Check permissions per request instead of per user

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

apps/note/api/serializers.py

@@ -8,7 +8,7 @@ from rest_framework.exceptions import ValidationError
 from rest_polymorphic.serializers import PolymorphicSerializer
 from member.api.serializers import MembershipSerializer
 from member.models import Membership
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 from rest_framework.utils import model_meta
 
@@ -126,7 +126,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
         """
         # If the user has no right to see the note, then we only display the note identifier
         return NotePolymorphicSerializer().to_representation(obj.note)\
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", obj.note)\
+            if PermissionBackend.check_perm(get_current_request(), "note.view_note", obj.note)\
             else dict(
             id=obj.note.id,
             name=str(obj.note),
@@ -142,7 +142,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
     def get_membership(self, obj):
         if isinstance(obj.note, NoteUser):
             memberships = Membership.objects.filter(
-                PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter(
+                PermissionBackend.filter_queryset(get_current_request(), Membership, "view")).filter(
                 user=obj.note.user,
                 club=2,  # Kfet
             ).order_by("-date_start")

apps/note/api/views.py

@@ -10,7 +10,6 @@ from rest_framework import viewsets
 from rest_framework.response import Response
 from rest_framework import status
 from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
-from note_kfet.middlewares import get_current_session
 from permission.backends import PermissionBackend
 
 from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer,\
@@ -40,12 +39,12 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
         Parse query and apply filters.
         :return: The filtered set of requested notes
         """
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        queryset = self.queryset.filter(PermissionBackend.filter_queryset(user, Note, "view")
-                                        | PermissionBackend.filter_queryset(user, NoteUser, "view")
-                                        | PermissionBackend.filter_queryset(user, NoteClub, "view")
-                                        | PermissionBackend.filter_queryset(user, NoteSpecial, "view")).distinct()
+        self.request.session.setdefault("permission_mask", 42)
+        queryset = self.queryset.filter(PermissionBackend.filter_queryset(self.request, Note, "view")
+                                        | PermissionBackend.filter_queryset(self.request, NoteUser, "view")
+                                        | PermissionBackend.filter_queryset(self.request, NoteClub, "view")
+                                        | PermissionBackend.filter_queryset(self.request, NoteSpecial, "view"))\
+            .distinct()
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
@@ -205,7 +204,6 @@ class TransactionViewSet(ReadProtectedModelViewSet):
     ordering_fields = ['created_at', 'amount', ]
 
     def get_queryset(self):
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        return self.model.objects.filter(PermissionBackend.filter_queryset(user, self.model, "view"))\
+        self.request.session.setdefault("permission_mask", 42)
+        return self.model.objects.filter(PermissionBackend.filter_queryset(self.request, self.model, "view"))\
             .order_by("created_at", "id")