diff options
| author | Jamie Matthews | 2012-09-26 13:05:21 +0100 |
|---|---|---|
| committer | Jamie Matthews | 2012-09-26 13:05:21 +0100 |
| commit | 01770c53cd9045e6ea054f32b1e40b5d2ff7fe44 (patch) | |
| tree | 657cb66f92d78add3b2f587754387832043168e6 /djangorestframework/permissions.py | |
| parent | f6488cb0589d3b11fb8d831e00d1389f3fff74b6 (diff) | |
| parent | 09a445b257532be69ffab69a3f62b84bfa90463d (diff) | |
| download | django-rest-framework-01770c53cd9045e6ea054f32b1e40b5d2ff7fe44.tar.bz2 | |
Merge branch 'restframework2' of git://github.com/tomchristie/django-rest-framework into improved-view-decorators
* 'restframework2' of git://github.com/tomchristie/django-rest-framework: (56 commits)
Bits of cleanup
Add request.QUERY_PARAMS
Add readonly 'id' field
Tweak browseable API
Don't display readonly fields
Fix some bits of serialization
Add csrf note
Fix incorrect bit of tutorial
Added tox.ini
Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing
Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing
Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing
Clean up bits of templates etc
Hack out bunch of unneccesary private methods on View class
Clean up template tags
Remove dumbass __all__ variables
Remove old 'djangorestframework directories
Change package name: djangorestframework -> rest_framework
Dont strip final '/'
Use get_script_prefix to play nicely if not installed at the root.
...
Conflicts:
rest_framework/decorators.py
Diffstat (limited to 'djangorestframework/permissions.py')
| -rw-r--r-- | djangorestframework/permissions.py | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py deleted file mode 100644 index 3a669822..00000000 --- a/djangorestframework/permissions.py +++ /dev/null @@ -1,116 +0,0 @@ -""" -The :mod:`permissions` module bundles a set of permission classes that are used -for checking if a request passes a certain set of constraints. - -Permission behavior is provided by mixing the :class:`mixins.PermissionsMixin` class into a :class:`View` class. -""" - -__all__ = ( - 'BasePermission', - 'FullAnonAccess', - 'IsAuthenticated', - 'IsAdminUser', - 'IsUserOrIsAnonReadOnly', - 'PerUserThrottling', - 'PerViewThrottling', -) - -SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'] - - -class BasePermission(object): - """ - A base class from which all permission classes should inherit. - """ - def __init__(self, view): - """ - Permission classes are always passed the current view on creation. - """ - self.view = view - - def has_permission(self, request, obj=None): - """ - Should simply return, or raise an :exc:`response.ImmediateResponse`. - """ - raise NotImplementedError(".has_permission() must be overridden.") - - -class IsAuthenticated(BasePermission): - """ - Allows access only to authenticated users. - """ - - def has_permission(self, request, obj=None): - if request.user and request.user.is_authenticated(): - return True - return False - - -class IsAdminUser(BasePermission): - """ - Allows access only to admin users. - """ - - def has_permission(self, request, obj=None): - if request.user and request.user.is_staff: - return True - return False - - -class IsAuthenticatedOrReadOnly(BasePermission): - """ - The request is authenticated as a user, or is a read-only request. - """ - - def has_permission(self, request, obj=None): - if (request.method in SAFE_METHODS or - request.user and - request.user.is_authenticated()): - return True - return False - - -class DjangoModelPermissions(BasePermission): - """ - The request is authenticated using `django.contrib.auth` permissions. - See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions - - It ensures that the user is authenticated, and has the appropriate - `add`/`change`/`delete` permissions on the model. - - This permission should only be used on views with a `ModelResource`. - """ - - # Map methods into required permission codes. - # Override this if you need to also provide 'view' permissions, - # or if you want to provide custom permission codes. - perms_map = { - 'GET': [], - 'OPTIONS': [], - 'HEAD': [], - 'POST': ['%(app_label)s.add_%(model_name)s'], - 'PUT': ['%(app_label)s.change_%(model_name)s'], - 'PATCH': ['%(app_label)s.change_%(model_name)s'], - 'DELETE': ['%(app_label)s.delete_%(model_name)s'], - } - - def get_required_permissions(self, method, model_cls): - """ - Given a model and an HTTP method, return the list of permission - codes that the user is required to have. - """ - kwargs = { - 'app_label': model_cls._meta.app_label, - 'model_name': model_cls._meta.module_name - } - return [perm % kwargs for perm in self.perms_map[method]] - - def has_permission(self, request, obj=None): - model_cls = self.view.model - perms = self.get_required_permissions(request.method, model_cls) - - if (request.user and - request.user.is_authenticated() and - request.user.has_perms(perms, obj)): - return True - return False |