django-rest-framework/djangorestframework/permissions.py

"""
The :mod:`permissions` module bundles a set of permission classes that are used
for checking if a request passes a certain set of constraints.

Permission behavior is provided by mixing the :class:`mixins.PermissionsMixin` class into a :class:`View` class.
"""

__all__ = (
    'BasePermission',
    'FullAnonAccess',
    'IsAuthenticated',
    'IsAdminUser',
    'IsUserOrIsAnonReadOnly',
    'PerUserThrottling',
    'PerViewThrottling',
)

SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']


class BasePermission(object):
    """
    A base class from which all permission classes should inherit.
    """
    def __init__(self, view):
        """
        Permission classes are always passed the current view on creation.
        """
        self.view = view

    def check_permission(self, request, obj=None):
        """
        Should simply return, or raise an :exc:`response.ImmediateResponse`.
        """
        raise NotImplementedError(".check_permission() must be overridden.")


class IsAuthenticated(BasePermission):
    """
    Allows access only to authenticated users.
    """

    def check_permission(self, request, obj=None):
        if request.user.is_authenticated():
            return True
        return False


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """

    def check_permission(self, request, obj=None):
        if request.user.is_staff:
            return True
        return False


class IsAuthenticatedOrReadOnly(BasePermission):
    """
    The request is authenticated as a user, or is a read-only request.
    """

    def check_permission(self, request, obj=None):
        if (request.user.is_authenticated() or
            request.method in SAFE_METHODS):
            return True
        return False


class DjangoModelPermissions(BasePermission):
    """
    The request is authenticated using `django.contrib.auth` permissions.
    See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions

    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the model.

    This permission should only be used on views with a `ModelResource`.
    """

    # Map methods into required permission codes.
    # Override this if you need to also provide 'read' permissions,
    # or if you want to provide custom permission codes.
    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def get_required_permissions(self, method, model_cls):
        """
        Given a model and an HTTP method, return the list of permission
        codes that the user is required to have.
        """
        kwargs = {
            'app_label': model_cls._meta.app_label,
            'model_name':  model_cls._meta.module_name
        }
        return [perm % kwargs for perm in self.perms_map[method]]

    def check_permission(self, request, obj=None):
        model_cls = self.view.model
        perms = self.get_required_permissions(request.method, model_cls)

        if request.user.is_authenticated() and request.user.has_perms(perms, obj):
            return True
        return False
The core is now documented from the docstrings in the source. 2011-05-19 21:36:30 +04:00			`"""`
updated docs 2012-02-24 01:34:20 +04:00			The :mod:`permissions` module bundles a set of permission classes that are used
			`for checking if a request passes a certain set of constraints.`

			Permission behavior is provided by mixing the :class:`mixins.PermissionsMixin` class into a :class:`View` class.
The core is now documented from the docstrings in the source. 2011-05-19 21:36:30 +04:00			`"""`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`__all__ = (`
			`'BasePermission',`
			`'FullAnonAccess',`
			`'IsAuthenticated',`
			`'IsAdminUser',`
			`'IsUserOrIsAnonReadOnly',`
Add PerViewThrottling and PerResourceThrottling to __all__ 2011-06-14 13:31:18 +04:00			`'PerUserThrottling',`
			`'PerViewThrottling',`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`)`

`OPTIONS` is also a safe method. 2012-02-11 22:43:58 +04:00			`SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']`

Getting the API into shape 2011-05-10 13:49:28 +04:00
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`class BasePermission(object):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`A base class from which all permission classes should inherit.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`def __init__(self, view):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Permission classes are always passed the current view on creation.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`self.view = view`
Merge monseiur drummond's pagination niceness 2011-12-09 16:35:42 +04:00
Refactored throttling 2012-09-05 00:58:35 +04:00			`def check_permission(self, request, obj=None):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
cleaned a bit Response/ResponseMixin code, added some documentation + renamed ErrorResponse to ImmediateResponse 2012-02-07 15:15:30 +04:00			Should simply return, or raise an :exc:`response.ImmediateResponse`.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Refactored throttling 2012-09-05 00:58:35 +04:00			`raise NotImplementedError(".check_permission() must be overridden.")`
Getting the API into shape 2011-05-10 13:49:28 +04:00
Decouple views and resources 2011-05-04 12:21:17 +04:00
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`class IsAuthenticated(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Allows access only to authenticated users.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
Refactored throttling 2012-09-05 00:58:35 +04:00			`def check_permission(self, request, obj=None):`
			`if request.user.is_authenticated():`
			`return True`
			`return False`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
data flattening needs to go into resource 2011-05-19 11:36:55 +04:00
Most of the actual work so far has been markup really. 2011-05-19 00:13:48 +04:00			`class IsAdminUser(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Allows access only to admin users.`
			`"""`

