Merge branch 'author_to_user' into 'master'

update: Fix permissions & add owner_field See merge request startinblox/djangoldp-packages/djangoldp!86

Merge branch 'author_to_user' into 'master'
update: Fix permissions & add owner_field See merge request startinblox/djangoldp-packages/djangoldp!86
d56827ad · Jean-Baptiste Pasquier · 800a8312 · 8f174fcb · d56827ad · d56827ad
Commit d56827ad authored 5 years ago by Jean-Baptiste Pasquier
--- a/README.md
+++ b/README.md
@@ -176,17 +176,21 @@ With inherit, Users can herit from Anons. Also Owners can herit from Users.
 Eg. with this model Anons can view, Auths can add & Owners can edit & delete.
+Note that `owner_perms` need a `owner_field` meta that point the field with owner user.
 ```python
 from djangoldp.models import Model
 class Todo(Model):
    name = models.CharField(max_length=255)
    deadline = models.DateTimeField()
+    user = models.ForeignKey(settings.AUTH_USER_MODEL)
    class Meta:
        anonymous_perms = ['view']
        authenticated_perms = ['inherit', 'add']
        owner_perms = ['inherit', 'change', 'control', 'delete']
+        owner_field = 'user'
 ```

--- a/djangoldp/__init__.py
+++ b/djangoldp/__init__.py
 from django.db.models import options
 __version__ = '0.0.0'
-options.DEFAULT_NAMES += ('lookup_field', 'rdf_type', 'rdf_context', 'auto_author', 'view_set', 'container_path', 'permission_classes', 'serializer_fields', 'nested_fields', 'depth', 'anonymous_perms', 'authenticated_perms', 'owner_perms')
+options.DEFAULT_NAMES += ('lookup_field', 'rdf_type', 'rdf_context', 'auto_author', 'owner_field', 'view_set', 'container_path', 'permission_classes', 'serializer_fields', 'nested_fields', 'depth', 'anonymous_perms', 'authenticated_perms', 'owner_perms')
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -13,21 +13,21 @@ class LDPPermissions(BasePermission):
    authenticated_perms = ['inherit']
    owner_perms = ['inherit']
-    def user_permissions(self, user, obj):
+    def user_permissions(self, user, model, obj=None):
        """
-            Filter user permissions for a given object
+            Filter user permissions for a model class
        """
        # Get Anonymous permissions from Model's Meta. If not found use default
-        anonymous_perms = getattr(obj._meta, 'anonymous_perms', self.anonymous_perms)
+        anonymous_perms = getattr(model._meta, 'anonymous_perms', self.anonymous_perms)
        # Get Auth permissions from Model's Meta. If not found use default
-        authenticated_perms = getattr(obj._meta, 'authenticated_perms', self.authenticated_perms)
+        authenticated_perms = getattr(model._meta, 'authenticated_perms', self.authenticated_perms)
        # Extend Auth if inherit is given
        if 'inherit' in authenticated_perms:
            authenticated_perms = authenticated_perms + list(set(anonymous_perms) - set(authenticated_perms))
        # Get Owner permissions from Model's Meta. If not found use default
-        owner_perms = getattr(obj._meta, 'owner_perms', self.owner_perms)
+        owner_perms = getattr(model._meta, 'owner_perms', self.owner_perms)
        # Extend Owner if inherit is given
        if 'inherit' in owner_perms:
            owner_perms = owner_perms + list(set(authenticated_perms) - set(owner_perms))
@@ -36,7 +36,7 @@ class LDPPermissions(BasePermission):
            return anonymous_perms
        else:
-            if hasattr(obj._meta, 'auto_author') and getattr(obj, getattr(obj._meta, 'auto_author')) == user:
+            if obj and hasattr(model._meta, 'owner_field') and getattr(obj, getattr(model._meta, 'owner_field')) == user:
                return owner_perms
            else:
@@ -76,10 +76,15 @@ class LDPPermissions(BasePermission):
        """
            Access to containers
        """
-        perms = self.get_permissions(request.method, view.model)
+        model = view.model
-        # A bit tricky, but feels redondant to redeclarate perms_map
+        perms = self.get_permissions(request.method, model)
+        try:
+            obj = view.model.resolve_id(request._request.path)
+        except:
+            obj = None
        for perm in perms:
-            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, view.model):
+            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, model, obj):
                return False
        return True
@@ -91,10 +96,10 @@ class LDPPermissions(BasePermission):
            User does not have permission:   403
        """
        perms = self.get_permissions(request.method, obj)
+        model = obj
-        # A bit tricky, but feels redondant to redeclarate perms_map
        for perm in perms:
-            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, obj):
+            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, model, obj):
                return False
        return True