django-rest-framework/rest_framework/permissions.py

"""
Provides a set of pluggable permission policies.
"""
from __future__ import unicode_literals

SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']


class BasePermission(object):
    """
    A base class from which all permission classes should inherit.
    """

    def has_permission(self, request, view, obj=None):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        raise NotImplementedError(".has_permission() must be overridden.")


class AllowAny(BasePermission):
    """
    Allow any access.
    This isn't strictly required, since you could use an empty
    permission_classes list, but it's useful because it makes the intention
    more explicit.
    """
    def has_permission(self, request, view, obj=None):
        return True


class IsAuthenticated(BasePermission):
    """
    Allows access only to authenticated users.
    """

    def has_permission(self, request, view, obj=None):
        if request.user and request.user.is_authenticated():
            return True
        return False


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """

    def has_permission(self, request, view, obj=None):
        if request.user and request.user.is_staff:
            return True
        return False


class IsAuthenticatedOrReadOnly(BasePermission):
    """
    The request is authenticated as a user, or is a read-only request.
    """

    def has_permission(self, request, view, obj=None):
        if (request.method in SAFE_METHODS or
            request.user and
            request.user.is_authenticated()):
            return True
        return False


class DjangoModelPermissions(BasePermission):
    """
    The request is authenticated using `django.contrib.auth` permissions.
    See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions

    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the model.

    This permission will only be applied against view classes that
    provide a `.model` attribute, such as the generic class-based views.
    """

    # Map methods into required permission codes.
    # Override this if you need to also provide 'view' permissions,
    # or if you want to provide custom permission codes.
    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def get_required_permissions(self, method, model_cls):
        """
        Given a model and an HTTP method, return the list of permission
        codes that the user is required to have.
        """
        kwargs = {
            'app_label': model_cls._meta.app_label,
            'model_name': model_cls._meta.module_name
        }
        return [perm % kwargs for perm in self.perms_map[method]]

    def has_permission(self, request, view, obj=None):
        model_cls = getattr(view, 'model', None)
        if not model_cls:
            return True

        perms = self.get_required_permissions(request.method, model_cls)

        if (request.user and
            request.user.is_authenticated() and
            request.user.has_perms(perms, obj)):
            return True
        return False
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`Provides a set of pluggable permission policies.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Cleanup imports Mostly adding `from __future__ import unicode_literals` everywhere. 2013-02-05 00:55:35 +04:00			`from __future__ import unicode_literals`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
			`SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']`


			`class BasePermission(object):`
			`"""`
			`A base class from which all permission classes should inherit.`
			`"""`

Permissions and throttles no longer have a view attribute on self. Explicitly passed to .has_permissions(request, view, obj=None) / .allow_request(request, view) 2012-10-10 13:02:37 +04:00			`def has_permission(self, request, view, obj=None):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			Return `True` if permission is granted, `False` otherwise.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
			`raise NotImplementedError(".has_permission() must be overridden.")`


Add AllowAny class 2012-10-27 23:17:49 +04:00			`class AllowAny(BasePermission):`
			`"""`
			`Allow any access.`
			`This isn't strictly required, since you could use an empty`
			`permission_classes list, but it's useful because it makes the intention`
			`more explicit.`
			`"""`
			`def has_permission(self, request, view, obj=None):`
			`return True`


Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`class IsAuthenticated(BasePermission):`
			`"""`
			`Allows access only to authenticated users.`
			`"""`

Permissions and throttles no longer have a view attribute on self. Explicitly passed to .has_permissions(request, view, obj=None) / .allow_request(request, view) 2012-10-10 13:02:37 +04:00			`def has_permission(self, request, view, obj=None):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`if request.user and request.user.is_authenticated():`
			`return True`
			`return False`


			`class IsAdminUser(BasePermission):`
			`"""`
			`Allows access only to admin users.`
			`"""`

Permissions and throttles no longer have a view attribute on self. Explicitly passed to .has_permissions(request, view, obj=None) / .allow_request(request, view) 2012-10-10 13:02:37 +04:00			`def has_permission(self, request, view, obj=None):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`if request.user and request.user.is_staff:`
			`return True`
			`return False`


			`class IsAuthenticatedOrReadOnly(BasePermission):`
			`"""`
			`The request is authenticated as a user, or is a read-only request.`
			`"""`

Permissions and throttles no longer have a view attribute on self. Explicitly passed to .has_permissions(request, view, obj=None) / .allow_request(request, view) 2012-10-10 13:02:37 +04:00			`def has_permission(self, request, view, obj=None):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`if (request.method in SAFE_METHODS or`
			`request.user and`
			`request.user.is_authenticated()):`
			`return True`
			`return False`


			`class DjangoModelPermissions(BasePermission):`
			`"""`
			The request is authenticated using `django.contrib.auth` permissions.
			`See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions`

			`It ensures that the user is authenticated, and has the appropriate`
			`add`/`change`/`delete` permissions on the model.

Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`This permission will only be applied against view classes that`
			provide a `.model` attribute, such as the generic class-based views.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`

			`# Map methods into required permission codes.`
			`# Override this if you need to also provide 'view' permissions,`
			`# or if you want to provide custom permission codes.`
			`perms_map = {`
			`'GET': [],`
			`'OPTIONS': [],`
			`'HEAD': [],`
			`'POST': ['%(app_label)s.add_%(model_name)s'],`
			`'PUT': ['%(app_label)s.change_%(model_name)s'],`
			`'PATCH': ['%(app_label)s.change_%(model_name)s'],`
			`'DELETE': ['%(app_label)s.delete_%(model_name)s'],`
			`}`

			`def get_required_permissions(self, method, model_cls):`
			`"""`
			`Given a model and an HTTP method, return the list of permission`
			`codes that the user is required to have.`
			`"""`
			`kwargs = {`
			`'app_label': model_cls._meta.app_label,`
pep8 2012-10-27 13:32:49 +04:00			`'model_name': model_cls._meta.module_name`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`}`
			`return [perm % kwargs for perm in self.perms_map[method]]`

Permissions and throttles no longer have a view attribute on self. Explicitly passed to .has_permissions(request, view, obj=None) / .allow_request(request, view) 2012-10-10 13:02:37 +04:00			`def has_permission(self, request, view, obj=None):`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`model_cls = getattr(view, 'model', None)`
			`if not model_cls:`
			`return True`

Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`perms = self.get_required_permissions(request.method, model_cls)`

			`if (request.user and`
			`request.user.is_authenticated() and`
Version 2.1.6. AKA: I am a doofus. 2012-11-23 17:21:18 +04:00			`request.user.has_perms(perms, obj)):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`return True`
			`return False`