From 0be63ad58e200e7f760dbffc068038d7cd414ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Kervella?= Date: Fri, 20 Apr 2018 23:24:10 +0000 Subject: [PATCH] Use the use_api permission to access API --- api/acl.py | 45 +++++++++++++++++++++++++++++++++++++++++++++ api/permissions.py | 24 +++++++++++++++--------- 2 files changed, 60 insertions(+), 9 deletions(-) create mode 100644 api/acl.py diff --git a/api/acl.py b/api/acl.py new file mode 100644 index 00000000..da0c9a29 --- /dev/null +++ b/api/acl.py @@ -0,0 +1,45 @@ +# -*- mode: python; coding: utf-8 -*- +# Re2o est un logiciel d'administration développé initiallement au rezometz. Il +# se veut agnostique au réseau considéré, de manière à être installable en +# quelques clics. +# +# Copyright © 2018 Maël Kervella +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +"""api.acl + +Here are defined some functions to check acl on the application. +""" + +from django.conf import settings + + +def can_view(user): + """Check if an user can view the application. + + Args: + user: The user who wants to view the application. + + Returns: + A couple (allowed, msg) where allowed is a boolean which is True if + viewing is granted and msg is a message (can be None). + """ + kwargs = { + 'app_label': settings.API_CONTENT_TYPE_APP_LABEL, + 'codename': settings.API_PERMISSION_CODENAME + } + can = user.has_perm('%(app_label)s.%(codename)s' % kwargs) + return can, None if can else "Vous ne pouvez pas voir cette application." diff --git a/api/permissions.py b/api/permissions.py index 6ede9491..a1d79b21 100644 --- a/api/permissions.py +++ b/api/permissions.py @@ -1,28 +1,34 @@ from rest_framework import permissions from re2o.acl import can_create, can_edit, can_delete, can_view_all +from . import acl + +def can_see_api(_): + return lambda user: acl.can_view(user) + + class DefaultACLPermission(permissions.BasePermission): """ Permission subclass in charge of checking the ACL to determine if a user can access the models """ perms_map = { - 'GET': [lambda model: model.can_view_all], - 'OPTIONS': [lambda model: model.can_view_all], - 'HEAD': [lambda model: model.can_view_all], - 'POST': [lambda model: model.can_create], + 'GET': [can_see_api, lambda model: model.can_view_all], + 'OPTIONS': [can_see_api, lambda model: model.can_view_all], + 'HEAD': [can_see_api, lambda model: model.can_view_all], + 'POST': [can_see_api, lambda model: model.can_create], #'PUT': [], #'PATCH': [], #'DELETE': [], } perms_obj_map = { - 'GET': [lambda obj: obj.can_view], - 'OPTIONS': [lambda obj: obj.can_view], - 'HEAD': [lambda obj: obj.can_view], + 'GET': [can_see_api, lambda obj: obj.can_view], + 'OPTIONS': [can_see_api, lambda obj: obj.can_view], + 'HEAD': [can_see_api, lambda obj: obj.can_view], #'POST': [], - 'PUT': [lambda obj: obj.can_edit], + 'PUT': [can_see_api, lambda obj: obj.can_edit], #'PATCH': [], - 'DELETE': [lambda obj: obj.can_delete], + 'DELETE': [can_see_api, lambda obj: obj.can_delete], } def get_required_permissions(self, method, model):