_permission.use_fields): return False if request.method in SAFE_METHODS: return True return bool(object_permission.mode == PermissionModes.read_and_write)
def has_object_permission(self, request: Request, view, obj) -> bool: if bypass_permissions(request): return True scopes_required = get_required_scopes(view) component = self.get_component(view) if not self.permission_fields: return request.jwt_auth.has_auth(scopes_required, component) main_resource = self.get_main_resource() if view.__class__ is main_resource: main_object = obj else: main_object = self.get_main_object(obj, view.permission_main_object) main_object_data = self.format_data(main_object, request) fields = self.get_fields(main_object_data) return request.jwt_auth.has_auth(scopes_required, component, **fields)