bpereto/drf-rules-permission-class-with-httpmethod-map.py

## drf-rules-permission-class-with-httpmethod-map.py
"""
Django REST Framework Permission Class for Django Rules
"""
from rest_framework import permissions, exceptions
from rest_framework.viewsets import ModelViewSet
from django.http import Http404


class DjangoRulesMethodObjectPermissions(permissions.BasePermission):
    """
    The request is authenticated using Django's object-level permissions.
    It requires an object-permissions-enabled backend, such as django-rules
    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the object using HTTP Methods
    mapped to a django rule(s).
    """

    # Map methods into required permission codes.
    # Override this if you need to also provide 'view' permissions,
    # or if you want to provide custom permission codes.
    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
    }
    object_perms_map = {}

    authenticated_users_only = True

    def get_required_permissions(self, method):
        """
        Given a HTTP method, return the list of permission
        codes that the user is required to have.
        """
        if method not in self.perms_map:
            raise exceptions.MethodNotAllowed(method)

        return [perm for perm in self.perms_map[method]]

    def get_required_object_permissions(self, method):
        """
        Given a HTTP method, return the list of permission
        codes that the user is required to have for an object

        inherit object permission from global permission if not defined
        """

        if (method not in self.object_perms_map) and \
                (method not in self.perms_map):
            raise exceptions.MethodNotAllowed(method)

        # inherit global perm if not specified in object map
        if method in self.object_perms_map:
            object_map = self.object_perms_map[method]
        else:
            object_map = self.perms_map[method]

        return [perm for perm in object_map]

    def has_permission(self, request, view):
        """
        check required perm codes with has_perms
        """

        if not request.user or \
            (not request.user.is_authenticated and self.authenticated_users_only):
            return False

        perms = self.get_required_permissions(request.method)

        return request.user.has_perms(perms)

    def has_object_permission(self, request, view, obj):
        """
        check required perm codes for a specific object with has_perms
        """
        # authentication checks have already executed via has_permission
        user = request.user

        perms = self.get_required_object_permissions(request.method)

        if not user.has_perms(perms, obj):
            # If the user does not have permissions we need to determine if
            # they have read permissions to see 403, or not, and simply see
            # a 404 response.

            if request.method in permissions.SAFE_METHODS:
                # Read permissions already checked and failed, no need
                # to make another lookup.
                raise Http404

            read_perms = self.get_required_object_permissions('GET')
            if not user.has_perms(read_perms, obj):
                raise Http404

            # Has read permissions.
            return False
        return True


"""
Django Rules
https://github.com/dfunckt/django-rules

dynamic function mapped to permission codes
"""
import rules
from rules.predicates import is_staff, is_authenticated

#  pylint: disable=invalid-name

is_foo_user = rules.is_group_member('foo')


@rules.predicate
def tree_is_big_enough(_, obj):
    """checks if a tree is big enough"""
    return obj.height > 10


rules.add_perm('tree.detail_rule_tree', is_foo_user)
rules.add_perm('tree.update_rule_tree', tree_is_big_enough)
rules.add_perm('tree.create_rule_tree', is_authenticated)
rules.add_perm('tree.delete_rule_tree', is_staff)

"""
REST API Permission Classes
"""

class TreePermission(DjangoRulesMethodObjectPermissions):
    """
    example django rules object permission class

    Hint: django checks global permission before object permission,
    therefore for ex. PUT is an empty list in the perms_map, to allow
    checking of the object permission in object_perms_map
    """

    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['tree.create_rule_tree'],
        'PATCH': [],
        'PUT': [],
        'DELETE': []
    }
    object_perms_map = {
        'GET': ['tree.detail_rule_tree'],
        'PUT': ['tree.update_rule_tree'],
        'PATCH': ['tree.update_rule_tree'],
        'DELETE': ['tree.delete_rule_tree'],
    }


class TreeViewSet(ModelViewSet):
    '''
    API endpoints for the Tree model.
    '''
    permission_classes = (TreePermission,)


