src/backend/core/api/permissions.py

"""Permission handlers for the impress core app."""

from django.core import exceptions

from rest_framework import permissions

ACTION_FOR_METHOD_TO_PERMISSION = {
    "versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}
}


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsAuthenticatedOrSafe(IsAuthenticated):
    """Allows access to authenticated users (or anonymous users but only on safe methods)."""

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return super().has_permission(request, view)


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsOwnedOrPublic(IsAuthenticated):
    """
    Allows access to authenticated users only for objects that are owned or not related
    to any user via the "owner" field.
    """

    def has_object_permission(self, request, view, obj):
        """Unsafe permissions are only allowed for the owner of the object."""
        if obj.owner == request.user:
            return True

        if request.method in permissions.SAFE_METHODS and obj.owner is None:
            return True

        try:
            return obj.user == request.user
        except exceptions.ObjectDoesNotExist:
            return False


class AccessPermission(permissions.BasePermission):
    """Permission class for access objects."""

    def has_permission(self, request, view):
        return request.user.is_authenticated or view.action != "create"

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        abilities = obj.get_abilities(request.user)
        action = view.action
        try:
            action = ACTION_FOR_METHOD_TO_PERMISSION[view.action][request.method]
        except KeyError:
            pass
        return abilities.get(action, False)
♻️(project) rename project from "publish" to "impress" The repository was renamed to "impress" but the code was still mentionning "publish". 2024-03-07 19:46:46 +01:00			`"""Permission handlers for the impress core app."""`
🚨(backend) fix linting issues after upgrading The last upgrades introduced some linting issues. This commit fixes them. 2024-08-20 16:42:27 +02:00
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`from django.core import exceptions`

			`from rest_framework import permissions`

✨(documents) allow retrieving versions (list and detail) Versions are retrieved directly from object storage and served on API endpoints. We make sure a user who is given access to a document will only see versions that were created after s.he gained access. 2024-04-08 23:37:15 +02:00			`ACTION_FOR_METHOD_TO_PERMISSION = {`
			`"versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}`
			`}`

✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`return bool(request.auth) or request.user.is_authenticated`


			`class IsAuthenticatedOrSafe(IsAuthenticated):`
			`"""Allows access to authenticated users (or anonymous users but only on safe methods)."""`

			`def has_permission(self, request, view):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return super().has_permission(request, view)`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00

			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


			`class IsOwnedOrPublic(IsAuthenticated):`
			`"""`
			`Allows access to authenticated users only for objects that are owned or not related`
			`to any user via the "owner" field.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Unsafe permissions are only allowed for the owner of the object."""`
			`if obj.owner == request.user:`
			`return True`

			`if request.method in permissions.SAFE_METHODS and obj.owner is None:`
			`return True`

			`try:`
			`return obj.user == request.user`
			`except exceptions.ObjectDoesNotExist:`
			`return False`


♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`class AccessPermission(permissions.BasePermission):`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`"""Permission class for access objects."""`

✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user. 2024-09-08 23:37:49 +02:00			`def has_permission(self, request, view):`
			`return request.user.is_authenticated or view.action != "create"`

✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`abilities = obj.get_abilities(request.user)`
✨(documents) allow retrieving versions (list and detail) Versions are retrieved directly from object storage and served on API endpoints. We make sure a user who is given access to a document will only see versions that were created after s.he gained access. 2024-04-08 23:37:15 +02:00			`action = view.action`
			`try:`
			`action = ACTION_FOR_METHOD_TO_PERMISSION[view.action][request.method]`
			`except KeyError:`
			`pass`
			`return abilities.get(action, False)`