From db815c9e0ce37dc836d946ba926ba2a0ee252d1d Mon Sep 17 00:00:00 2001
From: Thibaud Duquennoy <thibaud@duquennoy.fr>
Date: Tue, 5 Mar 2019 14:54:13 +0100
Subject: [PATCH] update permissions and serializer update: permissions and its serializer
---
 djangoldp/permissions.py | 25 +++++++------------------
 djangoldp/serializers.py | 23 ++++++++++++-----------
 2 files changed, 19 insertions(+), 29 deletions(-)
diff --git a/djangoldp/permissions.py b/djangoldp/permissions.py
index 8ee9a441..04502e21 100644
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -27,22 +27,11 @@ class WACPermissions(permissions.DjangoObjectPermissions):
 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
 }
- # All LDP permissions must extnd WACPermissions. Otherwise there
- # will be problems when view is nons.
-
 def has_permission(self, request, view):
 if request.method == 'OPTIONS':
 return True
- elif view:
- return super().has_permission(request, view)
 else:
- return False
-
- def has_object_permission(self, request, view, obj):
- if view:
- return super().has_object_permission(request, view, obj)
- else:
- return False
+ return super().has_permission(request, view)
 class ObjectFilter(filters.BaseFilterBackend):
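Review bot: With the `elif view:` guard and the `has_object_permission` override removed, `WACPermissions` no longer fails closed when it is handed `view=None`; `has_permission` now forwards whatever it receives to the DRF base class, which presumably raises instead of returning False. The serializer hunk in this commit passes a real view, but any caller outside this diff that still passes `None` would turn a denial into a server error. The removed comment was the only record of that contract, so I would replace it with a docstring on `has_permission`, for example `"""Allow OPTIONS for everyone; defer all other methods to DjangoObjectPermissions. view must not be None."""`. The class body starts above the hunk.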
@@ -85,20 +74,20 @@ class AnonymousReadOnly(WACPermissions):
 Author: can read all posts + create new posts + update their own
 """
 def has_permission(self, request, view):
- if request.method == "GET":
+ if view.action in ['list', 'retrieve']:
 return True
 else:
 return super().has_permission(request, view)
- return False
 def has_object_permission(self, request, view, obj):
- if request.method == "GET":
+ if view.action == "create" and request.user.is_authenticated():
 return True
- elif request.method == "POST" and request.user.is_authenticated():
+ elif view.action == "retrieve":
 return True
- elif request.method in ('PUT', 'PATCH'):
+ elif view.action in ['update', 'partial_update', 'destroy']:
 if hasattr(obj._meta, 'auto_author'):
 author = getattr(obj, obj._meta.auto_author)
 if author == request.user:
 return True
- return False
\ No newline at end of file
+ else:
+ return super().has_object_permission(request, view, obj)
\ No newline at end of file
diff --git a/djangoldp/serializers.py b/djangoldp/serializers.py
index 9ea4d717..5d61766e 100644
--- a/djangoldp/serializers.py
+++ b/djangoldp/serializers.py
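Review bot: In `AnonymousReadOnly.has_object_permission` the `['update', 'partial_update', 'destroy']` branch has no return for a user who is not the author, so as far as the flattened hunk shows (indentation is lost here, so which `if` the new `else:` pairs with is an assumption) the method returns `None` and the denial depends on the caller treating `None` as falsy; end that branch with an explicit `return False`. The same branch now lets the author `destroy` the object, where the removed code covered only PUT and PATCH and the docstring still says "update their own", so confirm that delete is intended and update the docstring. Both methods read `view.action`, which only viewsets provide; `getattr(view, 'action', None)` would keep a plain API view from raising. The new `create` line keeps `request.user.is_authenticated()` as a call, which fails on Django versions where it is a plain boolean property; the Django version is not visible here.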
@@ -200,24 +200,25 @@ class LDPSerializer(HyperlinkedModelSerializer):
 get_perms(self.context['request'].user, obj)]
 if hasattr(obj._meta, 'permission_classes'):
+ currentView = self.context['view']
 currentRequest = self.context['request']
 permList = obj._meta.permission_classes
 if permList:
 for perm in permList:
 if issubclass (perm, permissions.WACPermissions):
- allowed = perm.has_permission(perm, currentRequest, None)
+ allowed = perm.has_permission(perm, currentRequest, currentView)
- if allowed:
- allowed = perm.has_object_permission(perm, currentRequest, None, obj)
-
- if allowed and currentRequest.method == 'GET':
+ if allowed and currentView.action == 'list' or currentView.action == 'retrieve':
 data['permissions'] += [{'mode': {'@type': 'view'}}]
- elif allowed and currentRequest.method == 'POST':
- data['permissions'] += [{'mode': {'@type': 'add'}}]
- elif allowed and currentRequest.method == 'PUT':
- data['permissions'] += [{'mode': {'@type': 'change'}}]
- elif allowed and currentRequest.method == 'PATCH':
- data['permissions'] += [{'mode': {'@type': 'change'}}]
+ elif allowed and currentView.action == 'create':
+ if perm.has_object_permission(perm, currentRequest, currentView, obj):
+ data['permissions'] += [{'mode': {'@type': 'add'}}]
+ elif allowed and currentView.action == 'update':
+ if perm.has_object_permission(perm, currentRequest, currentView, obj):
+ data['permissions'] += [{'mode': {'@type': 'change'}}]
+ elif allowed and currentView.action == 'partial_update':
+ if perm.has_object_permission(perm, currentRequest, currentView, obj):
+ data['permissions'] += [{'mode': {'@type': 'change'}}]
 if hasattr(obj._meta, 'rdf_context'):
 data['@context'] = obj._meta.rdf_context
-- GitLab
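Review bot: The new condition `if allowed and currentView.action == 'list' or currentView.action == 'retrieve':` parses as `(allowed and action == 'list') or action == 'retrieve'`, so on a retrieve the `view` mode is advertised even when `has_permission` returned False; write it as `if allowed and currentView.action in ('list', 'retrieve'):`. `perm.has_permission(perm, currentRequest, currentView)` still passes the class where an instance is expected, and with the permission methods now delegating to `super()` that may fail inside the base class; `perm().has_permission(currentRequest, currentView)`, and the same form for `has_object_permission`, avoids it. `self.context['view']` raises `KeyError` when the serializer is built without a view in its context, so a `self.context.get('view')` check before the loop would be safer. The enclosing serializer method starts and ends outside the hunk.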