github.com/dustinrc/deis@v1.10.1-0.20150917223407-0894a5fb979e/controller/api/permissions.py (about)

     1  
     2  from rest_framework import exceptions
     3  from rest_framework import permissions
     4  from django.conf import settings
     5  from django.contrib.auth.models import AnonymousUser
     6  
     7  from api import models
     8  
     9  
def is_app_user(request, obj):
    """
    Decide whether the requesting user may act on an app or app-related object.

    Access tiers, checked in this order:
      1. Superusers, the owner of `obj` when it is an `App`, and the owner of
         `obj.app` when `obj` has an `app` attribute: every method is allowed.
      2. Users holding the `use_app` permission on `obj` or on `obj.app`:
         every method except DELETE is allowed.
      3. Everyone else: denied.
    """
    user = request.user

    # Tier 1: full access for superusers and owners.
    if user.is_superuser:
        return True
    if isinstance(obj, models.App) and obj.owner == user:
        return True
    if hasattr(obj, 'app') and obj.app.owner == user:
        return True

    # Tier 2: holders of `use_app` get everything short of deletion.
    holds_use_app = user.has_perm('use_app', obj) or (
        hasattr(obj, 'app') and user.has_perm('use_app', obj.app))
    if holds_use_app:
        return request.method != 'DELETE'

    # Tier 3: deny by default.
    return False
    20  
    21  
class IsAnonymous(permissions.BasePermission):
    """
    View permission that admits only unauthenticated (anonymous) requests.
    """

    def has_permission(self, request, view):
        """
        Return `True` only when `request.user` is exactly an `AnonymousUser`.

        This is an exact type match, not an `isinstance` check, so an instance
        of an `AnonymousUser` subclass is not treated as anonymous.
        """
        user_type = type(request.user)
        return user_type is AnonymousUser
    32  
    33  
class IsOwner(permissions.BasePermission):
    """
    Object-level permission that lets only the owner of an object access it.

    Ownership is read from the model instance's `owner` attribute; an object
    without that attribute is denied to everyone.

    Only the object-level check is defined here. DRF evaluates it when the
    view calls `check_object_permissions()` (generic views do so in
    `get_object()`), so list endpoints need their own queryset filtering.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return whether `obj.owner` equals the requesting user.
        """
        # Deny by default: with no `owner` there is nobody to match against.
        return hasattr(obj, 'owner') and obj.owner == request.user
    45  
    46  
class IsOwnerOrAdmin(permissions.BasePermission):
    """
    Object-level permission that lets the owner of an object, or any
    superuser, access it.

    Ownership is read from the model instance's `owner` attribute; for
    non-superusers an object without that attribute is denied.

    Only the object-level check is defined here. DRF evaluates it when the
    view calls `check_object_permissions()` (generic views do so in
    `get_object()`), so list endpoints need their own queryset filtering.
    """
    def has_object_permission(self, request, view, obj):
        """
        Return `True` for superusers, otherwise whether the user owns `obj`.
        """
        user = request.user
        if user.is_superuser:
            return True
        # Deny by default when the object carries no `owner` attribute.
        return hasattr(obj, 'owner') and obj.owner == user
    59  
    60  
class IsAppUser(permissions.BasePermission):
    """
    Object-level permission for app-related models, decided by `is_app_user`.

    Superusers and owners get full access; users holding `use_app` get
    everything except DELETE.
    """
    def has_object_permission(self, request, view, obj):
        """
        Delegate the decision to the module-level `is_app_user` helper.
        """
        allowed = is_app_user(request, obj)
        return allowed
    68  
    69  
class IsAdmin(permissions.BasePermission):
    """
    View permission that admits only superusers.

    The check reads `is_superuser` only; `is_staff` is not consulted.
    """

    def has_permission(self, request, view):
        """
        Return the requesting user's `is_superuser` flag.
        """
        user = request.user
        return user.is_superuser
    80  
    81  
class IsAdminOrSafeMethod(permissions.BasePermission):
    """
    View permission that reserves unsafe methods (POST, PUT, DELETE, ...)
    for superusers.

    Requests using a method listed in `permissions.SAFE_METHODS` are allowed
    for every caller. This class does not check that the caller is
    authenticated, so a view that must restrict reads has to combine it with
    an authentication permission.
    """

    def has_permission(self, request, view):
        """
        Return `True` for safe methods, otherwise the user's superuser flag.
        """
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_superuser
    95  
    96  
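class HasRegistrationAuth(permissions.BasePermission):
    """
    View permission that gates user registration on
    `settings.REGISTRATION_MODE`.
    """
    def has_permission(self, request, view):
        """
        Decide whether this request may register a user.

        Behavior per mode:
          - 'enabled': allowed for every caller.
          - 'admin_only': allowed only for superusers.
          - 'disabled': raises `PermissionDenied`.
          - any other value: raises `Exception` (misconfiguration).

        If settings.REGISTRATION_MODE does not exist, such as during a test,
        return True.
        """
        # Guard only the settings lookup. Wrapping the whole decision in
        # `except AttributeError` would turn an AttributeError raised while
        # evaluating the 'admin_only' user check into a granted permission.
        try:
            mode = settings.REGISTRATION_MODE
        except AttributeError:
            # NOTE: a missing setting means open registration; deployments
            # should define REGISTRATION_MODE explicitly.
            return True

        if mode == 'disabled':
            raise exceptions.PermissionDenied('Registration is disabled')
        if mode == 'enabled':
            return True
        if mode == 'admin_only':
            return request.user.is_superuser
        # Unknown mode: fail closed with an error rather than guessing.
        raise Exception("{} is not a valid registation mode"
                        .format(mode))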
   118  
   119  
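class HasBuilderAuth(permissions.BasePermission):
    """
    View permission to allow builder to perform actions
    with a special HTTP header.

    The header value (WSGI environ key `HTTP_X_DEIS_BUILDER_AUTH`) must equal
    the shared secret in `settings.BUILDER_KEY`. The key is a static bearer
    secret, so it should only travel over channels that protect it in transit.
    """

    def has_permission(self, request, view):
        """
        Return `True` only when the header matches `settings.BUILDER_KEY`.

        A missing or empty header is rejected, and so is an unset or empty
        key, so a misconfigured key never authenticates anyone.
        """
        # Local import so this block carries its own dependency.
        from django.utils.crypto import constant_time_compare

        auth_header = request.environ.get('HTTP_X_DEIS_BUILDER_AUTH')
        if not auth_header:
            return False
        expected_key = settings.BUILDER_KEY
        if not expected_key:
            return False
        # Compare in constant time: `==` returns as soon as the values
        # differ, so response timing could reveal how much of a guess matched.
        return constant_time_compare(auth_header, expected_key)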
   134  
   135  
class CanRegenerateToken(permissions.BasePermission):
    """
    View permission for token regeneration requests.
    """

    def has_permission(self, request, view):
        """
        Require a superuser when the request data contains `username` or `all`.

        Requests carrying neither key are allowed for every caller.
        """
        # presumably these keys select tokens other than the caller's own;
        # verify against the view that consumes them
        needs_admin = 'username' in request.data or 'all' in request.data
        if not needs_admin:
            # NOTE(review): no authentication check on this path; looks like
            # the view is expected to add one. Confirm.
            return True
        return request.user.is_superuser