jbdod/notes-ker-lann
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Check permissions per request instead of per user

Browse source 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
Yohann D'ANELLO 2021-06-15 14:40:32 +02:00
parent 5e9f36ef1a
commit ea092803d7
No known key found for this signature in database
GPG key ID: 3A75C55819C8CF85
25 changed files with 207 additions and 203 deletions
Download patch file Download diff file Expand all files Collapse all files

19
apps/permission/signals.py
View file

@ -3,7 +3,7 @@
from django.core.exceptions import PermissionDenied
from django.utils.translation import gettext_lazy as _
from note_kfet.middlewares import get_current_authenticated_user
from note_kfet.middlewares import get_current_request
from permission.backends import PermissionBackend
@ -31,8 +31,8 @@ def pre_save_object(sender, instance, **kwargs):
if hasattr(instance, "_force_save") or hasattr(instance, "_no_signal"):
return
user = get_current_authenticated_user()
if user is None:
request = get_current_request()
if request is None:
# Action performed on shell is always granted
return
@ -45,7 +45,7 @@ def pre_save_object(sender, instance, **kwargs):
# We check if the user can change the model
# If the user has all right on a model, then OK
if PermissionBackend.check_perm(user, app_label + ".change_" + model_name, instance):
if PermissionBackend.check_perm(request, app_label + ".change_" + model_name, instance):
return
# In the other case, we check if he/she has the right to change one field
@ -58,7 +58,8 @@ def pre_save_object(sender, instance, **kwargs):
# If the field wasn't modified, no need to check the permissions
if old_value == new_value:
continue
if not PermissionBackend.check_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):
if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
instance):
raise PermissionDenied(
_("You don't have the permission to change the field {field} on this instance of model"
" {app_label}.{model_name}.")
@ -66,7 +67,7 @@ def pre_save_object(sender, instance, **kwargs):
)
else:
# We check if the user has right to add the object
has_perm = PermissionBackend.check_perm(user, app_label + ".add_" + model_name, instance)
has_perm = PermissionBackend.check_perm(request, app_label + ".add_" + model_name, instance)
if not has_perm:
raise PermissionDenied(
@ -87,8 +88,8 @@ def pre_delete_object(instance, **kwargs):
# Don't check permissions on force-deleted objects
return
user = get_current_authenticated_user()
if user is None:
request = get_current_request()
if request is None:
# Action performed on shell is always granted
return
@ -97,7 +98,7 @@ def pre_delete_object(instance, **kwargs):
model_name = model_name_full[1]
# We check if the user has rights to delete the object
if not PermissionBackend.check_perm(user, app_label + ".delete_" + model_name, instance):
if not PermissionBackend.check_perm(request, app_label + ".delete_" + model_name, instance):
raise PermissionDenied(
_("You don't have the permission to delete this instance of model {app_label}.{model_name}.")
.format(app_label=app_label, model_name=model_name))