From bc80eb266f071e0c090fcf882722d4dd056ccf61 Mon Sep 17 00:00:00 2001
From: Camille Harang
Date: Sat, 11 Feb 2012 01:49:28 +0100
Subject: [PATCH 1/3] DjangoModelPermisson

---
 djangorestframework/permissions.py | 40 ++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index dfe55ce94..100a976e1 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -89,6 +89,46 @@ class IsUserOrIsAnonReadOnly(BasePermission):
 raise _403_FORBIDDEN_RESPONSE
+class DjangoModelPermisson(BasePermission):
+ """
+ """
+
+ def check_permission(self, user):
+
+ # GET-style methods are always allowed.
+ if self.view.request.method in ('GET', 'OPTIONS', 'HEAD',):
+ return
+
+ # User must be logged in to check permissions.
+ if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
+ raise _403_FORBIDDEN_RESPONSE
+
+ klass = self.view.resource.model
+
+ # If it doesn't look like a model, we can't check permissions.
+ if not klass or not getattr(klass, '_meta', None):
+ return
+
+ permission_map = {
+ 'POST': ['%s.add_%s'],
+ 'PUT': ['%s.change_%s'],
+ 'DELETE': ['%s.delete_%s'],
+ 'PATCH': ['%s.add_%s', '%s.change_%s', '%s.delete_%s'],
+ }
+ permission_codes = []
+
+ # If we don't recognize the HTTP method, we don't know what
+ # permissions to check. Deny.
+ if self.view.request.method not in permission_map:
+ raise _403_FORBIDDEN_RESPONSE
+
+ for perm in permission_map[self.view.request.method]:
+ permission_codes.append(perm % (klass._meta.app_label, klass._meta.module_name))
+
+ if not self.view.request.user.has_perms(permission_codes):
+ raise _403_FORBIDDEN_RESPONSE
+
+
 class BaseThrottle(BasePermission):
 """
 Rate throttling of requests.

From b236241982b95a35cdb251e5020004050fb6567a Mon Sep 17 00:00:00 2001
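Review bot: The early `return` after `if not klass or not getattr(klass, '_meta', None):` fails open — a POST, PUT or DELETE against a resource whose `model` is missing or has no `_meta` passes this permission with no check at all, and `self.view.resource.model` would presumably raise AttributeError on a view that has no `resource` attribute. If letting non-model resources through is intended, the class docstring (currently empty) should say so; otherwise that branch should `raise _403_FORBIDDEN_RESPONSE`. The class name `DjangoModelPermisson` is misspelled and is what callers will import, so it is worth correcting to `DjangoModelPermission` before it ships. Safe methods (`GET`, `OPTIONS`, `HEAD`) bypass the check entirely, which also belongs in the docstring, since no view-level permission is consulted for them.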
From: Camille Harang
Date: Sat, 11 Feb 2012 01:54:28 +0100
Subject: [PATCH 2/3] check authentication after checking ModelResource

---
 djangorestframework/permissions.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index 100a976e1..92e90fc38 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -99,16 +99,16 @@ class DjangoModelPermisson(BasePermission):
 if self.view.request.method in ('GET', 'OPTIONS', 'HEAD',):
 return
- # User must be logged in to check permissions.
- if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
- raise _403_FORBIDDEN_RESPONSE
-
 klass = self.view.resource.model
 # If it doesn't look like a model, we can't check permissions.
 if not klass or not getattr(klass, '_meta', None):
 return
+ # User must be logged in to check permissions.
+ if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
+ raise _403_FORBIDDEN_RESPONSE
+
 permission_map = {
 'POST': ['%s.add_%s'],
 'PUT': ['%s.change_%s'],

From 963d2ecccbe30ca231621f85681049983248d08d Mon Sep 17 00:00:00 2001
From: Camille Harang
Date: Sat, 11 Feb 2012 02:02:42 +0100
Subject: [PATCH 3/3] DjangoModelPermisson's desc

---
 djangorestframework/permissions.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index 92e90fc38..cf556dd69 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -91,6 +91,8 @@ class IsUserOrIsAnonReadOnly(BasePermission):
 class DjangoModelPermisson(BasePermission):
 """
+ The request is authenticated against the Django user's permissions on the
+ `Resource`'s `Model`, if the resource is a `ModelResource`.
 """
 def check_permission(self, user):
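Review bot: The moved comment `# User must be logged in to check permissions.` no longer explains the new ordering: an unauthenticated write request now reaches `self.view.resource.model` first and, for a resource without a `_meta`-bearing model, returns without ever raising, so this class on its own no longer guarantees the caller is logged in. If that is the intent (non-model resources are simply not guarded here), say so at the moved check, e.g. `# Only model-backed resources are guarded; require a login only once there is a model to check perms on.`, and note in the class docstring that an authentication-only permission class must be stacked alongside it for the rest. If it is not the intent, the `hasattr(self.view.request, 'user')` guard should stay ahead of the `self.view.resource.model` dereference. check_permission starts and ends outside this hunk.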
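Review bot: The added docstring says the request is "authenticated against" the user's permissions, but what the class does is authorization (a `has_perms` check on codes built from the model's `_meta`), and it omits that `GET`, `OPTIONS` and `HEAD` are never checked and that resources not backed by a model are let through. A wording that matches the code: `Allows a write request (POST/PUT/DELETE/PATCH) only if the Django user holds the add/change/delete permission(s) mapped to that method on the resource's model; safe methods and resources without a model are not checked.` The `ModelResource` reference is also only inferred — the code tests for a `_meta` attribute on `self.view.resource.model`, not for the resource's class.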