github.com/spg/deis@v1.7.3/controller/api/permissions.py (about)

     1  from rest_framework import permissions
     2  from django.conf import settings
     3  from django.contrib.auth.models import AnonymousUser
     4  
     5  from api import models
     6  
     7  
def is_app_user(request, obj):
    """
    Decide whether the requesting user may act on an app or app-related object.

    Superusers, the owner of an `App`, and the owner of `obj.app` are allowed
    for every HTTP method. A user holding the `use_app` permission on `obj`
    (or on `obj.app`) is allowed for every method except `DELETE`, which
    means collaborators may still use other write methods. Everyone else is
    refused.
    """
    user = request.user

    # Full access: administrators.
    if user.is_superuser:
        return True
    # Full access: the owner of the app itself.
    if isinstance(obj, models.App) and obj.owner == user:
        return True
    # Full access: the owner of the app that an app-related object belongs to.
    if hasattr(obj, 'app') and obj.app.owner == user:
        return True

    # Collaborator access: granted directly on the object or through its app.
    is_collaborator = user.has_perm('use_app', obj) or (
        hasattr(obj, 'app') and user.has_perm('use_app', obj.app))
    if is_collaborator:
        # Deleting is reserved for owners and superusers.
        return request.method != 'DELETE'
    return False
    18  
    19  
class IsAnonymous(permissions.BasePermission):
    """
    View-level permission that admits only unauthenticated requests.
    """

    def has_permission(self, request, view):
        """
        Return `True` when `request.user` is exactly an `AnonymousUser`.

        The comparison is on the exact type, so an instance of a subclass of
        `AnonymousUser` is not treated as anonymous.
        """
        user_type = type(request.user)
        return user_type is AnonymousUser
    30  
    31  
class IsOwner(permissions.BasePermission):
    """
    Object-level permission that admits only the owner of the object.

    Objects without an `owner` attribute are refused, and superusers get no
    special treatment here.
    """
    # NOTE(review): only the object-level hook is overridden, so view-level
    # access is whatever BasePermission allows - confirm that list endpoints
    # using this class restrict their querysets separately.

    def has_object_permission(self, request, view, obj):
        """
        Return the result of comparing `obj.owner` with the requesting user,
        or `False` when the object has no `owner` attribute.
        """
        if not hasattr(obj, 'owner'):
            return False
        return obj.owner == request.user
    43  
    44  
class IsOwnerOrAdmin(permissions.BasePermission):
    """
    Object-level permission that admits the owner of the object or a superuser.

    For non-superusers, objects without an `owner` attribute are refused.
    """
    def has_object_permission(self, request, view, obj):
        """
        Return `True` for superusers; otherwise compare `obj.owner` with the
        requesting user, refusing objects that have no `owner` attribute.
        """
        user = request.user
        # Superusers pass before the object is inspected at all.
        if user.is_superuser:
            return True
        return hasattr(obj, 'owner') and obj.owner == user
    57  
    58  
class IsAppUser(permissions.BasePermission):
    """
    Object-level permission for app-related models: owners and collaborators
    are admitted according to `is_app_user`.
    """
    # NOTE(review): only the object-level hook is overridden, so view-level
    # access is whatever BasePermission allows - confirm that list endpoints
    # using this class restrict their querysets separately.

    def has_object_permission(self, request, view, obj):
        """
        Return the decision made by `is_app_user` for this request and object.
        """
        allowed = is_app_user(request, obj)
        return allowed
    66  
    67  
class IsAdmin(permissions.BasePermission):
    """
    View-level permission that admits only superusers.
    """

    def has_permission(self, request, view):
        """
        Return the `is_superuser` flag of the requesting user.
        """
        user = request.user
        return user.is_superuser
    78  
    79  
class IsAdminOrSafeMethod(permissions.BasePermission):
    """
    View-level permission that reserves unsafe methods (such as POST, PUT
    and DELETE) for superusers.

    Requests whose method is listed in `permissions.SAFE_METHODS` pass
    without `request.user` being consulted, so this class on its own does
    not require authentication for those methods.
    """

    def has_permission(self, request, view):
        """
        Return `True` for safe methods; otherwise return the requesting
        user's `is_superuser` flag.
        """
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_superuser
    93  
    94  
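class HasRegistrationAuth(permissions.BasePermission):
    """
    View-level permission that gates registration on
    `settings.REGISTRATION_MODE`.
    """
    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.

        `'disabled'` refuses everyone, `'enabled'` admits everyone and
        `'admin_only'` admits superusers. If the setting does not exist,
        such as during a test, permission is granted. Any other value
        raises `Exception`.
        """
        # Only the settings lookup may fall back to "allow". Keeping the
        # try block this narrow means an AttributeError raised while
        # evaluating the user in 'admin_only' mode propagates instead of
        # silently granting registration.
        try:
            mode = settings.REGISTRATION_MODE
        except AttributeError:
            # A missing setting leaves registration open; deployments that
            # want it restricted must define REGISTRATION_MODE explicitly.
            return True

        if mode == 'disabled':
            return False
        if mode == 'enabled':
            return True
        if mode == 'admin_only':
            return request.user.is_superuser
        raise Exception("{} is not a valid registation mode"
                        .format(mode))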
   116  
   117  
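class HasBuilderAuth(permissions.BasePermission):
    """
    View-level permission that lets the builder perform actions by sending
    a shared key in a special HTTP header.

    `request.user` is not consulted: possession of `settings.BUILDER_KEY`
    is the only credential checked here.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.

        Permission is granted only when the `HTTP_X_DEIS_BUILDER_AUTH`
        entry of the request environ is non-empty and equal to
        `settings.BUILDER_KEY`.
        """
        # Imported here so the block needs no change to the module imports.
        from django.utils.crypto import constant_time_compare

        auth_header = request.environ.get('HTTP_X_DEIS_BUILDER_AUTH')
        expected = settings.BUILDER_KEY
        # Fail closed when either side is missing or empty, so an unset key
        # can never be matched by any header value.
        if not auth_header or not expected:
            return False
        # Compare in constant time so that response timing does not reveal
        # how much of the key a guess got right. The key is expected to be
        # a string.
        return constant_time_compare(auth_header, expected)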