Make HasPerm work with ApiKeyAuth

2025-06-07 03:35:18 +00:00 · 2025-05-20 18:16:14 +02:00 · 2025-05-20 18:16:14 +02:00 · f72a93a673
commit f72a93a673
parent 1ccd24b69a
1 changed files with 10 additions and 1 deletions
--- a/core/auth/api_permissions.py
+++ b/core/auth/api_permissions.py
@ -96,7 +96,16 @@ class HasPerm(BasePermission):
        self._perms = perms

    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
-        return reduce(self._operator, (request.user.has_perm(p) for p in self._perms))
+        # if the request has the `auth` property,
+        # it means that the user has been explicitly authenticated
+        # using a django-ninja authentication backend
+        # (whether it is SessionAuth or ApiKeyAuth).
+        # If not, this authentication has not been done, but the user may
+        # still be implicitly authenticated through AuthenticationMiddleware
+        user = request.auth if hasattr(request, "auth") else request.user
+        # `user` may either be a `core.User` or an `apikey.ApiClient` ;
+        # they are not the same model, but they both implement the `has_perm` method
+        return reduce(self._operator, (user.has_perm(p) for p in self._perms))


 class IsRoot(BasePermission):