src/backend/core/api/permissions.py

"""Permission handlers for the People core app."""
from django.core import exceptions

from rest_framework import permissions


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) if request.auth else request.user.is_authenticated


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsOwnedOrPublic(IsAuthenticated):
    """
    Allows access to authenticated users only for objects that are owned or not related to any user via*
    the "owner" field.
    """

    def has_object_permission(self, request, view, obj):
        """Unsafe permissions are only allowed for the owner of the object."""
        if obj.owner == request.user:
            return True

        if request.method in permissions.SAFE_METHODS and obj.owner is None:
            return True

        try:
            return obj.user == request.user
        except exceptions.ObjectDoesNotExist:
            return False


class AccessPermission(IsAuthenticated):
    """Permission class for access objects."""

    def has_object_permission(self, request, view, obj):
        """Check permission for a given object."""
        abilities = obj.get_abilities(request.user)
        return abilities.get(request.method.lower(), False)
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""Permission handlers for the People core app."""`
			`from django.core import exceptions`

			`from rest_framework import permissions`


			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
			`return bool(request.auth) if request.auth else request.user.is_authenticated`


			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


			`class IsOwnedOrPublic(IsAuthenticated):`
			`"""`
			`Allows access to authenticated users only for objects that are owned or not related to any user via*`
			`the "owner" field.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Unsafe permissions are only allowed for the owner of the object."""`
			`if obj.owner == request.user:`
			`return True`

			`if request.method in permissions.SAFE_METHODS and obj.owner is None:`
			`return True`

			`try:`
			`return obj.user == request.user`
			`except exceptions.ObjectDoesNotExist:`
			`return False`


			`class AccessPermission(IsAuthenticated):`
			`"""Permission class for access objects."""`

			`def has_object_permission(self, request, view, obj):`
			`"""Check permission for a given object."""`
			`abilities = obj.get_abilities(request.user)`
			`return abilities.get(request.method.lower(), False)`