adapt CanAccessLookup to api key auth

2025-07-10 20:09:25 +00:00 · 2025-05-20 21:04:49 +02:00
parent b5d65133f3
commit 52e53da9ef
10 changed files with 75 additions and 9 deletions
--- a/core/api.py
+++ b/core/api.py
@ -5,11 +5,13 @@ from django.conf import settings
 from django.db.models import F
 from django.http import HttpResponse
 from ninja import File, Query
+from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import PermissionDenied
 from ninja_extra.pagination import PageNumberPaginationExtra
 from ninja_extra.schemas import PaginatedResponseSchema

+from apikey.auth import ApiKeyAuth
 from club.models import Mailing
 from core.auth.api_permissions import CanAccessLookup, CanView, HasPerm
 from core.models import Group, QuickUploadImage, SithFile, User
@ -90,6 +92,7 @@ class SithFileController(ControllerBase):
    @route.get(
        "/search",
        response=PaginatedResponseSchema[SithFileSchema],
+        auth=[SessionAuth(), ApiKeyAuth()],
        permissions=[CanAccessLookup],
    )
    @paginate(PageNumberPaginationExtra, page_size=50)
@ -102,6 +105,7 @@ class GroupController(ControllerBase):
    @route.get(
        "/search",
        response=PaginatedResponseSchema[GroupSchema],
+        auth=[SessionAuth(), ApiKeyAuth()],
        permissions=[CanAccessLookup],
    )
    @paginate(PageNumberPaginationExtra, page_size=50)
--- a/core/auth/api_permissions.py
+++ b/core/auth/api_permissions.py
@ -189,4 +189,4 @@ class IsLoggedInCounter(BasePermission):
        return Counter.objects.filter(token=token).exists()


-CanAccessLookup = IsOldSubscriber | IsRoot | IsLoggedInCounter
+CanAccessLookup = IsLoggedInCounter | HasPerm("core.access_lookup")
--- a/core/management/commands/populate.py
+++ b/core/management/commands/populate.py
@ -805,6 +805,8 @@ class Command(BaseCommand):
                        "add_peoplepicturerelation",
                        "add_page",
                        "add_quickuploadimage",
+                        "view_club",
+                        "access_lookup",
                    ]
                )
            )
--- a/core/migrations/0046_permissionrights.py
+++ b/core/migrations/0046_permissionrights.py
@ -0,0 +1,28 @@
+# Generated by Django 5.2 on 2025-05-20 17:50
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0045_quickuploadimage")]
+
+    operations = [
+        migrations.CreateModel(
+            name="GlobalPermissionRights",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+            ],
+            options={
+                "permissions": [("access_lookup", "Can access any lookup in the sith")],
+                "managed": False,
+                "default_permissions": [],
+            },
+        ),
+    ]
--- a/core/models.py
+++ b/core/models.py
@ -754,6 +754,23 @@ class UserBan(models.Model):
        return f"Ban of user {self.user.id}"


+class GlobalPermissionRights(models.Model):
+    """Little hack to have permissions not linked to a specific db table."""
+
+    class Meta:
+        # No database table creation or deletion
+        # operations will be performed for this model.
+        managed = False
+
+        # disable "add", "change", "delete" and "view" default permissions
+        default_permissions = []
+
+        permissions = [("access_lookup", "Can access any lookup in the sith")]
+
+    def __str__(self):
+        return self.__class__.__name__
+
+
 class Preferences(models.Model):
    user = models.OneToOneField(
        User, related_name="_preferences", on_delete=models.CASCADE