Source code for api.permissions

import hmac

from django.conf import settings
from django.contrib.auth.models import AnonymousUser
from rest_framework import permissions

from api import models


def is_app_user(request, obj):
    """
    Decide whether the requesting user may act on an app or app-related object.

    Superusers and the app's owner are always allowed. The owner is matched
    against ``obj.owner`` when ``obj`` is a ``models.App``, and against
    ``obj.app.owner`` when ``obj`` has an ``app`` attribute. Users holding the
    ``use_app`` permission on the object, or on its app, are allowed every
    HTTP method except ``DELETE``. Everyone else is refused.
    """
    user = request.user

    # Full access: administrators and the owner of the app.
    if user.is_superuser:
        return True
    if isinstance(obj, models.App) and obj.owner == user:
        return True
    if hasattr(obj, 'app') and obj.app.owner == user:
        return True

    # Collaborators get everything short of deletion. Only the literal
    # method name 'DELETE' is excluded; other unsafe methods stay allowed.
    is_collaborator = user.has_perm('use_app', obj) or (
        hasattr(obj, 'app') and user.has_perm('use_app', obj.app))
    if is_collaborator:
        return request.method != 'DELETE'

    return False
class IsAnonymous(permissions.BasePermission):
    """
    View permission that admits only anonymous (unauthenticated) users.
    """

    def has_permission(self, request, view):
        """
        Return `True` only when `request.user` is exactly an `AnonymousUser`.

        The comparison is on the exact type, so an instance of a subclass of
        `AnonymousUser` is not treated as anonymous here.
        """
        requester = request.user
        return type(requester) is AnonymousUser
class IsOwner(permissions.BasePermission):
    """
    Object-level permission that lets only the owner of an object access it.

    The model instance is expected to expose an `owner` attribute; objects
    without one are refused.

    NOTE(review): this class only implements the object-level hook. In Django
    REST framework that hook runs where the view invokes object permission
    checks (`get_object()` does), so list endpoints need their own queryset
    filtering - confirm against the views that use this class.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return `True` when `obj.owner` equals the requesting user.
        """
        # Deny by default: an object with no owner cannot be matched.
        if not hasattr(obj, 'owner'):
            return False
        return obj.owner == request.user
class IsOwnerOrAdmin(permissions.BasePermission):
    """
    Object-level permission that lets the owner of an object, or any
    superuser, access it.

    The model instance is expected to expose an `owner` attribute; for
    non-superusers, objects without one are refused.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return `True` for superusers and for the user equal to `obj.owner`.
        """
        requester = request.user
        # Superusers pass before the object is inspected at all.
        if requester.is_superuser:
            return True
        # Deny by default when there is no owner to compare against.
        if not hasattr(obj, 'owner'):
            return False
        return obj.owner == requester
class IsAppUser(permissions.BasePermission):
    """
    Object-level permission for app-related models: owners and collaborators
    are admitted according to `is_app_user`.
    """

    def has_object_permission(self, request, view, obj):
        """
        Delegate the decision to `is_app_user(request, obj)` and return its
        result unchanged.
        """
        allowed = is_app_user(request, obj)
        return allowed
class IsAdmin(permissions.BasePermission):
    """
    View permission that admits only administrators (superusers).
    """

    def has_permission(self, request, view):
        """
        Return the `is_superuser` flag of the requesting user.
        """
        requester = request.user
        return requester.is_superuser
class IsAdminOrSafeMethod(permissions.BasePermission):
    """
    View permission that reserves unsafe methods (POST, PUT, DELETE, ...)
    for admins.

    Methods listed in `permissions.SAFE_METHODS` are granted without looking
    at the user at all, so as far as this class is concerned they are open to
    every requester, authenticated or not.
    """

    def has_permission(self, request, view):
        """
        Return `True` for safe methods; otherwise return the requesting
        user's `is_superuser` flag.
        """
        # Read-only access needs no privilege check.
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_superuser
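class HasRegistrationAuth(permissions.BasePermission):
    """
    View permission that gates registration on `settings.REGISTRATION_MODE`.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.

        Modes:
          * 'disabled'   - nobody may register.
          * 'enabled'    - anybody may register.
          * 'admin_only' - only superusers may register.

        If `settings.REGISTRATION_MODE` does not exist, such as during a
        test, permission is granted. Any other value raises `Exception`.
        """
        # Tolerate only a missing setting. The lookup is isolated so that an
        # AttributeError raised while evaluating `request.user.is_superuser`
        # can no longer be mistaken for "setting absent" and grant access.
        try:
            mode = settings.REGISTRATION_MODE
        except AttributeError:
            # NOTE(review): this fallback is fail-open by design (see the
            # docstring); deployments should set REGISTRATION_MODE explicitly.
            return True

        if mode == 'disabled':
            return False
        if mode == 'enabled':
            return True
        if mode == 'admin_only':
            return request.user.is_superuser
        raise Exception("{} is not a valid registration mode".format(mode))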
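class HasBuilderAuth(permissions.BasePermission):
    """
    View permission to allow the builder to perform actions when it presents
    the shared key in a special HTTP header.
    """

    def has_permission(self, request, view):
        """
        Return `True` if the `HTTP_X_DEIS_BUILDER_AUTH` entry of the request
        environ equals `settings.BUILDER_KEY`, `False` otherwise.

        A missing or empty header is refused, and so is an empty or
        non-string `BUILDER_KEY`, so an unset key can never be matched.
        """
        auth_header = request.environ.get('HTTP_X_DEIS_BUILDER_AUTH')
        if not auth_header:
            return False

        expected = settings.BUILDER_KEY
        # A non-string or empty key could never equal the non-empty header
        # string, so refuse before the byte comparison below.
        if not isinstance(expected, str) or not expected:
            return False

        # The key is a shared secret: compare in constant time so response
        # timing does not reveal how much of a guess was correct. Both sides
        # are encoded because compare_digest rejects non-ASCII str values.
        return hmac.compare_digest(auth_header.encode('utf-8'),
                                   expected.encode('utf-8'))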
class CanRegenerateToken(permissions.BasePermission):
    """
    Checks whether a user may regenerate a token.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.

        A request whose data contains a 'username' or 'all' key is granted
        only to superusers; any other request is granted.
        """
        payload = request.data
        needs_admin = 'username' in payload or 'all' in payload
        if not needs_admin:
            return True
        return request.user.is_superuser