src/backend/core/api/permissions.py

"""Permission handlers for the Meet core app."""

from django.conf import settings

from rest_framework import permissions

from ..models import RoleChoices

ACTION_FOR_METHOD_TO_PERMISSION = {
    "versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}
}


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsAuthenticatedOrSafe(IsAuthenticated):
    """Allows access to authenticated users (or anonymous users but only on safe methods)."""

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return super().has_permission(request, view)


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class RoomPermissions(permissions.BasePermission):
    """
    Permissions applying to the room API endpoint.
    """

    def has_permission(self, request, view):
        """Only allow authenticated users for unsafe methods."""
        if request.method in permissions.SAFE_METHODS:
            return True

        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        """Object permissions are only given to administrators of the room."""

        if request.method in permissions.SAFE_METHODS:
            return True

        user = request.user

        if request.method == "DELETE":
            return obj.is_owner(user)

        return obj.is_administrator_or_owner(user)


class ResourceAccessPermission(IsAuthenticated):
    """
    Permissions for a room that can only be updated by room administrators.
    """

    def has_object_permission(self, request, view, obj):
        """
        Check that the logged-in user is administrator of the linked room.
        """
        user = request.user
        if request.method == "DELETE" and obj.role == RoleChoices.OWNER:
            return obj.user == user

        return obj.resource.is_administrator_or_owner(user)


class HasAbilityPermission(IsAuthenticated):
    """Permission class for access objects."""

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        return obj.get_abilities(request.user).get(view.action, False)


class HasPrivilegesOnRoom(IsAuthenticated):
    """Check if user has privileges on a given room."""

    message = "You must have privileges on room to perform this action."

    def has_object_permission(self, request, view, obj):
        """Determine if user has privileges on room."""
        return obj.is_administrator_or_owner(request.user)


class IsRecordingEnabled(permissions.BasePermission):
    """Check if the recording feature is enabled."""

    message = "Access denied, recording is disabled."

    def has_permission(self, request, view):
        """Determine if access is allowed based on settings."""
        return settings.RECORDING_ENABLE


class IsStorageEventEnabled(permissions.BasePermission):
    """Check if the storage event feature is enabled."""

    message = "Access denied, storage event is disabled."

    def has_permission(self, request, view):
        """Determine if access is allowed based on settings."""
        return settings.RECORDING_STORAGE_EVENT_ENABLE
🚚(backend) rename Impress to Meet I have updated all references of "Impress" to "Meet". Migrations were manually updated and not regenerated. Never-mind, they all will be squashed before the first release. I have also searched for reference to "Magnify", and replaced them by "Meet". While updating the backend sources, I have also fixed other parts of the project, namely: - Compose file - Github documentation and CI - Makefile commands 2024-07-01 18:10:40 +02:00			`"""Permission handlers for the Meet core app."""`
🚨(backend) fix linter warnings Recent updates of dev/ruff and dev/pylint dependencies led to new linting warnings. Pylint 3.2.0 introduced a new check `possibly-used-before-assignment`, which ensures variables are defined regardless of conditional statements. Some if/else branches were missing defaults. These have been fixed. 2024-07-30 16:48:26 +02:00
✨(backend) add two new endpoints to start and stop a recording The LiveKit egress worker interactions are proxied through the backend for security reasons. Allowing clients to directly use tokens with sufficient grants to start recordings could lead to misuse, enabling users to spam the egress worker API and potentially initiate a DDOS attack on the egress service. To prevent this, only users with room-specific privileges can initiate recordings. We make sure only one recording at the time can be made on a room. The requested recording mode is stored so it can be referenced later when the recording is saved, triggering a callback action as needed. A feature flag was also introduced for this capability; while this is a simple approach, a more robust system for managing feature flags could be valuable long-term. For now, KISS (Keep It Simple, Stupid) applies. The viewset endpoints were designed to be as straightforward as possible— let me know if anything can be improved. 2024-11-08 10:32:50 +01:00			`from django.conf import settings`

✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`from rest_framework import permissions`

✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00			`from ..models import RoleChoices`

✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`ACTION_FOR_METHOD_TO_PERMISSION = {`
			`"versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}`
			`}`


			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
			`return bool(request.auth) or request.user.is_authenticated`


			`class IsAuthenticatedOrSafe(IsAuthenticated):`
			`"""Allows access to authenticated users (or anonymous users but only on safe methods)."""`

			`def has_permission(self, request, view):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return super().has_permission(request, view)`


			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`
✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00

			`class RoomPermissions(permissions.BasePermission):`
			`"""`
			`Permissions applying to the room API endpoint.`
			`"""`

			`def has_permission(self, request, view):`
			`"""Only allow authenticated users for unsafe methods."""`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`

			`return request.user.is_authenticated`

			`def has_object_permission(self, request, view, obj):`
			`"""Object permissions are only given to administrators of the room."""`

			`if request.method in permissions.SAFE_METHODS:`
			`return True`

			`user = request.user`

			`if request.method == "DELETE":`
			`return obj.is_owner(user)`

🔒️(backend) clarify administrator role checking function names Rename vague functions to explicitly indicate administrator permission checks, or owner ones. Prevents developer confusion and potential security misuse per auditor recommendations. 2025-06-23 17:17:02 +02:00			`return obj.is_administrator_or_owner(user)`
✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00

