def has_object_permission(self, request, view, obj):
if view.action not in ['update', 'partial_update', 'destroy']:
return True
modelperm = DjangoModelPermissions()
if modelperm.has_permission(request, view):
return True
return register_log_has_perm(request, obj)
def has_object_permission(self, request, view, obj):
if view.action not in ['update', 'partial_update', 'destroy']:
return True
modelperm = DjangoModelPermissions()
if modelperm.has_permission(request, view):
return True
return register_log_has_perm(request, obj)
def if_can_do_actions(request, view, obj):
is_owner = obj.user == request.user
is_manager = request.user in obj.event.cell.managers.all()
dj_perm = DjangoModelPermissions()
is_django_perms = dj_perm.has_object_permission(request, view, obj)
return is_owner or (is_manager
and is_django_perms) or request.user.is_superuser
def get_permissions(self):
if self.action == 'create':
return [IsAuthenticated(), DjangoModelPermissions()]
elif self.action == 'update':
return [IsAuthenticated(), IsSameGroup(), DjangoModelPermissions()]
# elif self.action == 'retrieve':
# return [DjangoModelPermissionsOrAnonReadOnly()]
elif self.action == 'destroy':
return [IsAuthenticated(), IsSameGroup(), DjangoModelPermissions()]
elif self.action == 'can_update':
return [IsAuthenticated(), IsSameGroup(), DjangoModelPermissions()]
elif self.action == 'all_can_update':
return [IsAuthenticated(), DjangoModelPermissions()]
return [permission() for permission in self.permission_classes]
def has_object_permission(self, request, view, obj):
if not request.user.is_authenticated:
return False
if request.user is obj.user:
return True
return DjangoModelPermissions().has_object_permission(request,view,obj)
def get_permissions(self):
if self.request.method in SAFE_METHODS:
return [AllowAny()]
elif self.request.method == 'POST':
return [IsAuthenticated()]
else:
return [DjangoModelPermissions()]
def get_permissions(self):
if self.action == 'create':
return [IsAuthenticated(), DjangoModelPermissions()]
elif self.action == 'update':
return [
IsAuthenticated(),
DjangoModelPermissions(),
RecoverOrderIsSameGroup()
]
elif self.action == 'can_create':
return [IsAuthenticated(), DjangoModelPermissions()]
elif self.action == 'can_update':
return [IsAuthenticated(), DjangoModelPermissions()]
elif self.action == 'all_can_update':
return [IsAuthenticated(), DjangoModelPermissions()]
return [permission() for permission in self.permission_classes]
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
"""
Custom Permission class to check user is a course editor for the course or has django model access
"""
def __init__(self):
self.django_perms = DjangoModelPermissions()
def has_permission(self, request, view):
if self.django_perms.has_permission(request, view):
return True
elif request.user.is_staff:
return True
elif request.method == 'POST':
course = request.data.get('course')
if not course:
return False
org, _ = parse_course_key_fragment(course)
return org and CourseEditor.can_create_course(request.user, org)
else:
return True # other write access attempts will be caught by object permissions below
def has_object_permission(self, request, view, obj):
if request.method in SAFE_METHODS:
return True
else:
return CourseEditor.is_course_editable(request.user, obj.course)
class IsCourseRunEditorOrDjangoOrReadOnly(BasePermission):
"""
Custom Permission class to check user is a course editor for the course or has django model access
"""
def __init__(self):
self.django_perms = DjangoModelPermissions()
def has_permission(self, request, view):
if self.django_perms.has_permission(request, view):
return True
elif request.user.is_staff:
return True
elif request.method == 'POST':
course = request.data.get('course')
if not course:
# Fail happily because OPTIONS goes down this path too with a fake POST.
# If this is a real POST, we'll complain about the missing course in the view.
return True
org, _ = parse_course_key_fragment(course)
return org and CourseEditor.can_create_course(request.user, org)
else:
return True # other write access attempts will be caught by object permissions below
def has_object_permission(self, request, view, obj):
if request.method in SAFE_METHODS:
return True
else:
return CourseEditor.is_course_editable(request.user, obj.course)
def has_permission(self, request, view):
is_authenticated = IsAdminUser().has_permission(
request, view) or DjangoModelPermissions().has_permission(
request, view)
oauth2authenticated = False
if is_authenticated:
oauth2authenticated = isinstance(request.successful_authenticator,
OAuth2Authentication)
token_has_scope = TokenHasReadWriteScope()
return (is_authenticated
and not oauth2authenticated) or token_has_scope.has_permission(
request, view)
def has_object_permission(self, request, view, obj):
owner_policy_perms_map = self.owner_policy_perms_map
if obj and request.method in owner_policy_perms_map:
kwargs = {
'app_label': obj._meta.app_label,
'model_name': obj._meta.model_name
}
perm_templates = owner_policy_perms_map[request.method]
permissions = [
perm_template.format(**kwargs)
for perm_template in perm_templates
]
user = request.user
is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
has_owner_policy_perms = (user.has_perms(permissions) or is_owner)
if not has_owner_policy_perms:
return False
return DjangoModelPermissions.has_permission(self, request, view)
def has_object_permission(self, request, view, obj):
owner_policy_perms_map = self.owner_policy_perms_map
if obj and request.method in owner_policy_perms_map:
kwargs = {
'app_label': obj._meta.app_label,
'model_name': obj._meta.model_name
}
perm_templates = owner_policy_perms_map[request.method]
permissions = [
perm_template.format(**kwargs)
for perm_template
in perm_templates
]
user = request.user
is_owner = OwnerPolicyPermissionHelper.is_user_owner(user, obj)
has_owner_policy_perms = (
user.has_perms(permissions) or is_owner
)
if not has_owner_policy_perms:
return False
return DjangoModelPermissions.has_permission(
self, request, view
)
def get_permissions(self):
if self.action not in ['update', 'partial_update', 'destroy']:
return [IsAuthenticated()]
return [DjangoModelPermissions()]
def has_permission(self, request, view):
return ApiKeyHeaderPermission().has_permission(request, view) or DjangoModelPermissions().has_permission(
request, view)
def has_permission(self, request, view):
return DjangoModelPermissions().has_permission(request, view)
def get_permissions(self):
if self.action == 'product':
return [IsAuthenticated(), DjangoModelPermissions(), IsMFGUser()]
return [permission() for permission in self.permission_classes]
def __init__(self):
self.django_perms = DjangoModelPermissions()
def get_permissions(self):
if self.action == 'create':
return [IsAuthenticated(), DjangoModelPermissions()]
return [permission() for permission in self.permission_classes]
def get_permissions(self):
if self.action in ['list', 'retrieve', 'create']:
return [DjangoModelPermissions()]
else:
return [AllowAny()]
def get_permissions(self):
if self.request.method in SAFE_METHODS:
return [AllowAny()]
else:
return [DjangoModelPermissions()]