"""
GNU General Public License v2
"""
	"""
	Django REST Framework Permission Class for Django Rules
	"""
	from rest_framework import permissions, exceptions
	from rest_framework.viewsets import ModelViewSet
	from django.http import Http404


	class DjangoRulesMethodObjectPermissions(permissions.BasePermission):
	"""
	The request is authenticated using Django's object-level permissions.
	It requires an object-permissions-enabled backend, such as django-rules
	It ensures that the user is authenticated, and has the appropriate
	`add`/`change`/`delete` permissions on the object using HTTP Methods
	mapped to a django rule(s).
	"""

	# Map methods into required permission codes.
	# Override this if you need to also provide 'view' permissions,
	# or if you want to provide custom permission codes.
	perms_map = {
	'GET': [],
	'OPTIONS': [],
	'HEAD': [],
	}
	object_perms_map = {}

	authenticated_users_only = True

	def get_required_permissions(self, method):
	"""
	Given a HTTP method, return the list of permission
	codes that the user is required to have.
	"""
	if method not in self.perms_map:
	raise exceptions.MethodNotAllowed(method)

	return [perm for perm in self.perms_map[method]]

	def get_required_object_permissions(self, method):
	"""
	Given a HTTP method, return the list of permission
	codes that the user is required to have for an object

	inherit object permission from global permission if not defined
	"""

	if (method not in self.object_perms_map) and \
	(method not in self.perms_map):
	raise exceptions.MethodNotAllowed(method)

	# inherit global perm if not specified in object map
	if method in self.object_perms_map:
	object_map = self.object_perms_map[method]
	else:
	object_map = self.perms_map[method]

	return [perm for perm in object_map]

	def has_permission(self, request, view):
	"""
	check required perm codes with has_perms
	"""

	if not request.user or \
	(not request.user.is_authenticated and self.authenticated_users_only):
	return False

	perms = self.get_required_permissions(request.method)

	return request.user.has_perms(perms)

	def has_object_permission(self, request, view, obj):
	"""
	check required perm codes for a specific object with has_perms
	"""
	# authentication checks have already executed via has_permission
	user = request.user

	perms = self.get_required_object_permissions(request.method)

	if not user.has_perms(perms, obj):
	# If the user does not have permissions we need to determine if
	# they have read permissions to see 403, or not, and simply see
	# a 404 response.

	if request.method in permissions.SAFE_METHODS:
	# Read permissions already checked and failed, no need
	# to make another lookup.
	raise Http404

	read_perms = self.get_required_object_permissions('GET')
	if not user.has_perms(read_perms, obj):
	raise Http404

	# Has read permissions.
	return False
	return True


	"""
	Django Rules
	https://github.com/dfunckt/django-rules

	dynamic function mapped to permission codes
	"""
	import rules
	from rules.predicates import is_staff, is_authenticated

	# pylint: disable=invalid-name

	is_foo_user = rules.is_group_member('foo')


	@rules.predicate
	def tree_is_big_enough(_, obj):
	"""checks if a tree is big enough"""
	return obj.height > 10


	rules.add_perm('tree.detail_rule_tree', is_foo_user)
	rules.add_perm('tree.update_rule_tree', tree_is_big_enough)
	rules.add_perm('tree.create_rule_tree', is_authenticated)
	rules.add_perm('tree.delete_rule_tree', is_staff)

	"""
	REST API Permission Classes
	"""

	class TreePermission(DjangoRulesMethodObjectPermissions):
	"""
	example django rules object permission class

	Hint: django checks global permission before object permission,
	therefore for ex. PUT is an empty list in the perms_map, to allow
	checking of the object permission in object_perms_map
	"""

	perms_map = {
	'GET': [],
	'OPTIONS': [],
	'HEAD': [],
	'POST': ['tree.create_rule_tree'],
	'PATCH': [],
	'PUT': [],
	'DELETE': []
	}
	object_perms_map = {
	'GET': ['tree.detail_rule_tree'],
	'PUT': ['tree.update_rule_tree'],
	'PATCH': ['tree.update_rule_tree'],
	'DELETE': ['tree.delete_rule_tree'],
	}


	class TreeViewSet(ModelViewSet):
	'''
	API endpoints for the Tree model.
	'''
	permission_classes = (TreePermission,)


	"""
	GNU General Public License v2
	"""