Refactored throttling 2012-09-05 00:58:35 +04:00			`def check_permission(self, request, obj=None):`
			`if request.user.is_staff:`
			`return True`
			`return False`
Getting the API into shape 2011-05-10 13:49:28 +04:00

Refactored throttling 2012-09-05 00:58:35 +04:00			`class IsAuthenticatedOrReadOnly(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`The request is authenticated as a user, or is a read-only request.`
			`"""`

Refactored throttling 2012-09-05 00:58:35 +04:00			`def check_permission(self, request, obj=None):`
			`if (request.user.is_authenticated() or`
			`request.method in SAFE_METHODS):`
			`return True`
			`return False`
Getting the API into shape 2011-05-10 13:49:28 +04:00
Bits of cleaning up for the throttling 2011-06-14 14:08:29 +04:00
Minor name change 2012-02-11 21:48:35 +04:00			`class DjangoModelPermissions(BasePermission):`
DjangoModelPermisson 2012-02-11 04:49:28 +04:00			`"""`
Improve docstring on DjangoModelPermissions, and also ensure the user is authenticated. 2012-02-11 22:29:24 +04:00			The request is authenticated using `django.contrib.auth` permissions.
			`See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions`
DjangoModelPermisson 2012-02-11 04:49:28 +04:00
Improve docstring on DjangoModelPermissions, and also ensure the user is authenticated. 2012-02-11 22:29:24 +04:00			`It ensures that the user is authenticated, and has the appropriate`
			`add`/`change`/`delete` permissions on the model.

			This permission should only be used on views with a `ModelResource`.
Fix up DjangoModelPermissions. 2012-02-11 17:00:38 +04:00			`"""`
check authentication after checking ModelResource 2012-02-11 04:54:28 +04:00
Fix up DjangoModelPermissions. 2012-02-11 17:00:38 +04:00			`# Map methods into required permission codes.`
			`# Override this if you need to also provide 'read' permissions,`
Fix typo. 2012-02-12 01:15:06 +04:00			`# or if you want to provide custom permission codes.`
Fix up DjangoModelPermissions. 2012-02-11 17:00:38 +04:00			`perms_map = {`
			`'GET': [],`
			`'OPTIONS': [],`
			`'HEAD': [],`
			`'POST': ['%(app_label)s.add_%(model_name)s'],`
			`'PUT': ['%(app_label)s.change_%(model_name)s'],`
			`'PATCH': ['%(app_label)s.change_%(model_name)s'],`
			`'DELETE': ['%(app_label)s.delete_%(model_name)s'],`
			`}`

			`def get_required_permissions(self, method, model_cls):`
			`"""`
			`Given a model and an HTTP method, return the list of permission`
			`codes that the user is required to have.`
			`"""`
			`kwargs = {`
			`'app_label': model_cls._meta.app_label,`
Improve docstring on DjangoModelPermissions, and also ensure the user is authenticated. 2012-02-11 22:29:24 +04:00			`'model_name': model_cls._meta.module_name`
DjangoModelPermisson 2012-02-11 04:49:28 +04:00			`}`
Removing 403 immediate response 2012-08-25 16:43:28 +04:00			`return [perm % kwargs for perm in self.perms_map[method]]`
DjangoModelPermisson 2012-02-11 04:49:28 +04:00
Refactored throttling 2012-09-05 00:58:35 +04:00			`def check_permission(self, request, obj=None):`
			`model_cls = self.view.model`
			`perms = self.get_required_permissions(request.method, model_cls)`
* implemented Tom's nice config string for the trotlle rate e.g. '3/sec' * We now have per-user, per-view and per-resource throttling * Added a new exxception class as a convenience to detect pointless throttles * refactored 2011-06-11 22:34:54 +04:00
Refactored throttling 2012-09-05 00:58:35 +04:00			`if request.user.is_authenticated() and request.user.has_perms(perms, obj):`
			`return True`
			`return False`