Skip to content

permissions#

DummyView#

Helper 'View' class to allow checking permissions for a specific object.

DatasetAccessPolicy permission checks require a view that has "action" and "get_object" attributes.

Source code in src/apps/common/permissions.py 
 8
 9
10
11
12
13
14
15
16
17
18
19
20
class DummyView:
    """Helper 'View' class to allow checking permissions for a specific object.

    DatasetAccessPolicy permission checks require a view that
    has "action" and "get_object" attributes.
    """

    def __init__(self, object=None, action: str = None):
        self.object = object
        self.action = action

    def get_object(self):
        return self.object

DummyRequest#

Helper 'Request' class to allow checking permissions for a specific object.

AccessPolicy permission checks require a request that has "user" and "method" attributes.

Source code in src/apps/common/permissions.py 
23
24
25
26
27
28
29
30
31
32
class DummyRequest:
    """Helper 'Request' class to allow checking permissions for a specific object.

    AccessPolicy permission checks require a request that
    has "user" and "method" attributes.
    """

    def __init__(self, user=None, method="") -> None:
        self.user = user
        self.method = method  # leave empty to avoid matching e.g. <method:get> rules

BaseAccessPolicy#

Bases: AccessPolicy

Common base access policy class.

For built-in special values that can be used in statements, see: https://rsinger86.github.io/drf-access-policy/statement_elements/

For permissions of operations that don't directly map to a view action, use custom naming that won't clash with any potential action names, e.g. action="". Permissions for custom operations can then be queried with query_object_permission.

Source code in src/apps/common/permissions.py 
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
class BaseAccessPolicy(AccessPolicy):
    """Common base access policy class.

    For built-in special values that can be used in statements, see:
    https://rsinger86.github.io/drf-access-policy/statement_elements/

    For permissions of operations that don't directly map to a view action, use custom
    naming that won't clash with any potential action names, e.g. action="<op:download>".
    Permissions for custom operations can then be queried with query_object_permission.
    """

    id = "base-policy"
    statements = [
        {"action": ["list", "retrieve", "<safe_methods>"], "principal": "*", "effect": "allow"},
        {"action": "*", "principal": "admin", "effect": "allow"},
    ]

    def is_system_creator(self, request, view, action):
        instance = view.get_object()
        return request.user == instance.system_creator

    @classmethod
    def scope_queryset(cls, request, queryset):
        if request.user.is_superuser:
            logger.debug(f"Admin access granted for : {request.user}")
            return queryset

    def query_object_permission(self, user, object, action, method=""):
        """Helper method for querying for permissions of an object for current user.

        Normally has_permissions does not allow specifying object, action, or method
        directly. This function uses fake view and request objects to check for permissions
        without having to make an actual request.
        """
        view = DummyView(object=object, action=action)
        request = DummyRequest(user=user, method=method)
        return self.has_permission(request=request, view=view)

query_object_permission(user, object, action, method='') #

Helper method for querying for permissions of an object for current user.

Normally has_permissions does not allow specifying object, action, or method directly. This function uses fake view and request objects to check for permissions without having to make an actual request.

Source code in src/apps/common/permissions.py 
62
63
64
65
66
67
68
69
70
71
def query_object_permission(self, user, object, action, method=""):
    """Helper method for querying for permissions of an object for current user.

    Normally has_permissions does not allow specifying object, action, or method
    directly. This function uses fake view and request objects to check for permissions
    without having to make an actual request.
    """
    view = DummyView(object=object, action=action)
    request = DummyRequest(user=user, method=method)
    return self.has_permission(request=request, view=view)