Handle permissions (and it seems working!)

2025-06-21 01:48:21 +02:00 · 2020-03-18 14:42:35 +01:00
parent 112d4b6c5a
commit 057f42fdb6
19 changed files with 357 additions and 57 deletions
--- a/apps/member/api/views.py
+++ b/apps/member/api/views.py
@ -1,14 +1,14 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from rest_framework import viewsets
 from rest_framework.filters import SearchFilter

+from api.viewsets import ReadProtectedModelViewSet
 from .serializers import ProfileSerializer, ClubSerializer, RoleSerializer, MembershipSerializer
 from ..models import Profile, Club, Role, Membership


-class ProfileViewSet(viewsets.ModelViewSet):
+class ProfileViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `Profile` objects, serialize it to JSON with the given serializer,
@ -18,7 +18,7 @@ class ProfileViewSet(viewsets.ModelViewSet):
    serializer_class = ProfileSerializer


-class ClubViewSet(viewsets.ModelViewSet):
+class ClubViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `Club` objects, serialize it to JSON with the given serializer,
@ -30,7 +30,7 @@ class ClubViewSet(viewsets.ModelViewSet):
    search_fields = ['$name', ]


-class RoleViewSet(viewsets.ModelViewSet):
+class RoleViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `Role` objects, serialize it to JSON with the given serializer,
@ -42,7 +42,7 @@ class RoleViewSet(viewsets.ModelViewSet):
    search_fields = ['$name', ]


-class MembershipViewSet(viewsets.ModelViewSet):
+class MembershipViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `Membership` objects, serialize it to JSON with the given serializer,
--- a/apps/member/backends.py
+++ b/apps/member/backends.py
@ -1,7 +1,12 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from member.models import Club, Membership, RolePermissions
+from django.contrib.auth.models import User
+from django.core.exceptions import PermissionDenied
+from django.db.models import Q, F
+
+from note.models import Note, NoteUser, NoteClub, NoteSpecial
+from .models import Membership, RolePermissions, Club
 from django.contrib.auth.backends import ModelBackend


@ -14,21 +19,61 @@ class PermissionBackend(ModelBackend):
        for membership in Membership.objects.filter(user=user).all():
            if not membership.valid() or membership.roles is None:
                continue
+
            for role_permissions in RolePermissions.objects.filter(role=membership.roles).all():
                for permission in role_permissions.permissions.all():
-                    permission = permission.about(user=user, club=membership.club)
+                    permission = permission.about(
+                        user=user,
+                        club=membership.club,
+                        User=User,
+                        Club=Club,
+                        Membership=Membership,
+                        Note=Note,
+                        NoteUser=NoteUser,
+                        NoteClub=NoteClub,
+                        NoteSpecial=NoteSpecial,
+                        F=F,
+                        Q=Q
+                    )
                    yield permission

+    def filter_queryset(self, user, model, type, field=None):
+        """
+        Filter a queryset by considering the permissions of a given user.
+        :param user: The owner of the permissions that are fetched
+        :param model: The concerned model of the queryset
+        :param type: The type of modification (view, add, change, delete)
+        :param field: The field of the model to test, if concerned
+        :return: A query that corresponds to the filter to give to a queryset
+        """
+
+        if user.is_superuser:
+            # Superusers have all rights
+            return Q()
+
+        # Never satisfied
+        query = Q(pk=-1)
+        for perm in self.permissions(user):
+            if field and field != perm.field:
+                continue
+            if perm.model != model or perm.type != type:
+                continue
+            query = query | perm.query
+        return query
+
    def has_perm(self, user_obj, perm, obj=None):
        if user_obj.is_superuser:
            return True

        if obj is None:
-            return False
-        perm = perm.split('_', 3)
-        perm_type = perm[1]
+            return True
+
+        perm = perm.split('.')[-1].split('_', 2)
+        perm_type = perm[0]
        perm_field = perm[2] if len(perm) == 3 else None
-        return any(permission.applies(obj, perm_type, perm_field) for permission in self.permissions(user_obj))
+        if any(permission.applies(obj, perm_type, perm_field) for permission in self.permissions(user_obj)):
+            return True
+        return False

    def has_module_perms(self, user_obj, app_label):
        return False
--- a/apps/member/views.py
+++ b/apps/member/views.py
@ -203,7 +203,6 @@ class DeleteAliasView(LoginRequiredMixin, DeleteView):
        return HttpResponseRedirect(self.get_success_url())

    def get_success_url(self):
-        print(self.request)
        return reverse_lazy('member:user_alias', kwargs={'pk': self.object.note.user.pk})

    def get(self, request, *args, **kwargs):