src/backend/core/api/permissions.py

"""Permission handlers for the impress core app."""
from django.core import exceptions

from rest_framework import permissions


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsAuthenticatedOrSafe(IsAuthenticated):
    """Allows access to authenticated users (or anonymous users but only on safe methods)."""

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return super().has_permission(request, view)


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsOwnedOrPublic(IsAuthenticated):
    """
    Allows access to authenticated users only for objects that are owned or not related
    to any user via the "owner" field.
    """

    def has_object_permission(self, request, view, obj):
        """Unsafe permissions are only allowed for the owner of the object."""
        if obj.owner == request.user:
            return True

        if request.method in permissions.SAFE_METHODS and obj.owner is None:
            return True

        try:
            return obj.user == request.user
        except exceptions.ObjectDoesNotExist:
            return False


class AccessPermission(permissions.BasePermission):
    """Permission class for access objects."""

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        abilities = obj.get_abilities(request.user)
        return abilities.get(view.action, False)
♻️(project) rename project from "publish" to "impress" The repository was renamed to "impress" but the code was still mentionning "publish". 2024-03-07 19:46:46 +01:00			`"""Permission handlers for the impress core app."""`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`from django.core import exceptions`

			`from rest_framework import permissions`


			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`return bool(request.auth) or request.user.is_authenticated`


			`class IsAuthenticatedOrSafe(IsAuthenticated):`
			`"""Allows access to authenticated users (or anonymous users but only on safe methods)."""`

			`def has_permission(self, request, view):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return super().has_permission(request, view)`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00

			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


			`class IsOwnedOrPublic(IsAuthenticated):`
			`"""`
			`Allows access to authenticated users only for objects that are owned or not related`
			`to any user via the "owner" field.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Unsafe permissions are only allowed for the owner of the object."""`
			`if obj.owner == request.user:`
			`return True`

			`if request.method in permissions.SAFE_METHODS and obj.owner is None:`
			`return True`

			`try:`
			`return obj.user == request.user`
			`except exceptions.ObjectDoesNotExist:`
			`return False`


♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`class AccessPermission(permissions.BasePermission):`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`"""Permission class for access objects."""`

			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`abilities = obj.get_abilities(request.user)`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`return abilities.get(view.action, False)`