src/backend/core/api/permissions.py

"""Permission handlers for the calendars core app."""

import logging

from rest_framework import permissions

from core.entitlements import EntitlementsUnavailableError, get_user_entitlements

logger = logging.getLogger(__name__)


class IsAuthenticated(permissions.BasePermission):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_permission(self, request, view):
        return bool(request.auth) or request.user.is_authenticated


class IsSelf(IsAuthenticated):
    """
    Allows access only to authenticated users. Alternative method checking the presence
    of the auth token to avoid hitting the database.
    """

    def has_object_permission(self, request, view, obj):
        """Write permissions are only allowed to the user itself."""
        return obj == request.user


class IsEntitledToAccess(IsAuthenticated):
    """Allows access only to users with can_access entitlement.

    Fail-closed: denies access when the entitlements service is
    unavailable and no cached value exists.
    """

    def has_permission(self, request, view):
        if not super().has_permission(request, view):
            return False
        try:
            entitlements = get_user_entitlements(request.user.sub, request.user.email)
            return entitlements.get("can_access", False)
        except EntitlementsUnavailableError:
            logger.warning(
                "Entitlements unavailable, denying access for user %s",
                request.user.pk,
            )
            return False


class IsOrgAdmin(IsAuthenticated):
    """Allows access only to users with can_admin entitlement.

    Fail-closed: denies access when the entitlements service is
    unavailable and no cached value exists.
    """

    def has_permission(self, request, view):
        if not super().has_permission(request, view):
            return False
        try:
            entitlements = get_user_entitlements(request.user.sub, request.user.email)
            return entitlements.get("can_admin", False)
        except EntitlementsUnavailableError:
            logger.warning(
                "Entitlements unavailable, denying admin for user %s",
                request.user.pk,
            )
            return False
🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00			`"""Permission handlers for the calendars core app."""`

✨(entitlements) add Entitlements backend with Deploy Center support (#31) This checks if the user has access to the app and can create calendars. 2026-03-06 02:47:03 +01:00			`import logging`

🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00			`from rest_framework import permissions`

✨(entitlements) add Entitlements backend with Deploy Center support (#31) This checks if the user has access to the app and can create calendars. 2026-03-06 02:47:03 +01:00			`from core.entitlements import EntitlementsUnavailableError, get_user_entitlements`

			`logger = logging.getLogger(__name__)`

🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00
			`class IsAuthenticated(permissions.BasePermission):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_permission(self, request, view):`
			`return bool(request.auth) or request.user.is_authenticated`


			`class IsSelf(IsAuthenticated):`
			`"""`
			`Allows access only to authenticated users. Alternative method checking the presence`
			`of the auth token to avoid hitting the database.`
			`"""`

			`def has_object_permission(self, request, view, obj):`
			`"""Write permissions are only allowed to the user itself."""`
			`return obj == request.user`


✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`class IsEntitledToAccess(IsAuthenticated):`
✨(entitlements) add Entitlements backend with Deploy Center support (#31) This checks if the user has access to the app and can create calendars. 2026-03-06 02:47:03 +01:00			`"""Allows access only to users with can_access entitlement.`

			`Fail-closed: denies access when the entitlements service is`
			`unavailable and no cached value exists.`
			`"""`

			`def has_permission(self, request, view):`
			`if not super().has_permission(request, view):`
			`return False`
			`try:`
			`entitlements = get_user_entitlements(request.user.sub, request.user.email)`
✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`return entitlements.get("can_access", False)`
✨(entitlements) add Entitlements backend with Deploy Center support (#31) This checks if the user has access to the app and can create calendars. 2026-03-06 02:47:03 +01:00			`except EntitlementsUnavailableError:`
✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`logger.warning(`
			`"Entitlements unavailable, denying access for user %s",`
			`request.user.pk,`
			`)`
✨(entitlements) add Entitlements backend with Deploy Center support (#31) This checks if the user has access to the app and can create calendars. 2026-03-06 02:47:03 +01:00			`return False`


✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`class IsOrgAdmin(IsAuthenticated):`
			`"""Allows access only to users with can_admin entitlement.`
🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00
✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`Fail-closed: denies access when the entitlements service is`
			`unavailable and no cached value exists.`
			`"""`
🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00
✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`def has_permission(self, request, view):`
			`if not super().has_permission(request, view):`
			`return False`
🎉(all) bootstrap the Calendars project This repository was forked from Drive in late December 2025 and boostraped as a minimal demo of backend+caldav server+frontend integration. There is much left to do and to fix! 2026-01-09 00:51:25 +01:00			`try:`
✨(all) add organizations, resources, channels, and infra migration (#34) Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV. 2026-03-09 09:09:34 +01:00			`entitlements = get_user_entitlements(request.user.sub, request.user.email)`
			`return entitlements.get("can_admin", False)`
			`except EntitlementsUnavailableError:`
			`logger.warning(`
			`"Entitlements unavailable, denying admin for user %s",`
			`request.user.pk,`
			`)`
			`return False`