-
-
Save anonymous/6a12d902c042e631a6c9 to your computer and use it in GitHub Desktop.
the description for this gist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
class DjangoObjectPermissions(DjangoModelPermissions): | |
""" | |
The request is authenticated using Django's object-level permissions. | |
It requires an object-permissions-enabled backend, such as Django Guardian. | |
It ensures that the user is authenticated, and has the appropriate | |
`add`/`change`/`delete` permissions on the object using .has_perms. | |
This permission can only be applied against view classes that | |
provide a `.model` or `.queryset` attribute. | |
""" | |
perms_map = { | |
'GET': [], | |
'OPTIONS': [], | |
'HEAD': [], | |
'POST': ['%(app_label)s.add_%(model_name)s'], | |
'PUT': ['%(app_label)s.change_%(model_name)s'], | |
'PATCH': ['%(app_label)s.change_%(model_name)s'], | |
'DELETE': ['%(app_label)s.delete_%(model_name)s'], | |
} | |
def get_required_object_permissions(self, method, model_cls): | |
kwargs = { | |
'app_label': model_cls._meta.app_label, | |
'model_name': model_cls._meta.module_name | |
} | |
return [perm % kwargs for perm in self.perms_map[method]] | |
def has_object_permission(self, request, view, obj): | |
model_cls = getattr(view, 'model', None) | |
queryset = getattr(view, 'queryset', None) | |
if model_cls is None and queryset is not None: | |
model_cls = queryset.model | |
perms = self.get_required_object_permissions(request.method, model_cls) | |
user = request.user | |
if not user.has_perms(perms, obj): | |
# If the user does not have permissions we need to determine if | |
# they have read permissions to see 403, or not, and simply see | |
# a 404 reponse. | |
if request.method in ('GET', 'OPTIONS', 'HEAD'): | |
# Read permissions already checked and failed, no need | |
# to make another lookup. | |
raise Http404 | |
read_perms = self.get_required_object_permissions('GET', model_cls) | |
if not user.has_perms(read_perms, obj): | |
raise Http404 | |
# Has read permissions. | |
return False | |
return True |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment