src/backend/core/api/permissions.py

"""Permission handlers for the Meet core app."""

from rest_framework import permissions

from ..models import RoleChoices

ACTION_FOR_METHOD_TO_PERMISSION = {
    "versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}
}


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsAuthenticatedOrSafe(IsAuthenticated):
    """Allows access to authenticated users (or anonymous users but only on safe methods)."""

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return super().has_permission(request, view)


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class RoomPermissions(permissions.BasePermission):
    """
    Permissions applying to the room API endpoint.
    """

    def has_permission(self, request, view):
        """Only allow authenticated users for unsafe methods."""
        if request.method in permissions.SAFE_METHODS:
            return True

        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        """Object permissions are only given to administrators of the room."""

        if request.method in permissions.SAFE_METHODS:
            return True

        user = request.user

        if request.method == "DELETE":
            return obj.is_owner(user)

        return obj.is_administrator(user)


class ResourceAccessPermission(IsAuthenticated):
    """
    Permissions for a room that can only be updated by room administrators.
    """

    def has_object_permission(self, request, view, obj):
        """
        Check that the logged-in user is administrator of the linked room.
        """
        user = request.user
        if request.method == "DELETE" and obj.role == RoleChoices.OWNER:
            return obj.user == user

        return obj.resource.is_administrator(user)


class HasAbilityPermission(IsAuthenticated):
    """Permission class for access objects."""

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        return obj.get_abilities(request.user).get(view.action, False)
🚚(backend) rename Impress to Meet I have updated all references of "Impress" to "Meet". Migrations were manually updated and not regenerated. Never-mind, they all will be squashed before the first release. I have also searched for reference to "Magnify", and replaced them by "Meet". While updating the backend sources, I have also fixed other parts of the project, namely: - Compose file - Github documentation and CI - Makefile commands 2024-07-01 18:10:40 +02:00			`"""Permission handlers for the Meet core app."""`
🚨(backend) fix linter warnings Recent updates of dev/ruff and dev/pylint dependencies led to new linting warnings. Pylint 3.2.0 introduced a new check `possibly-used-before-assignment`, which ensures variables are defined regardless of conditional statements. Some if/else branches were missing defaults. These have been fixed. 2024-07-30 16:48:26 +02:00
✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`from rest_framework import permissions`

✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00			`from ..models import RoleChoices`

✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`ACTION_FOR_METHOD_TO_PERMISSION = {`
			`"versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}`
			`}`


			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
			`return bool(request.auth) or request.user.is_authenticated`


			`class IsAuthenticatedOrSafe(IsAuthenticated):`
			`"""Allows access to authenticated users (or anonymous users but only on safe methods)."""`

			`def has_permission(self, request, view):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return super().has_permission(request, view)`


			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`
✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00

			`class RoomPermissions(permissions.BasePermission):`
			`"""`
			`Permissions applying to the room API endpoint.`
			`"""`

			`def has_permission(self, request, view):`
			`"""Only allow authenticated users for unsafe methods."""`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`

			`return request.user.is_authenticated`

			`def has_object_permission(self, request, view, obj):`
			`"""Object permissions are only given to administrators of the room."""`

			`if request.method in permissions.SAFE_METHODS:`
			`return True`

			`user = request.user`

			`if request.method == "DELETE":`
			`return obj.is_owner(user)`

			`return obj.is_administrator(user)`


✨(backend) add minimal Recording viewset for room recordings Implements routes to manage recordings within rooms, following the patterns established in Impress. The viewset exposes targeted endpoints rather than full CRUD operations, with recordings being created (soon) through room-specific routes (e.g. room/123/start-recording). The implementation draws from @sampaccoud's initial work and advices. Review focus areas: - Permission implementation choices - Serializer design and structure Credit: Initial work by @sampaccoud 2024-11-06 17:00:23 +01:00			`class ResourceAccessPermission(IsAuthenticated):`
✨(project) add CRUD API endpoints for Rooms and ResourceAccess models Introduce CRUD API endpoints for the Rooms and ResourceAccess models. The code follows the Magnify logic, with the exception that token generation has been removed and replaced by a TODO item with a mocked value. Proper integration of LiveKit will be added in future commits. With the removal of group logic, some complex query sets can be simplified. Previously, we checked for both direct and indirect access to a room. Indirect access meant a room was shared with a group, and the user was a member of that group. I haven’t simplified those query set, as I preferred isolate changes in dedicated commits. Additionally, all previous tests are still passing, although tests related to groups have been removed. 2024-06-25 00:21:36 +02:00			`"""`
			`Permissions for a room that can only be updated by room administrators.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""`
			`Check that the logged-in user is administrator of the linked room.`
			`"""`
			`user = request.user`
			`if request.method == "DELETE" and obj.role == RoleChoices.OWNER:`
			`return obj.user == user`

			`return obj.resource.is_administrator(user)`
✨(backend) add minimal Recording viewset for room recordings Implements routes to manage recordings within rooms, following the patterns established in Impress. The viewset exposes targeted endpoints rather than full CRUD operations, with recordings being created (soon) through room-specific routes (e.g. room/123/start-recording). The implementation draws from @sampaccoud's initial work and advices. Review focus areas: - Permission implementation choices - Serializer design and structure Credit: Initial work by @sampaccoud 2024-11-06 17:00:23 +01:00

			`class HasAbilityPermission(IsAuthenticated):`
			`"""Permission class for access objects."""`

			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`return obj.get_abilities(request.user).get(view.action, False)`