
from rest_framework import permissions 

from rest_framework.permissions import ( # noqa: F401 

BasePermission, 

IsAuthenticated as rf_IsAuthenticated, 

IsAdminUser, 

) 

 

from backend_app.utils import is_member 

 

 

class IsAuthenticated(rf_IsAuthenticated):
    """
    DRF's ``IsAuthenticated`` with an explicit object-level check.

    The inherited ``BasePermission.has_object_permission`` returns True
    unconditionally. Repeating the view-level decision here keeps the
    object-level answer from being more permissive than the view-level one,
    which matters when this class is combined with others through ``|``.
    """

    def has_object_permission(self, request, view, obj):
        """Return the same decision as ``has_permission``; ``obj`` is not inspected."""
        return self.has_permission(request, view)

 

 

class IsStaff(IsAdminUser):
    """
    DRF's ``IsAdminUser`` with an explicit object-level check.

    Without the override below, the object-level check would fall back to
    ``BasePermission.has_object_permission``, which always returns True.
    Delegating to ``has_permission`` makes the staff requirement hold at
    object level as well.
    """

    def has_object_permission(self, request, view, obj):
        """Return the same decision as ``has_permission``; ``obj`` is not inspected."""
        return self.has_permission(request, view)

 

 

class IsDri(BasePermission):
    """
    Make a viewset read-only unless the requester belongs to the "DRI" group.

    Safe methods (``permissions.SAFE_METHODS``) are always allowed; any other
    method is allowed only when ``is_member("DRI", request.user)`` says so.

    NOTE: this class does not check authentication by itself. A safe-method
    request passes regardless of who sends it, so combine it with an
    authentication permission where reads must not be anonymous.
    """

    def has_permission(self, request, view):
        """Allow safe methods, otherwise defer to DRI group membership."""
        # Short-circuit: the membership lookup only runs for unsafe methods.
        return request.method in permissions.SAFE_METHODS or is_member(
            "DRI", request.user
        )

    def has_object_permission(self, request, view, obj):
        """Apply the view-level rule unchanged at object level."""
        return self.has_permission(request, view)

 

 

class IsOwner(BasePermission):
    """
    Allow access only when the requester owns the object.

    The object must either expose an ``owner`` attribute that holds a user,
    or be the user itself.

    NOTE: ``has_permission`` always returns True, so this class restricts
    nothing at view level. It only takes effect where the view runs
    object-level checks; endpoints that never call them (typically list and
    create) are not protected by this class alone.
    """

    def has_permission(self, request, view):
        """Always pass at view level; ownership is decided per object."""
        return True

    def has_object_permission(self, request, view, obj):
        """Return whether ``request.user`` equals ``obj.owner`` (or ``obj``)."""
        # NOTE(review): the except clause also covers an AttributeError raised
        # while evaluating request.user or the comparison, not only a missing
        # ``owner`` attribute -- confirm that is intended.
        try:
            is_owner = request.user == obj.owner
        except AttributeError:
            # No ``owner`` attribute: treat obj as the user model instance.
            is_owner = request.user == obj
        return is_owner

 

 

class IsFollower(BasePermission):
    """
    Allow access only when the requester follows the object (a list of universities).

    The object must have a ``followers`` field that corresponds to a list of
    users; it is queried with ``filter(pk=...)``.

    NOTE: ``has_permission`` is not overridden, so the view-level check is
    the inherited ``BasePermission`` default (always True). Only object-level
    checks are restricted by this class.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when a follower with the requester's pk exists."""
        followers = obj.followers
        # exists() asks the database for presence only, without loading rows.
        return followers.filter(pk=request.user.pk).exists()

 

 

class IsPublic(BasePermission):
    """
    Allow access only to objects flagged as public.

    The object must have an ``is_public`` field.

    NOTE: ``has_permission`` is not overridden, so the view-level check is
    the inherited ``BasePermission`` default (always True). Non-public
    objects are only rejected where object-level checks run; list endpoints
    need their own queryset filtering.
    """

    def has_object_permission(self, request, view, obj):
        """Return ``obj.is_public`` as-is; the caller evaluates its truthiness."""
        return obj.is_public

 

 

class NoDelete(BasePermission):
    """
    Reject DELETE requests; every other HTTP method passes.

    This is a method filter only: it says nothing about who the requester is.
    """

    def has_permission(self, request, view):
        """Return False for DELETE, True otherwise."""
        return request.method != "DELETE"

    def has_object_permission(self, request, view, obj):
        """Apply the view-level rule unchanged at object level."""
        return self.has_permission(request, view)

 

 

class NoPost(BasePermission):
    """
    Reject POST requests; every other HTTP method passes.

    This is a method filter only: it says nothing about who the requester is.
    """

    def has_permission(self, request, view):
        """Return False for POST, True otherwise."""
        return request.method != "POST"

    def has_object_permission(self, request, view, obj):
        """Apply the view-level rule unchanged at object level."""
        return self.has_permission(request, view)

 

 

class ReadOnly(BasePermission):
    """
    Make a viewset read-only: only ``permissions.SAFE_METHODS`` are allowed.
    """

    def has_permission(self, request, view):
        """Return True only for safe HTTP methods."""
        return request.method in permissions.SAFE_METHODS

    def has_object_permission(self, request, view, obj):
        """
        Return True only for safe HTTP methods, at object level too.

        This override is required because the class is used with "OR".
        Without it, ``IsOwner | ReadOnly`` could pass ``has_permission`` via
        IsOwner and then pass ``has_object_permission`` via ReadOnly's
        inherited default, which always returns True. That would let a
        non-owner write to the object.
        """
        return request.method in permissions.SAFE_METHODS