mirror of
https://github.com/etesync/server
synced 2024-12-29 10:48:07 +00:00
267d749c45
Each collection now has an item and the item's UID is the collections UID. This lets us manipulate collections just like items, and as part of transactions. This is significant because it lets us change them as part of transactions!
85 lines
3.2 KiB
Python
85 lines
3.2 KiB
Python
# Copyright © 2017 Tom Hacohen
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, version 3.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from rest_framework import permissions
|
|
from django_etebase.models import Collection, AccessLevels
|
|
|
|
|
|
def is_collection_admin(collection, user):
|
|
member = collection.members.filter(user=user).first()
|
|
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
|
|
|
|
|
|
class IsCollectionAdmin(permissions.BasePermission):
|
|
"""
|
|
Custom permission to only allow owners of a collection to view it
|
|
"""
|
|
message = 'Only collection admins can perform this operation.'
|
|
code = 'admin_access_required'
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs['collection_uid']
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
return is_collection_admin(collection, request.user)
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|
|
|
|
|
|
class IsCollectionAdminOrReadOnly(permissions.BasePermission):
|
|
"""
|
|
Custom permission to only allow owners of a collection to edit it
|
|
"""
|
|
message = 'Only collection admins can edit collections.'
|
|
code = 'admin_access_required'
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs.get('collection_uid', None)
|
|
|
|
# Allow creating new collections
|
|
if collection_uid is None:
|
|
return True
|
|
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
if request.method in permissions.SAFE_METHODS:
|
|
return True
|
|
|
|
return is_collection_admin(collection, request.user)
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|
|
|
|
|
|
class HasWriteAccessOrReadOnly(permissions.BasePermission):
|
|
"""
|
|
Custom permission to restrict write
|
|
"""
|
|
message = 'You need write access to write to this collection'
|
|
code = 'no_write_access'
|
|
|
|
def has_permission(self, request, view):
|
|
collection_uid = view.kwargs['collection_uid']
|
|
try:
|
|
collection = view.get_collection_queryset().get(main_item__uid=collection_uid)
|
|
if request.method in permissions.SAFE_METHODS:
|
|
return True
|
|
else:
|
|
member = collection.members.get(user=request.user)
|
|
return member.accessLevel != AccessLevels.READ_ONLY
|
|
except Collection.DoesNotExist:
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
return True
|