django-rest-framework/rest_framework/permissions.py

"""
Provides a set of pluggable permission policies.
"""
from __future__ import unicode_literals
from django.http import Http404
from rest_framework.compat import get_model_name

SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')


class BasePermission(object):
    """
    A base class from which all permission classes should inherit.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

    def has_object_permission(self, request, view, obj):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True


class AllowAny(BasePermission):
    """
    Allow any access.
    This isn't strictly required, since you could use an empty
    permission_classes list, but it's useful because it makes the intention
    more explicit.
    """
    def has_permission(self, request, view):
        return True


class IsAuthenticated(BasePermission):
    """
    Allows access only to authenticated users.
    """

    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated()


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """

    def has_permission(self, request, view):
        return request.user and request.user.is_staff


class IsAuthenticatedOrReadOnly(BasePermission):
    """
    The request is authenticated as a user, or is a read-only request.
    """

    def has_permission(self, request, view):
        return (
            request.method in SAFE_METHODS or
            request.user and
            request.user.is_authenticated()
        )


class DjangoModelPermissions(BasePermission):
    """
    The request is authenticated using `django.contrib.auth` permissions.
    See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions

    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the model.

    This permission can only be applied against view classes that
    provide a `.model` or `.queryset` attribute.
    """

    # Map methods into required permission codes.
    # Override this if you need to also provide 'view' permissions,
    # or if you want to provide custom permission codes.
    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    authenticated_users_only = True

    def get_required_permissions(self, method, model_cls):
        """
        Given a model and an HTTP method, return the list of permission
        codes that the user is required to have.
        """
        kwargs = {
            'app_label': model_cls._meta.app_label,
            'model_name': get_model_name(model_cls)
        }
        return [perm % kwargs for perm in self.perms_map[method]]

    def has_permission(self, request, view):
        # Note that `.model` attribute on views is deprecated, although we
        # enforce the deprecation on the view `get_serializer_class()` and
        # `get_queryset()` methods, rather than here.
        model_cls = getattr(view, 'model', None)
        queryset = getattr(view, 'queryset', None)

        if model_cls is None and queryset is not None:
            model_cls = queryset.model

        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
        if model_cls is None and getattr(view, '_ignore_model_permissions', False):
            return True

        assert model_cls, ('Cannot apply DjangoModelPermissions on a view that'
                           ' does not have `.model` or `.queryset` property.')

        perms = self.get_required_permissions(request.method, model_cls)

        return (
            request.user and
            (request.user.is_authenticated() or not self.authenticated_users_only) and
            request.user.has_perms(perms)
        )


class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
    """
    Similar to DjangoModelPermissions, except that anonymous users are
    allowed read-only access.
    """
    authenticated_users_only = False


class DjangoObjectPermissions(DjangoModelPermissions):
    """
    The request is authenticated using Django's object-level permissions.
    It requires an object-permissions-enabled backend, such as Django Guardian.

    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the object using .has_perms.

    This permission can only be applied against view classes that
    provide a `.model` or `.queryset` attribute.
    """

    perms_map = {
        'GET': [],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def get_required_object_permissions(self, method, model_cls):
        kwargs = {
            'app_label': model_cls._meta.app_label,
            'model_name': get_model_name(model_cls)
        }
        return [perm % kwargs for perm in self.perms_map[method]]

    def has_object_permission(self, request, view, obj):
        model_cls = getattr(view, 'model', None)
        queryset = getattr(view, 'queryset', None)

        if model_cls is None and queryset is not None:
            model_cls = queryset.model

        perms = self.get_required_object_permissions(request.method, model_cls)
        user = request.user

        if not user.has_perms(perms, obj):
            # If the user does not have permissions we need to determine if
            # they have read permissions to see 403, or not, and simply see
            # a 404 response.

            if request.method in SAFE_METHODS:
                # Read permissions already checked and failed, no need
                # to make another lookup.
                raise Http404

            read_perms = self.get_required_object_permissions('GET', model_cls)
            if not user.has_perms(read_perms, obj):
                raise Http404

            # Has read permissions.
            return False

        return True
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`Provides a set of pluggable permission policies.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Cleanup imports Mostly adding `from __future__ import unicode_literals` everywhere. 2013-02-05 00:55:35 +04:00			`from __future__ import unicode_literals`
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00			`from django.http import Http404`
Moved OAuth support out of DRF and into a separate package, per #1767 2014-09-06 02:30:01 +04:00			`from rest_framework.compat import get_model_name`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
use SAFE_METHODS and make tuple 2015-03-17 08:13:07 +03:00			`SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class BasePermission(object):`
			`"""`
			`A base class from which all permission classes should inherit.`
			`"""`

