arno
/
etesync-server
mirror of https://github.com/etesync/server
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f1bfb0a9a0'
${ noResults }
etesync-server/django_etesync/permissions.py

66 lines
2.3 KiB
Raw Blame History

# Copyright © 2017 Tom Hacohen
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, version 3.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from rest_framework import permissions
from journal.models import Journal, JournalMember
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to edit it.
"""
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
return obj.owner == request.user
class IsJournalOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of a journal to view it
"""
def has_permission(self, request, view):
journal_uid = view.kwargs['journal_uid']
try:
journal = view.get_journal_queryset().get(uid=journal_uid)
return journal.owner == request.user
except Journal.DoesNotExist:
# If the journal does not exist, we want to 404 later, not permission denied.
return True
class IsMemberReadOnly(permissions.BasePermission):
"""
Custom permission to make a journal read only if a read only member
"""
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS:
return True
journal_uid = view.kwargs['journal_uid']
try:
journal = view.get_journal_queryset().get(uid=journal_uid)
member = journal.members.get(user=request.user)
return not member.readOnly
except Journal.DoesNotExist:
# If the journal does not exist, we want to 404 later, not permission denied.
return True
except JournalMember.DoesNotExist:
# Not being a member means we are the owner.
return True
Reference in new issue View Git Blame Copy Permalink