62 lines
1.7 KiB
Python
62 lines
1.7 KiB
Python
import operator
|
|
|
|
from django.conf import settings
|
|
from django.http import Http404
|
|
|
|
from rest_framework.permissions import BasePermission, DjangoModelPermissions
|
|
|
|
|
|
class ConditionalAuthentication(BasePermission):
|
|
|
|
def has_permission(self, request, view):
|
|
if settings.API_AUTHENTICATION_REQUIRED:
|
|
return request.user and request.user.is_authenticated
|
|
return True
|
|
|
|
|
|
class HasModelPermission(DjangoModelPermissions):
|
|
"""
|
|
Same as DjangoModelPermissions, but we pin the model:
|
|
|
|
class MyModelPermission(HasModelPermission):
|
|
model = User
|
|
"""
|
|
def get_required_permissions(self, method, model_cls):
|
|
return super().get_required_permissions(method, self.model)
|
|
|
|
|
|
class OwnerPermission(BasePermission):
|
|
"""
|
|
Ensure the request user is the owner of the object.
|
|
|
|
Usage:
|
|
|
|
class MyView(APIView):
|
|
model = MyModel
|
|
permission_classes = [OwnerPermission]
|
|
owner_field = 'owner'
|
|
owner_checks = ['read', 'write']
|
|
"""
|
|
perms_map = {
|
|
'GET': 'read',
|
|
'OPTIONS': 'read',
|
|
'HEAD': 'read',
|
|
'POST': 'write',
|
|
'PUT': 'write',
|
|
'PATCH': 'write',
|
|
'DELETE': 'write',
|
|
}
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
method_check = self.perms_map[request.method]
|
|
owner_checks = getattr(view, 'owner_checks', ['read', 'write'])
|
|
if method_check not in owner_checks:
|
|
# check not enabled
|
|
return True
|
|
|
|
owner_field = getattr(view, 'owner_field', 'user')
|
|
owner = operator.attrgetter(owner_field)(obj)
|
|
if owner != request.user:
|
|
raise Http404
|
|
return True
|