New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			Return `True` if permission is granted, `False` otherwise.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
New style object-level permission checks 2013-02-11 16:47:56 +04:00			`return True`

			`def has_object_permission(self, request, view, obj):`
			`"""`
			Return `True` if permission is granted, `False` otherwise.
			`"""`
			`return True`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

Add AllowAny class 2012-10-27 23:17:49 +04:00			`class AllowAny(BasePermission):`
			`"""`
			`Allow any access.`
			`This isn't strictly required, since you could use an empty`
			`permission_classes list, but it's useful because it makes the intention`
			`more explicit.`
			`"""`
New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Add AllowAny class 2012-10-27 23:17:49 +04:00			`return True`


Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`class IsAuthenticated(BasePermission):`
			`"""`
			`Allows access only to authenticated users.`
			`"""`

New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Simplified some functions 2013-12-22 15:39:47 +04:00			`return request.user and request.user.is_authenticated()`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class IsAdminUser(BasePermission):`
			`"""`
			`Allows access only to admin users.`
			`"""`

New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Simplified some functions 2013-12-22 15:39:47 +04:00			`return request.user and request.user.is_staff`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class IsAuthenticatedOrReadOnly(BasePermission):`
			`"""`
			`The request is authenticated as a user, or is a read-only request.`
			`"""`

New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Code linting and added runtests.py 2014-08-19 16:28:07 +04:00			`return (`
			`request.method in SAFE_METHODS or`
			`request.user and`
			`request.user.is_authenticated()`
			`)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class DjangoModelPermissions(BasePermission):`
			`"""`
			The request is authenticated using `django.contrib.auth` permissions.
			`See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions`

			`It ensures that the user is authenticated, and has the appropriate`
			`add`/`change`/`delete` permissions on the model.

Add DjangoModelPermissionsOrAnonReadOnly 2013-04-30 17:34:28 +04:00			`This permission can only be applied against view classes that`
			provide a `.model` or `.queryset` attribute.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`

			`# Map methods into required permission codes.`
			`# Override this if you need to also provide 'view' permissions,`
			`# or if you want to provide custom permission codes.`
			`perms_map = {`
			`'GET': [],`
			`'OPTIONS': [],`
			`'HEAD': [],`
			`'POST': ['%(app_label)s.add_%(model_name)s'],`
			`'PUT': ['%(app_label)s.change_%(model_name)s'],`
			`'PATCH': ['%(app_label)s.change_%(model_name)s'],`
			`'DELETE': ['%(app_label)s.delete_%(model_name)s'],`
			`}`

Neater override hooks and more docs for DjangoModelPermissions. Refs #702. 2013-03-09 03:42:20 +04:00			`authenticated_users_only = True`

Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`def get_required_permissions(self, method, model_cls):`
			`"""`
			`Given a model and an HTTP method, return the list of permission`
			`codes that the user is required to have.`
			`"""`
			`kwargs = {`
			`'app_label': model_cls._meta.app_label,`
Address pending deprecation of Model._meta.module_name in Django 1.6 2013-09-23 19:48:25 +04:00			`'model_name': get_model_name(model_cls)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`}`
			`return [perm % kwargs for perm in self.perms_map[method]]`

New style object-level permission checks 2013-02-11 16:47:56 +04:00			`def has_permission(self, request, view):`
Deprecate .model in related routers/permissions 2014-08-20 20:15:46 +04:00			# Note that `.model` attribute on views is deprecated, although we
			# enforce the deprecation on the view `get_serializer_class()` and
			# `get_queryset()` methods, rather than here.
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`model_cls = getattr(view, 'model', None)`
Neater override hooks and more docs for DjangoModelPermissions. Refs #702. 2013-03-09 03:42:20 +04:00			`queryset = getattr(view, 'queryset', None)`

			`if model_cls is None and queryset is not None:`
			`model_cls = queryset.model`

Version 2.3.3 2013-05-16 18:08:12 +04:00			`# Workaround to ensure DjangoModelPermissions are not applied`
			`# to the root view when using DefaultRouter.`
Don't raise AttributeError on views with no model or queryset, when using DjangoModelPermissions 2013-06-18 14:10:56 +04:00			`if model_cls is None and getattr(view, '_ignore_model_permissions', False):`
Version 2.3.3 2013-05-16 18:08:12 +04:00			`return True`

