Exemplo n.º 1
0
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
    """
    Custom Permission class to check user is a course editor for the course or has django model access
    """
    def __init__(self):
        self.django_perms = DjangoModelPermissions()

    def has_permission(self, request, view):
        if self.django_perms.has_permission(request, view):
            return True
        elif request.user.is_staff:
            return True
        elif request.method == 'POST':
            course = request.data.get('course')
            if not course:
                return False
            org, _ = parse_course_key_fragment(course)
            return org and CourseEditor.can_create_course(request.user, org)
        else:
            return True  # other write access attempts will be caught by object permissions below

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        else:
            return CourseEditor.is_course_editable(request.user, obj.course)
Exemplo n.º 2
0
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
    """
    Custom Permission class to check user is a course editor for the course or has django model access
    """
    def __init__(self):
        self.django_perms = DjangoModelPermissions()

    def has_permission(self, request, view):
        if self.django_perms.has_permission(request, view):
            return True
        elif request.user.is_staff:
            return True
        elif request.method == 'POST':
            course = request.data.get('course')
            if not course:
                # Fail happily because OPTIONS goes down this path too with a fake POST.
                # If this is a real POST, we'll complain about the missing course in the view.
                return True
            org, _ = parse_course_key_fragment(course)
            return org and CourseEditor.can_create_course(request.user, org)
        else:
            return True  # other write access attempts will be caught by object permissions below

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        else:
            return CourseEditor.is_course_editable(request.user, obj.course)
Exemplo n.º 3
0
    def has_object_permission(self, request, view, obj):
        if view.action not in ['update', 'partial_update', 'destroy']:
            return True

        modelperm = DjangoModelPermissions()
        if modelperm.has_permission(request, view):
            return True

        return register_log_has_perm(request, obj)
Exemplo n.º 4
0
    def has_object_permission(self, request, view, obj):
        if view.action not in ['update', 'partial_update', 'destroy']:
            return True

        modelperm = DjangoModelPermissions()
        if modelperm.has_permission(request, view):
            return True

        return register_log_has_perm(request, obj)
Exemplo n.º 5
0
 def has_object_permission(self, request, view, obj):
     owner_policy_perms_map = self.owner_policy_perms_map
     if obj and request.method in owner_policy_perms_map:
         kwargs = {
             'app_label': obj._meta.app_label,
             'model_name': obj._meta.model_name
         }
         perm_templates = owner_policy_perms_map[request.method]
         permissions = [
             perm_template.format(**kwargs)
             for perm_template in perm_templates
         ]
         user = request.user
         is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
         has_owner_policy_perms = (user.has_perms(permissions) or is_owner)
         if not has_owner_policy_perms:
             return False
     return DjangoModelPermissions.has_permission(self, request, view)
Exemplo n.º 6
0
    def has_object_permission(self, request, view, obj):
        owner_policy_perms_map = self.owner_policy_perms_map
        if obj and request.method in owner_policy_perms_map:
            kwargs = {
                'app_label': obj._meta.app_label,
                'model_name': obj._meta.model_name
            }
            perm_templates = owner_policy_perms_map[request.method]
            permissions = [
                perm_template.format(**kwargs)
                for perm_template
                in perm_templates

            ]
            user = request.user
            is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
            has_owner_policy_perms = (
                user.has_perms(permissions) or is_owner
            )
            if not has_owner_policy_perms:
                return False
        return DjangoModelPermissions.has_permission(
            self, request, view
        )