✨(backend) add minimal Recording viewset for room recordings Implements routes to manage recordings within rooms, following the patterns established in Impress. The viewset exposes targeted endpoints rather than full CRUD operations, with recordings being created (soon) through room-specific routes (e.g. room/123/start-recording). The implementation draws from @sampaccoud's initial work and advices. Review focus areas: - Permission implementation choices - Serializer design and structure Credit: Initial work by @sampaccoud 2024-11-06 17:00:23 +01:00			`class ResourceAccessPermission(IsAuthenticated):`
✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00			`"""`
			`Permissions for a room that can only be updated by room administrators.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""`
			`Check that the logged-in user is administrator of the linked room.`
			`"""`
			`user = request.user`
			`if request.method == "DELETE" and obj.role == RoleChoices.OWNER:`
			`return obj.user == user`

🔒️(backend) clarify administrator role checking function names Rename vague functions to explicitly indicate administrator permission checks, or owner ones. Prevents developer confusion and potential security misuse per auditor recommendations. 2025-06-23 17:17:02 +02:00			`return obj.resource.is_administrator_or_owner(user)`
✨(backend) add minimal Recording viewset for room recordings Implements routes to manage recordings within rooms, following the patterns established in Impress. The viewset exposes targeted endpoints rather than full CRUD operations, with recordings being created (soon) through room-specific routes (e.g. room/123/start-recording). The implementation draws from @sampaccoud's initial work and advices. Review focus areas: - Permission implementation choices - Serializer design and structure Credit: Initial work by @sampaccoud 2024-11-06 17:00:23 +01:00

			`class HasAbilityPermission(IsAuthenticated):`
			`"""Permission class for access objects."""`

			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`return obj.get_abilities(request.user).get(view.action, False)`
✨(backend) add two new endpoints to start and stop a recording The LiveKit egress worker interactions are proxied through the backend for security reasons. Allowing clients to directly use tokens with sufficient grants to start recordings could lead to misuse, enabling users to spam the egress worker API and potentially initiate a DDOS attack on the egress service. To prevent this, only users with room-specific privileges can initiate recordings. We make sure only one recording at the time can be made on a room. The requested recording mode is stored so it can be referenced later when the recording is saved, triggering a callback action as needed. A feature flag was also introduced for this capability; while this is a simple approach, a more robust system for managing feature flags could be valuable long-term. For now, KISS (Keep It Simple, Stupid) applies. The viewset endpoints were designed to be as straightforward as possible— let me know if anything can be improved. 2024-11-08 10:32:50 +01:00

			`class HasPrivilegesOnRoom(IsAuthenticated):`
			`"""Check if user has privileges on a given room."""`

🩹(backend) update HasPrivilegesOnRoom permission error message Generalize error message in HasPrivilegesOnRoom permission class to reflect its broader usage beyond just recording contexts. Improves clarity when this permission check fails in various application scenarios. 2025-04-16 10:10:07 +02:00			`message = "You must have privileges on room to perform this action."`
✨(backend) add two new endpoints to start and stop a recording The LiveKit egress worker interactions are proxied through the backend for security reasons. Allowing clients to directly use tokens with sufficient grants to start recordings could lead to misuse, enabling users to spam the egress worker API and potentially initiate a DDOS attack on the egress service. To prevent this, only users with room-specific privileges can initiate recordings. We make sure only one recording at the time can be made on a room. The requested recording mode is stored so it can be referenced later when the recording is saved, triggering a callback action as needed. A feature flag was also introduced for this capability; while this is a simple approach, a more robust system for managing feature flags could be valuable long-term. For now, KISS (Keep It Simple, Stupid) applies. The viewset endpoints were designed to be as straightforward as possible— let me know if anything can be improved. 2024-11-08 10:32:50 +01:00
			`def has_object_permission(self, request, view, obj):`
			`"""Determine if user has privileges on room."""`
🔒️(backend) clarify administrator role checking function names Rename vague functions to explicitly indicate administrator permission checks, or owner ones. Prevents developer confusion and potential security misuse per auditor recommendations. 2025-06-23 17:17:02 +02:00			`return obj.is_administrator_or_owner(request.user)`
✨(backend) add two new endpoints to start and stop a recording The LiveKit egress worker interactions are proxied through the backend for security reasons. Allowing clients to directly use tokens with sufficient grants to start recordings could lead to misuse, enabling users to spam the egress worker API and potentially initiate a DDOS attack on the egress service. To prevent this, only users with room-specific privileges can initiate recordings. We make sure only one recording at the time can be made on a room. The requested recording mode is stored so it can be referenced later when the recording is saved, triggering a callback action as needed. A feature flag was also introduced for this capability; while this is a simple approach, a more robust system for managing feature flags could be valuable long-term. For now, KISS (Keep It Simple, Stupid) applies. The viewset endpoints were designed to be as straightforward as possible— let me know if anything can be improved. 2024-11-08 10:32:50 +01:00

			`class IsRecordingEnabled(permissions.BasePermission):`
			`"""Check if the recording feature is enabled."""`

			`message = "Access denied, recording is disabled."`

			`def has_permission(self, request, view):`
			`"""Determine if access is allowed based on settings."""`
			`return settings.RECORDING_ENABLE`
✨(backend) offer an endpoint to save recording I've protected this endpoint with a feature flag, and an authentication class, as it will be exposed on the public internet. I've tried to keep the viewset logic as minimal as possible, I've to ship smth and will continue iterating on this piece of code. At some point, abstracting webhook endpoint and authentication class might be beneficial for the project. YAGNI as of today. 2024-11-08 17:01:25 +01:00

			`class IsStorageEventEnabled(permissions.BasePermission):`
			`"""Check if the storage event feature is enabled."""`

			`message = "Access denied, storage event is disabled."`

			`def has_permission(self, request, view):`
			`"""Determine if access is allowed based on settings."""`
			`return settings.RECORDING_STORAGE_EVENT_ENABLE`