Handle permissions (and it seems working!)

2025-06-21 01:48:21 +02:00 · 2020-03-18 14:42:35 +01:00
parent 112d4b6c5a
commit 057f42fdb6
19 changed files with 357 additions and 57 deletions
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@ -0,0 +1,75 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.core.exceptions import PermissionDenied
+from logs.middlewares import get_current_authenticated_user
+
+
+EXCLUDED = [
+    'cas_server.proxygrantingticket',
+    'cas_server.proxyticket',
+    'cas_server.serviceticket',
+    'cas_server.user',
+    'cas_server.userattributes',
+    'contenttypes.contenttype',
+    'logs.changelog',
+    'migrations.migration',
+    'sessions.session',
+]
+
+
+def pre_save_object(sender, instance, **kwargs):
+    """
+    Before a model get saved, we check the permissions
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    user = get_current_authenticated_user()
+    if user is None:
+        # Action performed on shell is always granted
+        return
+
+    qs = sender.objects.filter(pk=instance.pk).all()
+    model_name_full = instance._meta.label_lower.split(".")
+    app_label = model_name_full[0]
+    model_name = model_name_full[1]
+
+    if qs.exists():
+        if user.has_perm(app_label + ".change_" + model_name, instance):
+            return
+
+        previous = qs.get()
+        for field in instance._meta.fields:
+            field_name = field.name
+            old_value = getattr(previous, field.name)
+            new_value = getattr(instance, field.name)
+            if old_value == new_value:
+                continue
+            if not user.has_perm(app_label + ".change_" + model_name + "_" + field_name, instance):
+                raise PermissionDenied
+    else:
+        if not user.has_perm(app_label + ".add_" + model_name, instance):
+            raise PermissionDenied
+
+
+def pre_delete_object(sender, instance, **kwargs):
+    """
+    Before a model get deleted, we check the permissions
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    user = get_current_authenticated_user()
+    if user is None:
+        # Action performed on shell is always granted
+        return
+
+    model_name_full = instance._meta.label_lower.split(".")
+    app_label = model_name_full[0]
+    model_name = model_name_full[1]
+
+    if not user.has_perm(app_label + ".delete_" + model_name, instance):
+        raise PermissionDenied