Collection/item viewsets: enforce access.
This commit is contained in:
parent
6e7fd5d0dd
commit
e159bf971b
@ -36,3 +36,49 @@ class IsCollectionAdmin(permissions.BasePermission):
|
||||
except Collection.DoesNotExist:
|
||||
# If the collection does not exist, we want to 404 later, not permission denied.
|
||||
return True
|
||||
|
||||
|
||||
class IsCollectionAdminOrReadOnly(permissions.BasePermission):
|
||||
"""
|
||||
Custom permission to only allow owners of a collection to edit it
|
||||
"""
|
||||
message = 'Only collection admins can edit collections.'
|
||||
code = 'admin_access_required'
|
||||
|
||||
def has_permission(self, request, view):
|
||||
collection_uid = view.kwargs.get('collection_uid', None)
|
||||
|
||||
# Allow creating new collections
|
||||
if collection_uid is None:
|
||||
return True
|
||||
|
||||
try:
|
||||
collection = view.get_collection_queryset().get(uid=collection_uid)
|
||||
if request.method in permissions.SAFE_METHODS:
|
||||
return True
|
||||
|
||||
return is_collection_admin(collection, request.user)
|
||||
except Collection.DoesNotExist:
|
||||
# If the collection does not exist, we want to 404 later, not permission denied.
|
||||
return True
|
||||
|
||||
|
||||
class HasWriteAccessOrReadOnly(permissions.BasePermission):
|
||||
"""
|
||||
Custom permission to restrict write
|
||||
"""
|
||||
message = 'You need write access to write to this collection'
|
||||
code = 'no_write_access'
|
||||
|
||||
def has_permission(self, request, view):
|
||||
collection_uid = view.kwargs['collection_uid']
|
||||
try:
|
||||
collection = view.get_collection_queryset().get(uid=collection_uid)
|
||||
if request.method in permissions.SAFE_METHODS:
|
||||
return True
|
||||
else:
|
||||
member = collection.members.get(user=request.user)
|
||||
return member.accessLevel != AccessLevels.READ_ONLY
|
||||
except Collection.DoesNotExist:
|
||||
# If the collection does not exist, we want to 404 later, not permission denied.
|
||||
return True
|
||||
|
@ -127,7 +127,7 @@ class BaseViewSet(viewsets.ModelViewSet):
|
||||
|
||||
class CollectionViewSet(BaseViewSet):
|
||||
allowed_methods = ['GET', 'POST', 'DELETE']
|
||||
permission_classes = BaseViewSet.permission_classes
|
||||
permission_classes = BaseViewSet.permission_classes + (permissions.IsCollectionAdminOrReadOnly, )
|
||||
queryset = Collection.objects.all()
|
||||
serializer_class = CollectionSerializer
|
||||
lookup_field = 'uid'
|
||||
@ -196,7 +196,7 @@ class CollectionViewSet(BaseViewSet):
|
||||
|
||||
class CollectionItemViewSet(BaseViewSet):
|
||||
allowed_methods = ['GET', 'POST', 'PUT']
|
||||
permission_classes = BaseViewSet.permission_classes
|
||||
permission_classes = BaseViewSet.permission_classes + (permissions.HasWriteAccessOrReadOnly, )
|
||||
queryset = CollectionItem.objects.all()
|
||||
serializer_class = CollectionItemSerializer
|
||||
lookup_field = 'uid'
|
||||
|
Loading…
Reference in New Issue
Block a user