# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later
from django.core.exceptions import PermissionDenied
from note_kfet.middlewares import get_current_authenticated_user
from permission.backends import PermissionBackend
# Models that are never run through the permission backend by the
# pre-save / pre-delete hooks in this module.  Listing a model here
# switches authorization OFF for every write to it, so keep the list to
# infrastructure tables only.
EXCLUDED = [
    # CAS server internals (tickets, user cache)
    "cas_server.proxygrantingticket",
    "cas_server.proxyticket",
    "cas_server.serviceticket",
    "cas_server.user",
    "cas_server.userattributes",
    # Django bookkeeping tables
    "contenttypes.contenttype",
    "migrations.migration",
    "sessions.session",
    # Change log written by the logging app itself
    "logs.changelog",
]
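def pre_save_object(sender, instance, **kwargs):
    """
    Enforce the permission backend before a model instance is saved.

    Written as a ``pre_save`` signal receiver (the connection itself lives
    elsewhere).  The check is skipped for the infrastructure models listed
    in ``EXCLUDED``, for instances carrying a ``_force_save`` attribute and
    when no authenticated user is attached to the current request.

    For a row that already exists in the database the user needs either the
    model-wide ``<app>.change_<model>`` permission on the instance, or the
    per-field ``<app>.change_<model>_<field>`` permission for every concrete
    field whose value actually changed.  For a new row the user needs
    ``<app>.add_<model>``.

    :param sender: model class that is about to be saved
    :param instance: the (not yet saved) instance carrying the new values
    :param kwargs: remaining signal keyword arguments, unused here
    :raises PermissionDenied: if the current user lacks the required permission
    """
    # noinspection PyProtectedMember
    opts = instance._meta
    if opts.label_lower in EXCLUDED:
        return

    # Trust boundary: only the *presence* of ``_force_save`` is tested, so any
    # code that sets the attribute (whatever its value) bypasses the check.
    if hasattr(instance, "_force_save"):
        return

    user = get_current_authenticated_user()
    if user is None:
        # No request-bound user: shell, management command or background job.
        # Such actions are always granted.
        # NOTE(review): confirm the middleware never yields None for a live
        # anonymous request, otherwise that request would be granted as well.
        return

    # ``label_lower`` is ``"<app_label>.<model_name>"``; read the two parts
    # straight from the options instead of re-splitting the string.
    app_label = opts.app_label
    model_name = opts.model_name

    # Look the stored row up through the base manager rather than
    # ``sender.objects``: a filtered default manager would hide an existing
    # row and let the save fall through to the weaker "add" check.  A single
    # ``first()`` replaces the former ``exists()`` + ``get()`` query pair.
    previous = sender._base_manager.filter(pk=instance.pk).first()

    if previous is None:
        # New row: the user must be allowed to add this model.
        if not PermissionBackend.check_perm(user, "%s.add_%s" % (app_label, model_name), instance):
            raise PermissionDenied
        return

    # Existing row: a model-wide change permission is sufficient ...
    if PermissionBackend.check_perm(user, "%s.change_%s" % (app_label, model_name), instance):
        return

    # ... otherwise every modified field needs its own permission.
    # Only ``_meta.fields`` (concrete, non-many-to-many fields) are compared;
    # many-to-many relations are not covered by this hook.
    for field in opts.fields:
        # Compare through ``attname`` so a foreign key is compared by its raw
        # id rather than by fetching both related objects (one query per FK
        # per save, and a crash when the referenced row no longer exists).
        if getattr(previous, field.attname) == getattr(instance, field.attname):
            # Unchanged field: nothing to authorise.
            continue
        codename = "%s.change_%s_%s" % (app_label, model_name, field.name)
        if not PermissionBackend.check_perm(user, codename, instance):
            raise PermissionDenied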
def pre_delete_object(instance, **kwargs):
    """
    Enforce the permission backend before a model instance is deleted.

    Written as a ``pre_delete`` signal receiver (the connection itself lives
    elsewhere).  The check is skipped for the infrastructure models listed
    in ``EXCLUDED``, for instances carrying a ``_force_delete`` attribute and
    when no authenticated user is attached to the current request.  Any
    other deletion requires ``<app>.delete_<model>`` on the instance.

    :param instance: the instance about to be deleted
    :param kwargs: remaining signal keyword arguments, unused here
    :raises PermissionDenied: if the current user lacks the delete permission
    """
    # noinspection PyProtectedMember
    label = instance._meta.label_lower
    if label in EXCLUDED:
        return

    # Trust boundary: only the *presence* of ``_force_delete`` is tested, so
    # any code that sets the attribute (whatever its value) bypasses the check.
    if hasattr(instance, "_force_delete"):
        return

    current_user = get_current_authenticated_user()
    if current_user is None:
        # No request-bound user (shell, management command, background job):
        # the deletion is always granted.
        return

    # ``label_lower`` is ``"<app_label>.<model_name>"``.
    parts = label.split(".")
    app_label, model_name = parts[0], parts[1]
    codename = app_label + ".delete_" + model_name

    if PermissionBackend.check_perm(current_user, codename, instance):
        return
    raise PermissionDenied