From 7d91374b11bed8a329866236504a55f805808b35 Mon Sep 17 00:00:00 2001
From: Thibaud Duquennoy <thibaud@duquennoy.fr>
Date: Fri, 15 Mar 2019 18:29:57 +0100
Subject: [PATCH] update: user_permissions method

update: user_permissions method
---
 djangoldp/permissions.py | 38 ++++++++++++++++++++++++--------------
 djangoldp/serializers.py | 12 +++++-------
 2 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/djangoldp/permissions.py b/djangoldp/permissions.py
index f070a7b3..7a9b4b20 100644
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -34,7 +34,7 @@ class WACPermissions(permissions.DjangoObjectPermissions):
             return super().has_permission(request, view)
 
     # This method should be overriden by other permission classes
-    def user_permissions(self, request, view, obj):
+    def user_permissions(self, request, obj):
         return []
 
     def filter_user_perms(self, request, obj, permissions):
@@ -53,26 +53,36 @@ class ObjectFilter(filters.BaseFilterBackend):
 class ObjectPermission(WACPermissions):
     filter_class = ObjectFilter
 
+
 class InboxPermissions(WACPermissions):
     """
-        Anonymous users: can create notifications but can't read
-        Logged in users: can create notifications but can't read
-        Inbox owners: can read + update all notifications
+        Everybody can create
+        Author can edit
     """
-    filter_class = ObjectFilter
+    anonymous_perms = ['view', 'create']
+    authenticated_perms = ['view','create']
+    author_perms = ['view']
+
     def has_permission(self, request, view):
-        if view.action in ['create', 'retrieve', 'update', 'partial_update', 'destroy']:
+        if view.action in ['create', 'list', 'retrieve']:
             return True
         else:
             return super().has_permission(request, view)
 
     def has_object_permission(self, request, view, obj):
-        if view.action == "create":
-            return True
-        if hasattr(obj._meta, 'auto_author'):
-            if request.user == getattr(obj, obj._meta.auto_author):
-                return True
-        return super().has_object_permission(request, view)
+        if view.action == ['update', 'partial_update', 'destroy']:
+            return False
+        else:
+            return super().has_object_permission(request, view)
+
+    def user_permissions(self, request, obj):
+        if request.user.is_anonymous:
+            return self.anonymous_perms
+        else:
+            if hasattr(obj._meta, 'auto_author') and getattr(obj, obj._meta.auto_author) == request.user:
+                return self.author_perms
+            else:
+                return self.authenticated_perms
 
 class AnonymousReadOnly(WACPermissions):
     """
@@ -83,7 +93,7 @@ class AnonymousReadOnly(WACPermissions):
 
     anonymous_perms = ['view']
     authenticated_perms = ['view','add']
-    author_perms = ['view', 'add', 'change']
+    author_perms = ['view', 'add', 'change', 'control', 'delete']
 
     def has_permission(self, request, view):
         if view.action in ['list', 'retrieve']:
@@ -106,7 +116,7 @@ class AnonymousReadOnly(WACPermissions):
         else:
             return super().has_object_permission(request, view, obj)
 
-    def user_permissions(self, request, view, obj):
+    def user_permissions(self, request, obj):
         if request.user.is_anonymous:
             return self.anonymous_perms
         else:
diff --git a/djangoldp/serializers.py b/djangoldp/serializers.py
index 19b4fc3f..a7fea8d2 100644
--- a/djangoldp/serializers.py
+++ b/djangoldp/serializers.py
@@ -196,25 +196,23 @@ class LDPSerializer(HyperlinkedModelSerializer):
         return fields + list(getattr(self.Meta, 'extra_fields', []))
 
     def get_permissions(self, obj):
-        permissions = []
+        permissions = ['view', 'add', 'change', 'control', 'delete']
 
         for permission_class in obj._meta.permission_classes:
-            perms = permission_class().filter_user_perms(self.context['request'], obj, permissions)
-        
-        permissions = get_perms(self.context['request'].user, obj)
-        
+            permissions = permission_class().filter_user_perms(self.context['request'], obj, permissions)
+
+        permissions += get_perms(self.context['request'].user, obj)
         return [{'mode': {'@type': name.split('_')[0]}} for name in permissions]
 
     def to_representation(self, obj):
         data = super().to_representation(obj)
-        permissions = ['view', 'add', 'change', 'control', 'delete']
 
         if hasattr(obj._meta, 'rdf_type'):
             data['@type'] = obj._meta.rdf_type
         if hasattr(obj._meta, 'rdf_context'):
             data['@context'] = obj._meta.rdf_context
         
-        data['permissions'] self.get_permissions(obj)
+        data['permissions'] = self.get_permissions(obj)
         
         return data
 
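Review bot: `get_permissions` now concatenates `get_perms(...)` onto the list already narrowed by the permission classes, so the same mode can be emitted twice (for example 'view' from the filtered list and a 'view_…' entry from `get_perms` both map to `{'@type': 'view'}`); the modes should be deduplicated before building the result, e.g. `modes = dict.fromkeys(name.split('_')[0] for name in permissions)` followed by `return [{'mode': {'@type': mode}} for mode in modes]`. Seeding `permissions` with the full `['view', 'add', 'change', 'control', 'delete']` list also means an object whose `_meta.permission_classes` is empty advertises every mode, since nothing narrows the list; if that is not intended, the method should start from an empty list or reject a model with no permission classes — I cannot see `filter_user_perms`, so the intended default may be handled there. A short docstring stating that the returned list is the union of class-filtered modes and per-object perms would help the next reader.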
-- 
GitLab