nk20/apps/permission/permissions.py

# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

from rest_framework.permissions import DjangoObjectPermissions

from .backends import PermissionBackend

SAFE_METHODS = ('HEAD', 'OPTIONS', )


class StrongDjangoObjectPermissions(DjangoObjectPermissions):
    """
    Default DjangoObjectPermissions grant view permission to all.
    This is a simple patch of this class that controls view access.
    """

    # The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': [],      # ['%(app_label)s.change_%(model_name)s'],
        'PATCH': [],    # ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def get_required_object_permissions(self, method, model_cls):
        kwargs = {
            'app_label': model_cls._meta.app_label,
            'model_name': model_cls._meta.model_name
        }

        if method not in self.perms_map:
            from rest_framework import exceptions
            raise exceptions.MethodNotAllowed(method)

        return [perm % kwargs for perm in self.perms_map[method]]

    def has_object_permission(self, request, view, obj):
        # authentication checks have already executed via has_permission
        queryset = self._queryset(view)
        model_cls = queryset.model
        user = request.user

        perms = self.get_required_object_permissions(request.method, model_cls)
        # if not user.has_perms(perms, obj):
        if not all(PermissionBackend.check_perm(request, perm, obj) for perm in perms):
            # If the user does not have permissions we need to determine if
            # they have read permissions to see 403, or not, and simply see
            # a 404 response.
            from django.http import Http404

            if request.method in SAFE_METHODS:
                # Read permissions already checked and failed, no need
                # to make another lookup.
                raise Http404

            read_perms = self.get_required_object_permissions('GET', model_cls)
            if not user.has_perms(read_perms, obj):
                raise Http404

            # Has read permissions.
            return False

        return True
Update 131 files - /apps/activity/api/serializers.py - /apps/activity/api/urls.py - /apps/activity/api/views.py - /apps/activity/tests/test_activities.py - /apps/activity/__init__.py - /apps/activity/admin.py - /apps/activity/apps.py - /apps/activity/forms.py - /apps/activity/tables.py - /apps/activity/urls.py - /apps/activity/views.py - /apps/api/__init__.py - /apps/api/apps.py - /apps/api/serializers.py - /apps/api/tests.py - /apps/api/urls.py - /apps/api/views.py - /apps/api/viewsets.py - /apps/logs/signals.py - /apps/logs/apps.py - /apps/logs/__init__.py - /apps/logs/api/serializers.py - /apps/logs/api/urls.py - /apps/logs/api/views.py - /apps/member/api/serializers.py - /apps/member/api/urls.py - /apps/member/api/views.py - /apps/member/templatetags/memberinfo.py - /apps/member/__init__.py - /apps/member/admin.py - /apps/member/apps.py - /apps/member/auth.py - /apps/member/forms.py - /apps/member/hashers.py - /apps/member/signals.py - /apps/member/tables.py - /apps/member/urls.py - /apps/member/views.py - /apps/note/api/serializers.py - /apps/note/api/urls.py - /apps/note/api/views.py - /apps/note/models/__init__.py - /apps/note/static/note/js/consos.js - /apps/note/templates/note/mails/negative_balance.txt - /apps/note/templatetags/getenv.py - /apps/note/templatetags/pretty_money.py - /apps/note/tests/test_transactions.py - /apps/note/__init__.py - /apps/note/admin.py - /apps/note/apps.py - /apps/note/forms.py - /apps/note/signals.py - /apps/note/tables.py - /apps/note/urls.py - /apps/note/views.py - /apps/permission/api/serializers.py - /apps/permission/api/urls.py - /apps/permission/api/views.py - /apps/permission/templatetags/perms.py - /apps/permission/tests/test_oauth2.py - /apps/permission/tests/test_permission_denied.py - /apps/permission/tests/test_permission_queries.py - /apps/permission/tests/test_rights_page.py - /apps/permission/__init__.py - /apps/permission/admin.py - /apps/permission/backends.py - /apps/permission/apps.py - /apps/permission/decorators.py - /apps/permission/permissions.py - /apps/permission/scopes.py - /apps/permission/signals.py - /apps/permission/tables.py - /apps/permission/urls.py - /apps/permission/views.py - /apps/registration/tests/test_registration.py - /apps/registration/__init__.py - /apps/registration/apps.py - /apps/registration/forms.py - /apps/registration/tables.py - /apps/registration/tokens.py - /apps/registration/urls.py - /apps/registration/views.py - /apps/treasury/api/serializers.py - /apps/treasury/api/urls.py - /apps/treasury/api/views.py - /apps/treasury/templatetags/escape_tex.py - /apps/treasury/tests/test_treasury.py - /apps/treasury/__init__.py - /apps/treasury/admin.py - /apps/treasury/apps.py - /apps/treasury/forms.py - /apps/treasury/signals.py - /apps/treasury/tables.py - /apps/treasury/urls.py - /apps/treasury/views.py - /apps/wei/api/serializers.py - /apps/wei/api/urls.py - /apps/wei/api/views.py - /apps/wei/forms/surveys/__init__.py - /apps/wei/forms/surveys/base.py - /apps/wei/forms/surveys/wei2021.py - /apps/wei/forms/surveys/wei2022.py - /apps/wei/forms/surveys/wei2023.py - /apps/wei/forms/__init__.py - /apps/wei/forms/registration.py - /apps/wei/management/commands/export_wei_registrations.py - /apps/wei/management/commands/import_scores.py - /apps/wei/management/commands/wei_algorithm.py - /apps/wei/templates/wei/weilist_sample.tex - /apps/wei/tests/test_wei_algorithm_2021.py - /apps/wei/tests/test_wei_algorithm_2022.py - /apps/wei/tests/test_wei_algorithm_2023.py - /apps/wei/tests/test_wei_registration.py - /apps/wei/__init__.py - /apps/wei/admin.py - /apps/wei/apps.py - /apps/wei/tables.py - /apps/wei/urls.py - /apps/wei/views.py - /note_kfet/settings/__init__.py - /note_kfet/settings/base.py - /note_kfet/settings/development.py - /note_kfet/settings/secrets_example.py - /note_kfet/static/js/base.js - /note_kfet/admin.py - /note_kfet/inputs.py - /note_kfet/middlewares.py - /note_kfet/urls.py - /note_kfet/views.py - /note_kfet/wsgi.py - /entrypoint.sh 2024-02-07 01:26:49 +00:00			`# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`from rest_framework.permissions import DjangoObjectPermissions`
Fix CI (no idea of why this error happened) 2020-03-24 23:39:40 +00:00
error fixes 2020-03-24 21:13:15 +00:00			`from .backends import PermissionBackend`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00
			`SAFE_METHODS = ('HEAD', 'OPTIONS', )`