Neater override hooks and more docs for DjangoModelPermissions. Refs #702. 2013-03-09 03:42:20 +04:00			`assert model_cls, ('Cannot apply DjangoModelPermissions on a view that'`
			' does not have `.model` or `.queryset` property.')
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`perms = self.get_required_permissions(request.method, model_cls)`

Code linting and added runtests.py 2014-08-19 16:28:07 +04:00			`return (`
			`request.user and`
Neater override hooks and more docs for DjangoModelPermissions. Refs #702. 2013-03-09 03:42:20 +04:00			`(request.user.is_authenticated() or not self.authenticated_users_only) and`
Code linting and added runtests.py 2014-08-19 16:28:07 +04:00			`request.user.has_perms(perms)`
			`)`
Add TokenHasReadWriteScope class for permissions based on scopes 2013-03-10 17:08:29 +04:00

Add DjangoModelPermissionsOrAnonReadOnly 2013-04-30 17:34:28 +04:00			`class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):`
			`"""`
			`Similar to DjangoModelPermissions, except that anonymous users are`
			`allowed read-only access.`
			`"""`
			`authenticated_users_only = False`


Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`class DjangoObjectPermissions(DjangoModelPermissions):`
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00			`"""`
Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`The request is authenticated using Django's object-level permissions.`
			`It requires an object-permissions-enabled backend, such as Django Guardian.`
better doc for object permissions, drop redundant has_permission call 2013-09-09 20:32:29 +04:00
			`It ensures that the user is authenticated, and has the appropriate`
			`add`/`change`/`delete` permissions on the object using .has_perms.

			`This permission can only be applied against view classes that`
			provide a `.model` or `.queryset` attribute.
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00			`"""`

Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`perms_map = {`
			`'GET': [],`
			`'OPTIONS': [],`
			`'HEAD': [],`
			`'POST': ['%(app_label)s.add_%(model_name)s'],`
			`'PUT': ['%(app_label)s.change_%(model_name)s'],`
			`'PATCH': ['%(app_label)s.change_%(model_name)s'],`
			`'DELETE': ['%(app_label)s.delete_%(model_name)s'],`
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00			`}`

removed unnecessary guardian req and view.action parsing 2013-09-09 19:39:09 +04:00			`def get_required_object_permissions(self, method, model_cls):`
			`kwargs = {`
Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`'app_label': model_cls._meta.app_label,`
Address pending deprecation of Model._meta.module_name in Django 1.6 2013-09-23 19:48:25 +04:00			`'model_name': get_model_name(model_cls)`
removed unnecessary guardian req and view.action parsing 2013-09-09 19:39:09 +04:00			`}`
Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`return [perm % kwargs for perm in self.perms_map[method]]`
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00
			`def has_object_permission(self, request, view, obj):`
removed unnecessary guardian req and view.action parsing 2013-09-09 19:39:09 +04:00			`model_cls = getattr(view, 'model', None)`
			`queryset = getattr(view, 'queryset', None)`

			`if model_cls is None and queryset is not None:`
			`model_cls = queryset.model`
first pass at object level permissions and tests 2013-09-08 08:18:52 +04:00
removed unnecessary guardian req and view.action parsing 2013-09-09 19:39:09 +04:00			`perms = self.get_required_object_permissions(request.method, model_cls)`
switch to a dedicated filter for read list object permissions 2013-09-08 08:48:03 +04:00			`user = request.user`

Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`if not user.has_perms(perms, obj):`
			`# If the user does not have permissions we need to determine if`
			`# they have read permissions to see 403, or not, and simply see`
Removed unused imports, pep8 fixes, typo fixes 2014-12-05 02:29:28 +03:00			`# a 404 response.`
Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00
use SAFE_METHODS and make tuple 2015-03-17 08:13:07 +03:00			`if request.method in SAFE_METHODS:`
Tweaks and docs to object-level model permissions. 2013-09-11 00:00:13 +04:00			`# Read permissions already checked and failed, no need`
			`# to make another lookup.`
			`raise Http404`

			`read_perms = self.get_required_object_permissions('GET', model_cls)`
			`if not user.has_perms(read_perms, obj):`
			`raise Http404`

			`# Has read permissions.`
			`return False`

			`return True`