src/backend/core/api/permissions.py

"""Permission handlers for the impress core app."""

from django.core import exceptions
from django.db.models import Q
from django.http import Http404

from rest_framework import permissions

from core.models import DocumentAccess, RoleChoices, get_trashbin_cutoff

ACTION_FOR_METHOD_TO_PERMISSION = {
    "versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"},
    "children": {"GET": "children_list", "POST": "children_create"},
}


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsAuthenticatedOrSafe(IsAuthenticated):
    """Allows access to authenticated users (or anonymous users but only on safe methods)."""

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return super().has_permission(request, view)


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsOwnedOrPublic(IsAuthenticated):
    """
    Allows access to authenticated users only for objects that are owned or not related
    to any user via the "owner" field.
    """

    def has_object_permission(self, request, view, obj):
        """Unsafe permissions are only allowed for the owner of the object."""
        if obj.owner == request.user:
            return True

        if request.method in permissions.SAFE_METHODS and obj.owner is None:
            return True

        try:
            return obj.user == request.user
        except exceptions.ObjectDoesNotExist:
            return False


class CanCreateInvitationPermission(permissions.BasePermission):
    """
    Custom permission class to handle permission checks for managing invitations.
    """

    def has_permission(self, request, view):
        user = request.user

        # Ensure the user is authenticated
        if not (bool(request.auth) or request.user.is_authenticated):
            return False

        # Apply permission checks only for creation (POST requests)
        if view.action != "create":
            return True

        # Check if resource_id is passed in the context
        try:
            document_id = view.kwargs["resource_id"]
        except KeyError as exc:
            raise exceptions.ValidationError(
                "You must set a document ID in kwargs to manage document invitations."
            ) from exc

        # Check if the user has access to manage invitations (Owner/Admin roles)
        return DocumentAccess.objects.filter(
            Q(user=user) | Q(team__in=user.teams),
            document=document_id,
            role__in=[RoleChoices.OWNER, RoleChoices.ADMIN],
        ).exists()


class AccessPermission(permissions.BasePermission):
    """Permission class for access objects."""

    def has_permission(self, request, view):
        return request.user.is_authenticated or view.action != "create"

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        abilities = obj.get_abilities(request.user)
        action = view.action
        try:
            action = ACTION_FOR_METHOD_TO_PERMISSION[view.action][request.method]
        except KeyError:
            pass
        return abilities.get(action, False)


class DocumentAccessPermission(AccessPermission):
    """Subclass to handle soft deletion specificities."""

    def has_object_permission(self, request, view, obj):
        """
        Return a 404 on deleted documents
        - for which the trashbin cutoff is past
        - for which the current user is not owner of the document or one of its ancestors
        """
        if (
            deleted_at := obj.ancestors_deleted_at
        ) and deleted_at < get_trashbin_cutoff():
            raise Http404

        # Compute permission first to ensure the "user_roles" attribute is set
        has_permission = super().has_object_permission(request, view, obj)

        if obj.ancestors_deleted_at and not RoleChoices.OWNER in obj.user_roles:
            raise Http404

        return has_permission
♻️(project) rename project from "publish" to "impress" The repository was renamed to "impress" but the code was still mentionning "publish". 2024-03-07 19:46:46 +01:00			`"""Permission handlers for the impress core app."""`
🚨(backend) fix linting issues after upgrading The last upgrades introduced some linting issues. This commit fixes them. 2024-08-20 16:42:27 +02:00
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`from django.core import exceptions`
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not. 2024-10-22 00:28:16 +02:00			`from django.db.models import Q`
✨(backend) add soft delete to documents and refactor db queryset Now that we have introduced a document tree structure, it is not possible to allow deleting documents anymore as it impacts the whole subtree below the deleted document and the consequences are too big. We introduce soft delete in order to give a second thought to the document's owner (who is the only one to be allowed to delete a document). After a document is soft deleted, the owner can still see it in the trashbin (/api/v1.0/documents/trashbin). After a grace period (30 days be default) the document disappears from the trashbin and can't be restored anymore. Note that even then it is still kept in database. Cleaning the database to erase deleted documents after the grace period can be done as a maintenance script. 2025-01-02 17:20:09 +01:00			`from django.http import Http404`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
			`from rest_framework import permissions`

