Move core auth mixins to their own file

2025-07-12 21:09:24 +00:00 · 2025-01-10 21:37:12 +01:00
parent cba915c34d
commit 0c01ad1770
34 changed files with 274 additions and 235 deletions
--- a/core/auth/api_permissions.py
+++ b/core/auth/api_permissions.py
@ -0,0 +1,138 @@
+"""Permission classes to be used within ninja-extra controllers.
+
+Some permissions are global (like `IsInGroup` or `IsRoot`),
+and some others are per-object (like `CanView` or `CanEdit`).
+
+Examples:
+    # restrict all the routes of this controller
+    # to subscribed users
+    @api_controller("/foo", permissions=[IsSubscriber])
+    class FooController(ControllerBase):
+        @route.get("/bar")
+        def bar_get(self):
+            # This route inherits the permissions of the controller
+            # ...
+
+        @route.bar("/bar/{bar_id}", permissions=[CanView])
+        def bar_get_one(self, bar_id: int):
+            # per-object permission resolution happens
+            # when calling either the `get_object_or_exception`
+            # or `get_object_or_none` method.
+            bar = self.get_object_or_exception(Counter, pk=bar_id)
+
+            # you can also call the `check_object_permission` manually
+            other_bar = Counter.objects.first()
+            self.check_object_permissions(other_bar)
+
+            # ...
+
+        # This route is restricted to counter admins and root users
+        @route.delete(
+            "/bar/{bar_id}",
+            permissions=[IsRoot | IsInGroup(settings.SITH_GROUP_COUNTER_ADMIN_ID)
+        ]
+        def bar_delete(self, bar_id: int):
+            # ...
+"""
+
+from typing import Any
+
+from django.http import HttpRequest
+from ninja_extra import ControllerBase
+from ninja_extra.permissions import BasePermission
+
+from counter.models import Counter
+
+
+class IsInGroup(BasePermission):
+    """Check that the user is in the group whose primary key is given."""
+
+    def __init__(self, group_pk: int):
+        self._group_pk = group_pk
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return request.user.is_in_group(pk=self._group_pk)
+
+
+class IsRoot(BasePermission):
+    """Check that the user is root."""
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return request.user.is_root
+
+
+class IsSubscriber(BasePermission):
+    """Check that the user is currently subscribed."""
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return request.user.is_subscribed
+
+
+class IsOldSubscriber(BasePermission):
+    """Check that the user has at least one subscription in its history."""
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return request.user.was_subscribed
+
+
+class CanView(BasePermission):
+    """Check that this user has the permission to view the object of this route.
+
+    Wrap the `user.can_view(obj)` method.
+    To see an example, look at the example in the module docstring.
+    """
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return True
+
+    def has_object_permission(
+        self, request: HttpRequest, controller: ControllerBase, obj: Any
+    ) -> bool:
+        return request.user.can_view(obj)
+
+
+class CanEdit(BasePermission):
+    """Check that this user has the permission to edit the object of this route.
+
+    Wrap the `user.can_edit(obj)` method.
+    To see an example, look at the example in the module docstring.
+    """
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return True
+
+    def has_object_permission(
+        self, request: HttpRequest, controller: ControllerBase, obj: Any
+    ) -> bool:
+        return request.user.can_edit(obj)
+
+
+class IsOwner(BasePermission):
+    """Check that this user owns the object of this route.
+
+    Wrap the `user.is_owner(obj)` method.
+    To see an example, look at the example in the module docstring.
+    """
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        return True
+
+    def has_object_permission(
+        self, request: HttpRequest, controller: ControllerBase, obj: Any
+    ) -> bool:
+        return request.user.is_owner(obj)
+
+
+class IsLoggedInCounter(BasePermission):
+    """Check that a user is logged in a counter."""
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        if "/counter/" not in request.META.get("HTTP_REFERER", ""):
+            return False
+        token = request.session.get("counter_token")
+        if not token:
+            return False
+        return Counter.objects.filter(token=token).exists()
+
+
+CanAccessLookup = IsOldSubscriber | IsRoot | IsLoggedInCounter