Commit 7d91374b authored by Thibaud Duquennoy's avatar Thibaud Duquennoy

update: user_permissions method

update: user_permissions method
parent 4eba0e2e
1 merge request!36Resolve "auto_author gives permission to everybody???"
Pipeline #836 failed
...@@ -34,7 +34,7 @@ class WACPermissions(permissions.DjangoObjectPermissions): ...@@ -34,7 +34,7 @@ class WACPermissions(permissions.DjangoObjectPermissions):
return super().has_permission(request, view) return super().has_permission(request, view)
# This method should be overriden by other permission classes # This method should be overriden by other permission classes
def user_permissions(self, request, view, obj): def user_permissions(self, request, obj):
return [] return []
def filter_user_perms(self, request, obj, permissions): def filter_user_perms(self, request, obj, permissions):
...@@ -53,26 +53,36 @@ class ObjectFilter(filters.BaseFilterBackend): ...@@ -53,26 +53,36 @@ class ObjectFilter(filters.BaseFilterBackend):
class ObjectPermission(WACPermissions): class ObjectPermission(WACPermissions):
filter_class = ObjectFilter filter_class = ObjectFilter
class InboxPermissions(WACPermissions): class InboxPermissions(WACPermissions):
""" """
Anonymous users: can create notifications but can't read Everybody can create
Logged in users: can create notifications but can't read Author can edit
Inbox owners: can read + update all notifications
""" """
filter_class = ObjectFilter anonymous_perms = ['view', 'create']
authenticated_perms = ['view','create']
author_perms = ['view']
def has_permission(self, request, view): def has_permission(self, request, view):
if view.action in ['create', 'retrieve', 'update', 'partial_update', 'destroy']: if view.action in ['create', 'list', 'retrieve']:
return True return True
else: else:
return super().has_permission(request, view) return super().has_permission(request, view)
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if view.action == "create": if view.action == ['update', 'partial_update', 'destroy']:
return True return False
if hasattr(obj._meta, 'auto_author'): else:
if request.user == getattr(obj, obj._meta.auto_author): return super().has_object_permission(request, view)
return True
return super().has_object_permission(request, view) def user_permissions(self, request, obj):
if request.user.is_anonymous:
return self.anonymous_perms
else:
if hasattr(obj._meta, 'auto_author') and getattr(obj, obj._meta.auto_author) == request.user:
return self.author_perms
else:
return self.authenticated_perms
class AnonymousReadOnly(WACPermissions): class AnonymousReadOnly(WACPermissions):
""" """
...@@ -83,7 +93,7 @@ class AnonymousReadOnly(WACPermissions): ...@@ -83,7 +93,7 @@ class AnonymousReadOnly(WACPermissions):
anonymous_perms = ['view'] anonymous_perms = ['view']
authenticated_perms = ['view','add'] authenticated_perms = ['view','add']
author_perms = ['view', 'add', 'change'] author_perms = ['view', 'add', 'change', 'control', 'delete']
def has_permission(self, request, view): def has_permission(self, request, view):
if view.action in ['list', 'retrieve']: if view.action in ['list', 'retrieve']:
...@@ -106,7 +116,7 @@ class AnonymousReadOnly(WACPermissions): ...@@ -106,7 +116,7 @@ class AnonymousReadOnly(WACPermissions):
else: else:
return super().has_object_permission(request, view, obj) return super().has_object_permission(request, view, obj)
def user_permissions(self, request, view, obj): def user_permissions(self, request, obj):
if request.user.is_anonymous: if request.user.is_anonymous:
return self.anonymous_perms return self.anonymous_perms
else: else:
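Review bot: In the new `InboxPermissions.has_object_permission`, `view.action == ['update', 'partial_update', 'destroy']` compares a string with a list and is never true, so the intended refusal of update and delete never runs; it should read `if view.action in ['update', 'partial_update', 'destroy']:`. The fall-through `super().has_object_permission(request, view)` also omits `obj`, unlike the `AnonymousReadOnly` call further down, which passes `(request, view, obj)`, so every object-level check would presumably raise a TypeError instead of returning a decision. The new docstring says "Author can edit" while `author_perms = ['view']` gives the author less than `authenticated_perms`, and these lists use `'create'` where `AnonymousReadOnly` and the serializer use `'add'`; the names should be aligned before the lists are filtered against each other. `has_permission` now returns True for `list` and `retrieve` for any caller, whereas the old docstring said anonymous users could not read, so it is worth confirming that anonymous inbox reads are intended.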
......
...@@ -196,25 +196,23 @@ class LDPSerializer(HyperlinkedModelSerializer): ...@@ -196,25 +196,23 @@ class LDPSerializer(HyperlinkedModelSerializer):
return fields + list(getattr(self.Meta, 'extra_fields', [])) return fields + list(getattr(self.Meta, 'extra_fields', []))
def get_permissions(self, obj): def get_permissions(self, obj):
permissions = [] permissions = ['view', 'add', 'change', 'control', 'delete']
for permission_class in obj._meta.permission_classes: for permission_class in obj._meta.permission_classes:
perms = permission_class().filter_user_perms(self.context['request'], obj, permissions) permissions = permission_class().filter_user_perms(self.context['request'], obj, permissions)
permissions = get_perms(self.context['request'].user, obj) permissions += get_perms(self.context['request'].user, obj)
return [{'mode': {'@type': name.split('_')[0]}} for name in permissions] return [{'mode': {'@type': name.split('_')[0]}} for name in permissions]
def to_representation(self, obj): def to_representation(self, obj):
data = super().to_representation(obj) data = super().to_representation(obj)
permissions = ['view', 'add', 'change', 'control', 'delete']
if hasattr(obj._meta, 'rdf_type'): if hasattr(obj._meta, 'rdf_type'):
data['@type'] = obj._meta.rdf_type data['@type'] = obj._meta.rdf_type
if hasattr(obj._meta, 'rdf_context'): if hasattr(obj._meta, 'rdf_context'):
data['@context'] = obj._meta.rdf_context data['@context'] = obj._meta.rdf_context
data['permissions'] self.get_permissions(obj) data['permissions'] = self.get_permissions(obj)
return data return data
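Review bot: `get_permissions` now starts from the full list `['view', 'add', 'change', 'control', 'delete']` and only narrows it inside the loop, so a model whose `permission_classes` is empty advertises every mode to every caller; that default should be an explicit decision, ideally documented in a comment on the initial list. `permissions += get_perms(...)` extends in place whatever list `filter_user_perms` returned. Its body is not visible on this page, but if it hands back a class-level list such as `anonymous_perms`, one user's object permissions would accumulate there and appear in later responses for other users, so prefer `permissions = list(permissions) + get_perms(self.context['request'].user, obj)`. The concatenation can also yield the same mode twice once `name.split('_')[0]` is applied, so the names should be de-duplicated before the result is built.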
......