			`class StrongDjangoObjectPermissions(DjangoObjectPermissions):`
Comment code 2020-03-20 14:58:14 +00:00			`"""`
			`Default DjangoObjectPermissions grant view permission to all.`
			`This is a simple patch of this class that controls view access.`
			`"""`

Users can see every API page since querysets are filtered and modifications are protected 2020-09-09 20:27:07 +00:00			`# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`perms_map = {`
Authenticate correctly users that connect with an authorization token 2020-09-10 07:31:27 +00:00			`'GET': ['%(app_label)s.view_%(model_name)s'],`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`'OPTIONS': [],`
			`'HEAD': [],`
			`'POST': ['%(app_label)s.add_%(model_name)s'],`
Treasurers can of course click on buttons. Fix PATCH requests on the API 2020-07-29 10:25:53 +00:00			`'PUT': [], # ['%(app_label)s.change_%(model_name)s'],`
			`'PATCH': [], # ['%(app_label)s.change_%(model_name)s'],`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`'DELETE': ['%(app_label)s.delete_%(model_name)s'],`
			`}`

			`def get_required_object_permissions(self, method, model_cls):`
			`kwargs = {`
			`'app_label': model_cls._meta.app_label,`
			`'model_name': model_cls._meta.model_name`
			`}`

			`if method not in self.perms_map:`
			`from rest_framework import exceptions`
			`raise exceptions.MethodNotAllowed(method)`

			`return [perm % kwargs for perm in self.perms_map[method]]`

			`def has_object_permission(self, request, view, obj):`
			`# authentication checks have already executed via has_permission`
			`queryset = self._queryset(view)`
			`model_cls = queryset.model`
			`user = request.user`

			`perms = self.get_required_object_permissions(request.method, model_cls)`
check permission with PermissionBackend. taking connection permission mask into account. 2020-03-24 19:16:56 +00:00			`# if not user.has_perms(perms, obj):`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`if not all(PermissionBackend.check_perm(request, perm, obj) for perm in perms):`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`# If the user does not have permissions we need to determine if`
			`# they have read permissions to see 403, or not, and simply see`
			`# a 404 response.`
			`from django.http import Http404`

			`if request.method in SAFE_METHODS:`
			`# Read permissions already checked and failed, no need`
			`# to make another lookup.`
			`raise Http404`

			`read_perms = self.get_required_object_permissions('GET', model_cls)`
			`if not user.has_perms(read_perms, obj):`
			`raise Http404`

			`# Has read permissions.`
			`return False`

			`return True`