✨(backend) add soft delete to documents and refactor db queryset Now that we have introduced a document tree structure, it is not possible to allow deleting documents anymore as it impacts the whole subtree below the deleted document and the consequences are too big. We introduce soft delete in order to give a second thought to the document's owner (who is the only one to be allowed to delete a document). After a document is soft deleted, the owner can still see it in the trashbin (/api/v1.0/documents/trashbin). After a grace period (30 days be default) the document disappears from the trashbin and can't be restored anymore. Note that even then it is still kept in database. Cleaning the database to erase deleted documents after the grace period can be done as a maintenance script. 2025-01-02 17:20:09 +01:00			`from core.models import DocumentAccess, RoleChoices, get_trashbin_cutoff`
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not. 2024-10-22 00:28:16 +02:00
✨(documents) allow retrieving versions (list and detail) Versions are retrieved directly from object storage and served on API endpoints. We make sure a user who is given access to a document will only see versions that were created after s.he gained access. 2024-04-08 23:37:15 +02:00			`ACTION_FOR_METHOD_TO_PERMISSION = {`
✨(backend) add API endpoint to create children for a document We add a POST method to the existing children endpoint. 2024-12-18 08:44:12 +01:00			`"versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"},`
			`"children": {"GET": "children_list", "POST": "children_create"},`
✨(documents) allow retrieving versions (list and detail) Versions are retrieved directly from object storage and served on API endpoints. We make sure a user who is given access to a document will only see versions that were created after s.he gained access. 2024-04-08 23:37:15 +02:00			`}`

✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`return bool(request.auth) or request.user.is_authenticated`


			`class IsAuthenticatedOrSafe(IsAuthenticated):`
			`"""Allows access to authenticated users (or anonymous users but only on safe methods)."""`

			`def has_permission(self, request, view):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return super().has_permission(request, view)`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00

			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


			`class IsOwnedOrPublic(IsAuthenticated):`
			`"""`
			`Allows access to authenticated users only for objects that are owned or not related`
			`to any user via the "owner" field.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Unsafe permissions are only allowed for the owner of the object."""`
			`if obj.owner == request.user:`
			`return True`

			`if request.method in permissions.SAFE_METHODS and obj.owner is None:`
			`return True`

			`try:`
			`return obj.user == request.user`
			`except exceptions.ObjectDoesNotExist:`
			`return False`


🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not. 2024-10-22 00:28:16 +02:00			`class CanCreateInvitationPermission(permissions.BasePermission):`
			`"""`
			`Custom permission class to handle permission checks for managing invitations.`
			`"""`

			`def has_permission(self, request, view):`
			`user = request.user`

			`# Ensure the user is authenticated`
			`if not (bool(request.auth) or request.user.is_authenticated):`
			`return False`

			`# Apply permission checks only for creation (POST requests)`
			`if view.action != "create":`
			`return True`

			`# Check if resource_id is passed in the context`
			`try:`
			`document_id = view.kwargs["resource_id"]`
			`except KeyError as exc:`
			`raise exceptions.ValidationError(`
			`"You must set a document ID in kwargs to manage document invitations."`
			`) from exc`

			`# Check if the user has access to manage invitations (Owner/Admin roles)`
			`return DocumentAccess.objects.filter(`
			`Q(user=user) \| Q(team__in=user.teams),`
			`document=document_id,`
			`role__in=[RoleChoices.OWNER, RoleChoices.ADMIN],`
			`).exists()`


♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`class AccessPermission(permissions.BasePermission):`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`"""Permission class for access objects."""`

✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user. 2024-09-08 23:37:49 +02:00			`def has_permission(self, request, view):`
			`return request.user.is_authenticated or view.action != "create"`

✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`abilities = obj.get_abilities(request.user)`
✨(documents) allow retrieving versions (list and detail) Versions are retrieved directly from object storage and served on API endpoints. We make sure a user who is given access to a document will only see versions that were created after s.he gained access. 2024-04-08 23:37:15 +02:00			`action = view.action`
			`try:`
			`action = ACTION_FOR_METHOD_TO_PERMISSION[view.action][request.method]`
			`except KeyError:`
			`pass`
			`return abilities.get(action, False)`
✨(backend) add soft delete to documents and refactor db queryset Now that we have introduced a document tree structure, it is not possible to allow deleting documents anymore as it impacts the whole subtree below the deleted document and the consequences are too big. We introduce soft delete in order to give a second thought to the document's owner (who is the only one to be allowed to delete a document). After a document is soft deleted, the owner can still see it in the trashbin (/api/v1.0/documents/trashbin). After a grace period (30 days be default) the document disappears from the trashbin and can't be restored anymore. Note that even then it is still kept in database. Cleaning the database to erase deleted documents after the grace period can be done as a maintenance script. 2025-01-02 17:20:09 +01:00

			`class DocumentAccessPermission(AccessPermission):`
			`"""Subclass to handle soft deletion specificities."""`

			`def has_object_permission(self, request, view, obj):`
			`"""`
			`Return a 404 on deleted documents`
			`- for which the trashbin cutoff is past`
			`- for which the current user is not owner of the document or one of its ancestors`
			`"""`
			`if (`
			`deleted_at := obj.ancestors_deleted_at`
			`) and deleted_at < get_trashbin_cutoff():`
			`raise Http404`

			`# Compute permission first to ensure the "user_roles" attribute is set`
			`has_permission = super().has_object_permission(request, view, obj)`

			`if obj.ancestors_deleted_at and not RoleChoices.OWNER in obj.user_roles:`
			`raise Http404`

			`return has_permission`