Use the use_api permission to access API

2024-05-20 17:42:26 +00:00 · 2018-04-20 23:24:10 +00:00 · 2018-04-20 23:24:10 +00:00 · 0be63ad58e
parent 0c7e944b07
commit 0be63ad58e
2 changed files with 60 additions and 9 deletions
--- a/api/acl.py
+++ b/api/acl.py
@ -0,0 +1,45 @@
+# -*- mode: python; coding: utf-8 -*-
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2018  Maël Kervella
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+"""api.acl
+
+Here are defined some functions to check acl on the application.
+"""
+
+from django.conf import settings
+
+
+def can_view(user):
+    """Check if an user can view the application.
+
+    Args:
+        user: The user who wants to view the application.
+
+    Returns:
+        A couple (allowed, msg) where allowed is a boolean which is True if
+        viewing is granted and msg is a message (can be None).
+    """
+    kwargs = {
+        'app_label': settings.API_CONTENT_TYPE_APP_LABEL,
+        'codename': settings.API_PERMISSION_CODENAME
+    }
+    can = user.has_perm('%(app_label)s.%(codename)s' % kwargs)
+    return can, None if can else "Vous ne pouvez pas voir cette application."
--- a/api/permissions.py
+++ b/api/permissions.py
@ -1,28 +1,34 @@
 from rest_framework import permissions
 from re2o.acl import can_create, can_edit, can_delete, can_view_all

+from . import acl
+
+def can_see_api(_):
+    return lambda user: acl.can_view(user)
+
+
 class DefaultACLPermission(permissions.BasePermission):
    """
    Permission subclass in charge of checking the ACL to determine
    if a user can access the models
    """
    perms_map = {
-        'GET': [lambda model: model.can_view_all],
-        'OPTIONS': [lambda model: model.can_view_all],
-        'HEAD': [lambda model: model.can_view_all],
-        'POST': [lambda model: model.can_create],
+        'GET': [can_see_api, lambda model: model.can_view_all],
+        'OPTIONS': [can_see_api, lambda model: model.can_view_all],
+        'HEAD': [can_see_api, lambda model: model.can_view_all],
+        'POST': [can_see_api, lambda model: model.can_create],
        #'PUT': [],
        #'PATCH': [],
        #'DELETE': [],
    }
    perms_obj_map = {
-        'GET': [lambda obj: obj.can_view],
-        'OPTIONS': [lambda obj: obj.can_view],
-        'HEAD': [lambda obj: obj.can_view],
+        'GET': [can_see_api, lambda obj: obj.can_view],
+        'OPTIONS': [can_see_api, lambda obj: obj.can_view],
+        'HEAD': [can_see_api, lambda obj: obj.can_view],
        #'POST': [],
-        'PUT': [lambda obj: obj.can_edit],
+        'PUT': [can_see_api, lambda obj: obj.can_edit],
        #'PATCH': [],
-        'DELETE': [lambda obj: obj.can_delete],
+        'DELETE': [can_see_api, lambda obj: obj.can_delete],
    }

    def get_required_permissions(self, method, model):