Commit 6478a0ae authored by Maël Kervella's avatar Maël Kervella

Add ACL permission on API

parent 510a0c9b
from rest_framework import permissions
from re2o.acl import can_create, can_edit, can_delete, can_view_all
class DefaultACLPermission(permissions.BasePermission):
"""
Permission subclass in charge of checking the ACL to determine
if a user can access the models
"""
perms_map = {
'GET': [lambda model: model.can_view_all],
'OPTIONS': [lambda model: model.can_view_all],
'HEAD': [lambda model: model.can_view_all],
'POST': [lambda model: model.can_create],
#'PUT': [],
#'PATCH': [],
#'DELETE': [],
}
perms_obj_map = {
'GET': [lambda obj: obj.can_view],
'OPTIONS': [lambda obj: obj.can_view],
'HEAD': [lambda obj: obj.can_view],
#'POST': [],
'PUT': [lambda obj: obj.can_edit],
#'PATCH': [],
'DELETE': [lambda obj: obj.can_delete],
}
def get_required_permissions(self, method, model):
"""
Given a model and an HTTP method, return the list of acl
functions that the user is required to verify.
"""
if method not in self.perms_map:
raise exceptions.MethodNotAllowed(method)
return [perm(model) for perm in self.perms_map[method]]
def get_required_object_permissions(self, method, obj):
"""
Given an object and an HTTP method, return the list of acl
functions that the user is required to verify.
"""
if method not in self.perms_map:
raise exceptions.MethodNotAllowed(method)
return [perm(obj) for perm in self.perms_map[method]]
def _queryset(self, view):
"""
Return the queryset associated with view and raise an error
is there is none.
"""
assert hasattr(view, 'get_queryset') \
or getattr(view, 'queryset', None) is not None, (
'Cannot apply {} on a view that does not set '
'`.queryset` or have a `.get_queryset()` method.'
).format(self.__class__.__name__)
if hasattr(view, 'get_queryset'):
queryset = view.get_queryset()
assert queryset is not None, (
'{}.get_queryset() returned None'.format(view.__class__.__name__)
)
return queryset
return view.queryset
def has_permission(self, request, view):
# Workaround to ensure ACLPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False):
return True
if not request.user or not request.user.is_authenticated:
return False
queryset = self._queryset(view)
perms = self.get_required_permissions(request.method, queryset.model)
return all(perm(request.user)[0] for perm in perms)
def has_object_permission(self, request, view, obj):
# authentication checks have already executed via has_permission
queryset = self._queryset(view)
user = request.user
perms = self.get_required_object_permissions(request.method, obj)
if not all(perm(request.user)[0] for perm in perms):
# If the user does not have permissions we need to determine if
# they have read permissions to see 403, or not, and simply see
# a 404 response.
if request.method in SAFE_METHODS:
# Read permissions already checked and failed, no need
# to make another lookup.
raise Http404
read_perms = self.get_required_object_permissions('GET', obj)
if not read_perms(request.user)[0]:
raise Http404
# Has read permissions.
return False
return True
......@@ -32,6 +32,6 @@ REST_FRAMEWORK = {
'rest_framework.authentication.SessionAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
'api.permissions.DefaultACLPermission',
)
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment