Commit 15d39d21 authored by Thibaud's avatar Thibaud

Proposal for permission management

A brief usage description has been included in the README.md
parent 79175989
......@@ -141,6 +141,64 @@ class MyModel(models.Model):
class Meta:
auto_author = 'author_user'
```
## permissions
This allows you to add permissions for AnonymousUser, logged in user, author ... in the url:
Currently, there are 3 choices :
* PublicPostPermissions
* PrivateProjectPermissions
* NotificationsPermissions
Specific permissin classes can be developed to fit special needs.
PublicPostPermissions gives these permissions:
* Anonymous users: can read all posts
* Logged in users: can read all posts + create new posts
* Author: can read all posts + create new posts + update their own
```
from django.conf.urls import url
from djangoldp.views import LDPViewSet
from djangoldp.permissions import PublicPostPermissions
urlpatterns = [
url(r'^projects/', ProjectViewSet.urls(permission_classes=(PublicPostPermissions,))),
url(r'^customers/', LDPViewSet.urls(model=Customer)),
]
```
PrivateProjectPermissions provides the following
* Anonymous users: no permissions
* Logged in users: can read projects if they're in the team
* Users of group Partners: can see all projects + update all projects
```
from django.conf.urls import url
from djangoldp.views import LDPViewSet
from djangoldp.permissions import PrivateProjectPermissions
urlpatterns = [
url(r'^projects/', ProjectViewSet.urls(permission_classes=(PrivateProjectPermissions,))),
url(r'^customers/', LDPViewSet.urls(model=Customer)),
]
```
NotificationsPermissions is used for, well, notifications:
* Anonymous users: can create notifications but can't read
* Logged in users: can create notifications but can't read
* Inbox owners: can read + update all notifications
```
from django.conf.urls import url
from djangoldp.views import LDPViewSet
from djangoldp.permissions import NotificationsPermissions
urlpatterns = [
url(r'^projects/', ProjectViewSet.urls(permission_classes=(NotificationsPermissions,))),
url(r'^customers/', LDPViewSet.urls(model=Customer)),
]
```
Important note:
If you need to give permissions to owner's object, don't forget to add auto_author in model's meta
## License
......
from rest_framework import permissions
"""
Liste des actions passées dans views selon le protocole REST :
list
create
retrieve
update, partial update
destroy
Pour chacune de ces actions, on va définir si on accepte la requête (True) ou non (False)
"""
class PublicPostPermissions(permissions.BasePermission):
"""
Anonymous users: can read all posts
Logged in users: can read all posts + create new posts
Author: can read all posts + create new posts + update their own
"""
def has_permission(self, request, view):
if view.action == "list":
return True
if not request.user.is_authenticated():
return False
elif view.action == 'create':
return True
elif view.action in ['retrieve', 'update', 'partial_update', 'destroy']:
return True
else:
return False
def has_object_permission(self, request, view, obj):
if view.action == "create":
return True
elif view.action in ['retrieve', 'update', 'partial_update', 'destroy']:
if hasattr(obj._meta, 'auto_author'):
auth = getattr(obj, obj._meta.auto_author)
if auth == request.user:
return True
else:
return False
class PrivateProjectPermissions(permissions.BasePermission):
"""
Anonymous users: no permissions
Logged in users: can read projects if they're in the team
Users of group Partners: can see all projects + update all projects
"""
def has_permission(self, request, view):
if not request.user.is_authenticated():
return False
if view.action == "list":
return True
elif view.action == 'create':
return True
elif view.action in ['retrieve', 'update', 'partial_update', 'destroy']:
return True
else:
return False
def has_object_permission(self, request, view, obj):
if view.action in ['retrieve']:
# Is user in the team ?
for t in obj.team.all():
if request.user == t:
return True
elif view.action in ['update', 'partial_update', 'destroy']:
if request.user.groups.filter(name='Partners').exists():
return True
return False
class NotificationsPermissions(permissions.BasePermission):
"""
Anonymous users: can create notifications but can't read
Logged in users: can create notifications but can't read
Inbox owners: can read + update all notifications
"""
def has_permission(self, request, view):
if view.action == "list":
return False
elif view.action == 'create':
return True
elif view.action in ['retrieve', 'update', 'partial_update', 'destroy']:
return True
else:
return False
def has_object_permission(self, request, view, obj):
if view.action in ["retrieve", 'update', 'partial_update', 'destroy']:
if hasattr(obj._meta, 'auto_author'):
auth = getattr(obj, obj._meta.auto_author)
if auth == request.user:
return True
else:
return False
if view.action == "create":
if request.user == "AnonymousUser" or request.user.is_authenticated():
return True
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment