nk20/apps/permission/signals.py

# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

from django.core.exceptions import PermissionDenied
from django.utils.translation import gettext_lazy as _
from note_kfet.middlewares import get_current_authenticated_user
from permission.backends import PermissionBackend


EXCLUDED = [
    'cas_server.proxygrantingticket',
    'cas_server.proxyticket',
    'cas_server.serviceticket',
    'cas_server.user',
    'cas_server.userattributes',
    'contenttypes.contenttype',
    'logs.changelog',
    'migrations.migration',
    'sessions.session',
]


def pre_save_object(sender, instance, **kwargs):
    """
    Before a model get saved, we check the permissions
    """
    # noinspection PyProtectedMember
    if instance._meta.label_lower in EXCLUDED:
        return

    if hasattr(instance, "_force_save") or hasattr(instance, "_no_signal"):
        return

    user = get_current_authenticated_user()
    if user is None:
        # Action performed on shell is always granted
        return

    qs = sender.objects.filter(pk=instance.pk).all()
    model_name_full = instance._meta.label_lower.split(".")
    app_label = model_name_full[0]
    model_name = model_name_full[1]

    if qs.exists():
        # We check if the user can change the model

        # If the user has all right on a model, then OK
        if PermissionBackend.check_perm(user, app_label + ".change_" + model_name, instance):
            return

        # In the other case, we check if he/she has the right to change one field
        previous = qs.get()

        for field in instance._meta.fields:
            field_name = field.name
            old_value = getattr(previous, field.name)
            new_value = getattr(instance, field.name)
            # If the field wasn't modified, no need to check the permissions
            if old_value == new_value:
                continue
            if not PermissionBackend.check_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):
                raise PermissionDenied(
                    _("You don't have the permission to change the field {field} on this instance of model"
                      " {app_label}.{model_name}.")
                    .format(field=field_name, app_label=app_label, model_name=model_name, )
                )
    else:
        # We check if the user has right to add the object
        has_perm = PermissionBackend.check_perm(user, app_label + ".add_" + model_name, instance)

        if not has_perm:
            raise PermissionDenied(
                _("You don't have the permission to add an instance of model {app_label}.{model_name}.")
                .format(app_label=app_label, model_name=model_name, ))


def pre_delete_object(instance, **kwargs):
    """
    Before a model get deleted, we check the permissions
    """
    # noinspection PyProtectedMember
    if instance._meta.label_lower in EXCLUDED:
        return

    if hasattr(instance, "_force_delete") or hasattr(instance, "pk") and instance.pk == 0 \
            or hasattr(instance, "_no_signal"):
        # Don't check permissions on force-deleted objects
        return

    user = get_current_authenticated_user()
    if user is None:
        # Action performed on shell is always granted
        return

    model_name_full = instance._meta.label_lower.split(".")
    app_label = model_name_full[0]
    model_name = model_name_full[1]

    # We check if the user has rights to delete the object
    if not PermissionBackend.check_perm(user, app_label + ".delete_" + model_name, instance):
        raise PermissionDenied(
            _("You don't have the permission to delete this instance of model {app_label}.{model_name}.")
            .format(app_label=app_label, model_name=model_name))
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
Fix linters 2020-07-30 13:53:23 +00:00
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`from django.core.exceptions import PermissionDenied`
Custom error pages 2020-04-25 17:29:18 +00:00			`from django.utils.translation import gettext_lazy as _`
Implements permission masks 2020-03-19 15:12:52 +00:00			`from note_kfet.middlewares import get_current_authenticated_user`
Fix CI 2020-03-22 13:57:51 +00:00			`from permission.backends import PermissionBackend`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00

			`EXCLUDED = [`
			`'cas_server.proxygrantingticket',`
			`'cas_server.proxyticket',`
			`'cas_server.serviceticket',`
			`'cas_server.user',`
			`'cas_server.userattributes',`
			`'contenttypes.contenttype',`
			`'logs.changelog',`
			`'migrations.migration',`
			`'sessions.session',`
			`]`


			`def pre_save_object(sender, instance, **kwargs):`
			`"""`
			`Before a model get saved, we check the permissions`
			`"""`
			`# noinspection PyProtectedMember`
			`if instance._meta.label_lower in EXCLUDED:`
			`return`

Don't trigger signals when we add an object through a permission check 2020-09-07 12:52:37 +00:00			`if hasattr(instance, "_force_save") or hasattr(instance, "_no_signal"):`
Full membership support 2020-04-01 01:42:19 +00:00			`return`

Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`user = get_current_authenticated_user()`
			`if user is None:`
			`# Action performed on shell is always granted`
			`return`

			`qs = sender.objects.filter(pk=instance.pk).all()`
			`model_name_full = instance._meta.label_lower.split(".")`
			`app_label = model_name_full[0]`
			`model_name = model_name_full[1]`

			`if qs.exists():`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`# We check if the user can change the model`

			`# If the user has all right on a model, then OK`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`if PermissionBackend.check_perm(user, app_label + ".change_" + model_name, instance):`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`return`

Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`# In the other case, we check if he/she has the right to change one field`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`previous = qs.get()`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`for field in instance._meta.fields:`
			`field_name = field.name`
			`old_value = getattr(previous, field.name)`
			`new_value = getattr(instance, field.name)`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`# If the field wasn't modified, no need to check the permissions`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`if old_value == new_value:`
			`continue`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`if not PermissionBackend.check_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):`
Custom error pages 2020-04-25 17:29:18 +00:00			`raise PermissionDenied(`
			`_("You don't have the permission to change the field {field} on this instance of model"`
			`" {app_label}.{model_name}.")`
			`.format(field=field_name, app_label=app_label, model_name=model_name, )`
			`)`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`else:`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`# We check if the user has right to add the object`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`has_perm = PermissionBackend.check_perm(user, app_label + ".add_" + model_name, instance)`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00
			`if not has_perm:`
Custom error pages 2020-04-25 17:29:18 +00:00			`raise PermissionDenied(`
Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53 2020-08-13 13:20:15 +00:00			`_("You don't have the permission to add an instance of model {app_label}.{model_name}.")`
Custom error pages 2020-04-25 17:29:18 +00:00			`.format(app_label=app_label, model_name=model_name, ))`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00

Full membership support 2020-04-01 01:42:19 +00:00			`def pre_delete_object(instance, **kwargs):`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`"""`
			`Before a model get deleted, we check the permissions`
			`"""`
			`# noinspection PyProtectedMember`
			`if instance._meta.label_lower in EXCLUDED:`
			`return`

Don't trigger signals when we add an object through a permission check 2020-09-07 12:52:37 +00:00			`if hasattr(instance, "_force_delete") or hasattr(instance, "pk") and instance.pk == 0 \`
			`or hasattr(instance, "_no_signal"):`
Force delete some objects 2020-07-30 12:58:18 +00:00			`# Don't check permissions on force-deleted objects`
Full membership support 2020-04-01 01:42:19 +00:00			`return`

Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`user = get_current_authenticated_user()`
			`if user is None:`
			`# Action performed on shell is always granted`
			`return`

			`model_name_full = instance._meta.label_lower.split(".")`
			`app_label = model_name_full[0]`
			`model_name = model_name_full[1]`

Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`# We check if the user has rights to delete the object`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`if not PermissionBackend.check_perm(user, app_label + ".delete_" + model_name, instance):`
Custom error pages 2020-04-25 17:29:18 +00:00			`raise PermissionDenied(`
			`_("You don't have the permission to delete this instance of model {app_label}.{model_name}.")`
			`.format(app_label=app_label, model_name=model_name))`