You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
94 lines
3.3 KiB
Python
94 lines
3.3 KiB
Python
# Copyright © 2017 Tom Hacohen
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, version 3.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from rest_framework import permissions
|
|
from django_etebase.models import Collection, AccessLevels
|
|
|
|
|
|
def is_collection_admin(collection, user):
|
|
member = collection.members.filter(user=user).first()
|
|
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
|
|
|
|
|
|
class IsCollectionAdmin(permissions.BasePermission):
|
|
"""
|
|
Custom permission to only allow owners of a collection to view it
|
|
"""
|
|
|
|
message = {
|
|
"detail": "Only collection admins can perform this operation.",
|
|
"code": "admin_access_required",
|
|
}
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs["collection_uid"]
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
return is_collection_admin(collection, request.user)
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|
|
|
|
|
|
class IsCollectionAdminOrReadOnly(permissions.BasePermission):
|
|
"""
|
|
Custom permission to only allow owners of a collection to edit it
|
|
"""
|
|
|
|
message = {
|
|
"detail": "Only collection admins can edit collections.",
|
|
"code": "admin_access_required",
|
|
}
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs.get("collection_uid", None)
|
|
|
|
# Allow creating new collections
|
|
if collection_uid is None:
|
|
return True
|
|
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
if request.method in permissions.SAFE_METHODS:
|
|
return True
|
|
|
|
return is_collection_admin(collection, request.user)
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|
|
|
|
|
|
class HasWriteAccessOrReadOnly(permissions.BasePermission):
|
|
"""
|
|
Custom permission to restrict write
|
|
"""
|
|
|
|
message = {
|
|
"detail": "You need write access to write to this collection",
|
|
"code": "no_write_access",
|
|
}
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs["collection_uid"]
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
if request.method in permissions.SAFE_METHODS:
|
|
return True
|
|
else:
|
|
member = collection.members.get(user=request.user)
|
|
return member.accessLevel != AccessLevels.READ_ONLY
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|