mirror of https://gitlab.crans.org/bde/nk20 synced 2024-11-27 02:43:01 +00:00

Anonymous users have no right

Yohann D'ANELLO 2020-03-20 18:22:20 +01:00
parent d494a3e7fa
commit e2d2d2cc99


@ -2,15 +2,15 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
from django.contrib.auth.backends import ModelBackend from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import User from django.contrib.auth.models import User, AnonymousUser
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from django.db.models import Q, F from django.db.models import Q, F
from note.models import Note, NoteUser, NoteClub, NoteSpecial from note.models import Note, NoteUser, NoteClub, NoteSpecial
from note_kfet.middlewares import get_current_session from note_kfet.middlewares import get_current_session
from permission.models import Permission
from member.models import Membership, Club from member.models import Membership, Club
from .models import Permission
class PermissionBackend(ModelBackend): class PermissionBackend(ModelBackend):
""" """
@ -66,6 +66,10 @@ class PermissionBackend(ModelBackend):
:return: A query that corresponds to the filter to give to a queryset :return: A query that corresponds to the filter to give to a queryset
""" """
if user is None or isinstance(user, AnonymousUser):
# Anonymous users can't do anything
return Q(pk=-1)
if user.is_superuser and get_current_session().get("permission_mask", 0) >= 42: if user.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
# Superusers have all rights # Superusers have all rights
return Q() return Q()
@ -86,6 +90,9 @@ class PermissionBackend(ModelBackend):
return query return query
def has_perm(self, user_obj, perm, obj=None): def has_perm(self, user_obj, perm, obj=None):
if user_obj is None or isinstance(user_obj, AnonymousUser):
return False
if user_obj.is_superuser and get_current_session().get("permission_mask", 0) >= 42: if user_obj.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
return True return True
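Review bot: Both added guards identify an anonymous caller with `isinstance(..., AnonymousUser)`, which only matches Django's own class, so any other unauthenticated user object would fall through to the checks below. Testing the state instead, `if user is None or not user.is_authenticated:` (and the same for `user_obj` in `has_perm`), denies by default; ModelBackend's own permission methods also refuse accounts with `is_active` false, which may be worth mirroring here. In the filter method, `return Q(pk=-1)` relies on no row ever having that primary key, whereas `return Q(pk__in=[])` expresses "match nothing" without that assumption. Both functions start or continue outside the visible hunks, so their remaining branches were not reviewed.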