From 4eba0e2e067e3f1450e01d6c8d5f4333729a7661 Mon Sep 17 00:00:00 2001
From: Sylvain Le Bon <sylvain@happy-dev.fr>
Date: Fri, 15 Mar 2019 16:52:11 +0000
Subject: [PATCH] bugfix: added missing permissions
---
djangoldp/permissions.py | 20 +++++++-------------
djangoldp/serializers.py | 24 ++++++++++++++----------
2 files changed, 21 insertions(+), 23 deletions(-)
diff --git a/djangoldp/permissions.py b/djangoldp/permissions.py
index 47ec7ab7..f070a7b3 100644
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -37,6 +37,9 @@ class WACPermissions(permissions.DjangoObjectPermissions):
def user_permissions(self, request, view, obj):
return []
+ def filter_user_perms(self, request, obj, permissions):
+ return [perm for perm in permissions if perm in self.user_permissions(request, obj)]
+
class ObjectFilter(filters.BaseFilterBackend):
def filter_queryset(self, request, queryset, view):
@@ -78,9 +81,9 @@ class AnonymousReadOnly(WACPermissions):
Author: can read all posts + create new posts + update their own
"""
- anonymous_perms = [{'mode': {'@type': 'view'}}]
- authenticated_perms = [{'mode': {'@type': 'view'}}, {'mode': {'@type': 'add'}}]
- author_perms = [{'mode': {'@type': 'view'}}, {'mode': {'@type': 'add'}}, {'mode': {'@type': 'change'}}]
+ anonymous_perms = ['view']
+ authenticated_perms = ['view','add']
+ author_perms = ['view', 'add', 'change']
def has_permission(self, request, view):
if view.action in ['list', 'retrieve']:
@@ -110,13 +113,4 @@ class AnonymousReadOnly(WACPermissions):
if hasattr(obj._meta, 'auto_author') and getattr(obj, obj._meta.auto_author) == request.user:
return self.author_perms
else:
- return self.authenticated_perms
-
- def filter_user_perms(self, request, obj, permissions):
- if request.user.is_anonymous:
- return [perm for perm in permissions if perm in self.anonymous_perms]
- else:
- if hasattr(obj._meta, 'auto_author') and getattr(obj, obj._meta.auto_author) == request.user:
- return [perm for perm in permissions if perm in self.author_perms]
- else:
- return [perm for perm in permissions if perm in self.authenticated_perms]
\ No newline at end of file
+ return self.authenticated_perms
\ No newline at end of file
diff --git a/djangoldp/serializers.py b/djangoldp/serializers.py
index 9768a803..19b4fc3f 100644
--- a/djangoldp/serializers.py
+++ b/djangoldp/serializers.py
@@ -195,23 +195,27 @@ class LDPSerializer(HyperlinkedModelSerializer):
pass
return fields + list(getattr(self.Meta, 'extra_fields', []))
+ def get_permissions(self, obj):
+ permissions = []
+
+ for permission_class in obj._meta.permission_classes:
+ perms = permission_class().filter_user_perms(self.context['request'], obj, permissions)
+
+ permissions = get_perms(self.context['request'].user, obj)
+
+ return [{'mode': {'@type': name.split('_')[0]}} for name in permissions]
+
def to_representation(self, obj):
data = super().to_representation(obj)
- permissions = [{'mode': {'@type': 'view'}}, {'mode': {'@type': 'add'}}, {'mode': {'@type': 'change'}}, {'mode': {'@type': ''}}]
+ permissions = ['view', 'add', 'change', 'control', 'delete']
if hasattr(obj._meta, 'rdf_type'):
data['@type'] = obj._meta.rdf_type
-
- data['permissions'] = [{'mode': {'@type': name.split('_')[0]}} for name in
- get_perms(self.context['request'].user, obj)]
-
- for permission_class in obj._meta.permission_classes:
- perms = permission_class().filter_user_perms(self.context['request'], obj, permissions)
- data['permissions'] += perms
-
if hasattr(obj._meta, 'rdf_context'):
data['@context'] = obj._meta.rdf_context
-
+
+ data['permissions'] self.get_permissions(obj)
+
return data
def build_standard_field(self, field_name, model_field):
--
GitLab