from rest_framework.permissions import BasePermission
from core.common.constants import ACCESS_TYPE_EDIT, ACCESS_TYPE_VIEW
class IsSuperuser(BasePermission):
    """Object-level permission that is granted only to superusers.

    The decision rests solely on the ``is_superuser`` attribute of
    ``request.user``.

    NOTE(review): only ``has_object_permission`` is overridden here, so this
    class gates a view only where object-level checks are actually run
    (DRF calls it from ``check_object_permissions``). Confirm that views
    relying on it do not expose list/create paths that skip that call.
    """

    def has_object_permission(self, request, view, obj):
        """Return the ``is_superuser`` attribute of the requesting user."""
        requester = request.user
        return requester.is_superuser
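class HasPrivateAccess(BasePermission):
    """Grant access to staff, to the object's owner, or to members of the owning organization.

    Access is allowed when the requesting user is staff, or is authenticated and
    one of the following holds:

    * the user is the object's ``parent``;
    * the object is itself an organization the user belongs to;
    * the object's ``parent`` is an organization the user belongs to.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when the requesting user may access ``obj`` privately.

        Organization membership is only consulted when the object (or its
        parent) really is an ``Organization``. Comparing a bare ``id`` or
        ``parent_id`` against organization ids without that type check would
        let an unrelated object whose primary key happens to equal the id of
        one of the user's organizations pass the check.
        """
        user = request.user
        if user.is_staff:
            return True
        if not user.is_authenticated:
            return False

        # Imported locally, as elsewhere in this module, to avoid import cycles.
        from core.orgs.models import Organization

        parent = getattr(obj, 'parent', None)

        # Direct ownership: the requesting user is the object's parent.
        if parent is not None and user == parent:
            return True

        # The object is an organization: require membership of that organization.
        if isinstance(obj, Organization) and user.organizations.filter(id=obj.id).exists():
            return True

        # The object is owned by an organization: require membership of the owner.
        if isinstance(parent, Organization) and user.organizations.filter(id=parent.id).exists():
            return True

        return False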
class HasOwnership(BasePermission):
    """Ownership check for user profiles and organizations.

    Staff and superusers always pass. An authenticated user passes for a
    ``UserProfile`` only when it is their own profile, and for an
    ``Organization`` only when ``obj.is_member(user)`` says so.
    """

    def has_object_permission(self, request, view, obj):
        """Return whether the requesting user owns (or may act on) ``obj``."""
        requester = request.user
        if requester.is_staff or requester.is_superuser:
            return True
        if not requester.is_authenticated:
            return False

        # Imported lazily, only on the authenticated path.
        from core.users.models import UserProfile
        from core.orgs.models import Organization

        if isinstance(obj, UserProfile):
            return obj == requester
        if isinstance(obj, Organization):
            return obj.is_member(requester)

        # NOTE(review): this default is fail-open. Any authenticated user is
        # allowed for every object that is neither a UserProfile nor an
        # Organization. Confirm that each view using this permission only
        # passes those two types, or that the allow-by-default is intended.
        return True
class CanViewConceptDictionary(HasPrivateAccess):
    """View permission for a source.

    Objects whose ``public_access`` is view or edit are readable by anyone,
    including unauthenticated requests, because that check runs before any
    user check. Everything else falls back to ``HasPrivateAccess``.
    """

    def has_object_permission(self, request, view, obj):
        """Allow publicly accessible objects; otherwise defer to the parent class."""
        is_public = obj.public_access in (ACCESS_TYPE_EDIT, ACCESS_TYPE_VIEW)
        return is_public or super().has_object_permission(request, view, obj)
class CanEditConceptDictionary(HasPrivateAccess):
    """Edit permission for a source.

    Any authenticated user may edit an object whose ``public_access`` is
    ``ACCESS_TYPE_EDIT``. All other cases fall back to ``HasPrivateAccess``.
    """

    def has_object_permission(self, request, view, obj):
        """Allow authenticated users on publicly editable objects; otherwise defer."""
        requester = request.user
        if not (requester.is_authenticated and ACCESS_TYPE_EDIT == obj.public_access):
            # Not publicly editable for this user: apply the private-access rules.
            return super().has_object_permission(request, view, obj)
        return True
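class HasAccessToVersionedObject(BasePermission):
    """Private-access check for a version, evaluated against the object it versions.

    Access is allowed when the requesting user is staff, or owns the versioned
    object (``obj.head``), or belongs to the organization that owns it.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when the requesting user may access the object versioned by ``obj``.

        The owner type decides which comparison applies. A user-owned object
        is matched against the requesting user's id only, and never against
        organization ids. Otherwise a user who belongs to an organization
        whose id happens to equal the owning user's id would be let through.
        """
        user = request.user
        if user.is_staff:
            return True

        versioned_object = obj.head

        # Imported locally to avoid an import cycle with the users app.
        from core.users.models import UserProfile

        if isinstance(versioned_object.parent, UserProfile):
            # User-owned: only the owner passes; no organization fallback.
            return user.id == versioned_object.parent_id

        if user.is_authenticated:
            # NOTE(review): assumes a non-user parent is an organization; confirm against the model.
            return user.organizations.filter(id=versioned_object.parent_id).exists()
        return False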
class CanViewConceptDictionaryVersion(HasAccessToVersionedObject):
    """View permission for a source version.

    Versions whose ``public_access`` is view or edit are readable by anyone,
    including unauthenticated requests. Everything else falls back to
    ``HasAccessToVersionedObject``.
    """

    def has_object_permission(self, request, view, obj):
        """Allow publicly accessible versions; otherwise defer to the parent class."""
        is_public = obj.public_access in (ACCESS_TYPE_EDIT, ACCESS_TYPE_VIEW)
        return is_public or super().has_object_permission(request, view, obj)
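class CanEditConceptDictionaryVersion(HasAccessToVersionedObject):
    """Edit permission for a source version.

    Any authenticated user may edit a version whose ``public_access`` is
    ``ACCESS_TYPE_EDIT``. All other cases fall back to
    ``HasAccessToVersionedObject``.
    """

    def has_object_permission(self, request, view, obj):
        """Allow authenticated users on publicly editable versions; otherwise defer."""
        # ``is_authenticated`` is read as an attribute, as everywhere else in
        # this module. Calling it fails on Django versions where it is a
        # plain boolean property, turning the permission check into an error.
        if request.user.is_authenticated and ACCESS_TYPE_EDIT == obj.public_access:
            return True
        return super().has_object_permission(request, view, obj)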