src/backend/core/api/permissions.py

"""Permission handlers for the People core app."""

from django.core import exceptions

from rest_framework import permissions


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        """Check auth token first."""
        return bool(request.auth) if request.auth else request.user.is_authenticated


class IsSelf(IsAuthenticated):
    """
    Allows access only to user's own data.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsOwnedOrPublic(IsAuthenticated):
    """
    Allows access to authenticated users only for objects that are owned or not related
    to any user via the "owner" field.
    """

    def has_object_permission(self, request, view, obj):
        """Unsafe permissions are only allowed for the owner of the object."""
        if obj.owner == request.user:
            return True

        if request.method in permissions.SAFE_METHODS and obj.owner is None:
            return True

        try:
            return obj.user == request.user
        except exceptions.ObjectDoesNotExist:
            return False


class AccessPermission(IsAuthenticated):
    """Permission class for access objects."""

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        abilities = obj.get_abilities(request.user)
        return abilities.get(request.method.lower(), False)
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""Permission handlers for the People core app."""`
🚨(backend) follow Ruff 2024.2 style introduced in v0.3.0 We recently updated Ruff from 0.2.2 to v0.3, which introduced Ruff 2024.2 style. This new style updated Ruff formatter's behavior, making our make lint command fails. Ruff 2024.2 style add a blank line after the module docstring. Please take a look at Ruff ChangeLog to get more info. 2024-03-07 10:57:05 +01:00
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`from django.core import exceptions`

			`from rest_framework import permissions`


			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
🚨(linter) add missing docstrings Title says all there is to say… 2024-10-25 14:59:02 +02:00			`"""Check auth token first."""`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`return bool(request.auth) if request.auth else request.user.is_authenticated`


			`class IsSelf(IsAuthenticated):`
			`"""`
🚨(linter) add missing docstrings Title says all there is to say… 2024-10-25 14:59:02 +02:00			`Allows access only to user's own data.`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


			`class IsOwnedOrPublic(IsAuthenticated):`
			`"""`
🚨(pylint) make pylint work and fix issues found Pylint was not installed and wrongly configured. After making it work, we fix all the issues found so it can be added to our CI requirements. 2024-01-05 09:09:20 +01:00			`Allows access to authenticated users only for objects that are owned or not related`
			`to any user via the "owner" field.`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Unsafe permissions are only allowed for the owner of the object."""`
			`if obj.owner == request.user:`
			`return True`

			`if request.method in permissions.SAFE_METHODS and obj.owner is None:`
			`return True`

			`try:`
			`return obj.user == request.user`
			`except exceptions.ObjectDoesNotExist:`
			`return False`


			`class AccessPermission(IsAuthenticated):`
			`"""Permission class for access objects."""`

			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`abilities = obj.get_abilities(request.user)`
			`return abilities.get(request.method.lower(), False)`