django-rest-framework/djangorestframework/permissions.py

"""
The :mod:`permissions` module bundles a set of  permission classes that are used 
for checking if a request passes a certain set of constraints. You can assign a permision 
class to your view by setting your View's :attr:`permissions` class attribute.
"""

from django.core.cache import cache
from djangorestframework import status
from djangorestframework.response import ErrorResponse
import time

__all__ = (
    'BasePermission',
    'FullAnonAccess',
    'IsAuthenticated',
    'IsAdminUser',
    'IsUserOrIsAnonReadOnly',
    'PerUserThrottling'
)


_403_FORBIDDEN_RESPONSE = ErrorResponse(
    status.HTTP_403_FORBIDDEN,
    {'detail': 'You do not have permission to access this resource. ' +
               'You may need to login or otherwise authenticate the request.'})

_503_THROTTLED_RESPONSE = ErrorResponse(
    status.HTTP_503_SERVICE_UNAVAILABLE,
    {'detail': 'request was throttled'})


class BasePermission(object):
    """
    A base class from which all permission classes should inherit.
    """
    def __init__(self, view):
        """
        Permission classes are always passed the current view on creation.
        """
        self.view = view
    
    def check_permission(self, auth):
        """
        Should simply return, or raise an :exc:`response.ErrorResponse`.
        """
        pass


class FullAnonAccess(BasePermission):
    """
    Allows full access.
    """

    def check_permission(self, user):
        pass


class IsAuthenticated(BasePermission):
    """
    Allows access only to authenticated users.
    """

    def check_permission(self, user):
        if not user.is_authenticated():
            raise _403_FORBIDDEN_RESPONSE 


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """

    def check_permission(self, user):
        if not user.is_admin():
            raise _403_FORBIDDEN_RESPONSE


class IsUserOrIsAnonReadOnly(BasePermission):
    """
    The request is authenticated as a user, or is a read-only request.
    """

    def check_permission(self, user): 
        if (not user.is_authenticated() and
            self.view.method != 'GET' and
            self.view.method != 'HEAD'):
            raise _403_FORBIDDEN_RESPONSE


class PerUserThrottling(BasePermission):
    """
    Rate throttling of requests on a per-user basis.

    The rate (requests / seconds) is set by a :attr:`throttle` attribute on the ``View`` class.
    The attribute is a two tuple of the form (number of requests, duration in seconds).

    The user id will be used as a unique identifier if the user is authenticated.
    For anonymous requests, the IP address of the client will be used.

    Previous request information used for throttling is stored in the cache.
    """

    def check_permission(self, user):
        (num_requests, duration) = getattr(self.view, 'throttle', (0, 0))

        if user.is_authenticated():
            ident = str(auth)
        else:
            ident = self.view.request.META.get('REMOTE_ADDR', None)

        key = 'throttle_%s' % ident
        history = cache.get(key, [])
        now = time.time()
        
        # Drop any requests from the history which have now passed the throttle duration
        while history and history[0] < now - duration:
            history.pop()

        if len(history) >= num_requests:
            raise _503_THROTTLED_RESPONSE

        history.insert(0, now)
        cache.set(key, history, duration)
The core is now documented from the docstrings in the source. 2011-05-19 21:36:30 +04:00			`"""`
			The :mod:`permissions` module bundles a set of permission classes that are used
			`for checking if a request passes a certain set of constraints. You can assign a permision`
			class to your view by setting your View's :attr:`permissions` class attribute.
			`"""`

Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`from django.core.cache import cache`
			`from djangorestframework import status`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`from djangorestframework.response import ErrorResponse`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`import time`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`__all__ = (`
			`'BasePermission',`
			`'FullAnonAccess',`
			`'IsAuthenticated',`
			`'IsAdminUser',`
			`'IsUserOrIsAnonReadOnly',`
			`'PerUserThrottling'`
			`)`


			`_403_FORBIDDEN_RESPONSE = ErrorResponse(`
			`status.HTTP_403_FORBIDDEN,`
			`{'detail': 'You do not have permission to access this resource. ' +`
			`'You may need to login or otherwise authenticate the request.'})`

			`_503_THROTTLED_RESPONSE = ErrorResponse(`
			`status.HTTP_503_SERVICE_UNAVAILABLE,`
			`{'detail': 'request was throttled'})`


Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
			`class BasePermission(object):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`A base class from which all permission classes should inherit.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`def __init__(self, view):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Permission classes are always passed the current view on creation.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`self.view = view`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`def check_permission(self, auth):`
			`"""`
The core is now documented from the docstrings in the source. 2011-05-19 21:36:30 +04:00			Should simply return, or raise an :exc:`response.ErrorResponse`.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`pass`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
Decouple views and resources 2011-05-04 12:21:17 +04:00
			`class FullAnonAccess(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Allows full access.`
			`"""`

			`def check_permission(self, user):`
			`pass`

Decouple views and resources 2011-05-04 12:21:17 +04:00
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`class IsAuthenticated(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Allows access only to authenticated users.`
			`"""`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
Getting the API into shape 2011-05-10 13:49:28 +04:00			`def check_permission(self, user):`
			`if not user.is_authenticated():`
			`raise _403_FORBIDDEN_RESPONSE`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
data flattening needs to go into resource 2011-05-19 11:36:55 +04:00
Most of the actual work so far has been markup really. 2011-05-19 00:13:48 +04:00			`class IsAdminUser(BasePermission):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Allows access only to admin users.`
			`"""`

			`def check_permission(self, user):`
			`if not user.is_admin():`
			`raise _403_FORBIDDEN_RESPONSE`


			`class IsUserOrIsAnonReadOnly(BasePermission):`
			`"""`
			`The request is authenticated as a user, or is a read-only request.`
			`"""`

			`def check_permission(self, user):`
			`if (not user.is_authenticated() and`
			`self.view.method != 'GET' and`
			`self.view.method != 'HEAD'):`
			`raise _403_FORBIDDEN_RESPONSE`


			`class PerUserThrottling(BasePermission):`
			`"""`
			`Rate throttling of requests on a per-user basis.`

Most of the actual work so far has been markup really. 2011-05-19 00:13:48 +04:00			The rate (requests / seconds) is set by a :attr:`throttle` attribute on the ``View`` class.
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`The attribute is a two tuple of the form (number of requests, duration in seconds).`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`The user id will be used as a unique identifier if the user is authenticated.`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`For anonymous requests, the IP address of the client will be used.`

			`Previous request information used for throttling is stored in the cache.`
			`"""`
Getting the API into shape 2011-05-10 13:49:28 +04:00
			`def check_permission(self, user):`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`(num_requests, duration) = getattr(self.view, 'throttle', (0, 0))`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`if user.is_authenticated():`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00			`ident = str(auth)`
			`else:`
			`ident = self.view.request.META.get('REMOTE_ADDR', None)`

			`key = 'throttle_%s' % ident`
			`history = cache.get(key, [])`
			`now = time.time()`

			`# Drop any requests from the history which have now passed the throttle duration`
			`while history and history[0] < now - duration:`
			`history.pop()`

			`if len(history) >= num_requests:`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`raise _503_THROTTLED_RESPONSE`
Inital pass at generic permissions, throttling etc. 2011-04-27 21:08:32 +04:00
			`history.insert(0, now)`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`cache.set(key, history, duration)`