Merge branch 'restframework2' of git://github.com/tomchristie/django-rest-framework into improved-view-decorators

* 'restframework2' of git://github.com/tomchristie/django-rest-framework: (56 commits) Bits of cleanup Add request.QUERY_PARAMS Add readonly 'id' field Tweak browseable API Don't display readonly fields Fix some bits of serialization Add csrf note Fix incorrect bit of tutorial Added tox.ini Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing Tweak media_type -> accepted_media_type. Need to document, but marginally less confusing Clean up bits of templates etc Hack out bunch of unneccesary private methods on View class Clean up template tags Remove dumbass __all__ variables Remove old 'djangorestframework directories Change package name: djangorestframework -> rest_framework Dont strip final '/' Use get_script_prefix to play nicely if not installed at the root. ... Conflicts: rest_framework/decorators.py
author: Jamie Matthews 2012-09-26 13:05:21 +0100
committer: Jamie Matthews 2012-09-26 13:05:21 +0100
commit: 01770c53cd9045e6ea054f32b1e40b5d2ff7fe44 (patch)
tree: 657cb66f92d78add3b2f587754387832043168e6 /rest_framework/permissions.py
parent: f6488cb0589d3b11fb8d831e00d1389f3fff74b6 (diff)
parent: 09a445b257532be69ffab69a3f62b84bfa90463d (diff)
download: django-rest-framework-01770c53cd9045e6ea054f32b1e40b5d2ff7fe44.tar.bz2
1 files changed, 107 insertions, 0 deletions
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
new file mode 100644
index 00000000..51837a01
--- /dev/null
+++ b/rest_framework/permissions.py
@@ -0,0 +1,107 @@
+"""
+The :mod:`permissions` module bundles a set of permission classes that are used
+for checking if a request passes a certain set of constraints.
+
+Permission behavior is provided by mixing the :class:`mixins.PermissionsMixin` class into a :class:`View` class.
+"""
+
+
+SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
+
+
+class BasePermission(object):
+    """
+    A base class from which all permission classes should inherit.
+    """
+    def __init__(self, view):
+        """
+        Permission classes are always passed the current view on creation.
+        """
+        self.view = view
+
+    def has_permission(self, request, obj=None):
+        """
+        Should simply return, or raise an :exc:`response.ImmediateResponse`.
+        """
+        raise NotImplementedError(".has_permission() must be overridden.")
+
+
+class IsAuthenticated(BasePermission):
+    """
+    Allows access only to authenticated users.
+    """
+
+    def has_permission(self, request, obj=None):
+        if request.user and request.user.is_authenticated():
+            return True
+        return False
+
+
+class IsAdminUser(BasePermission):
+    """
+    Allows access only to admin users.
+    """
+
+    def has_permission(self, request, obj=None):
+        if request.user and request.user.is_staff:
+            return True
+        return False
+
+
+class IsAuthenticatedOrReadOnly(BasePermission):
+    """
+    The request is authenticated as a user, or is a read-only request.
+    """
+
+    def has_permission(self, request, obj=None):
+        if (request.method in SAFE_METHODS or
+            request.user and
+            request.user.is_authenticated()):
+            return True
+        return False
+
+
+class DjangoModelPermissions(BasePermission):
+    """
+    The request is authenticated using `django.contrib.auth` permissions.
+    See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions
+
+    It ensures that the user is authenticated, and has the appropriate
+    `add`/`change`/`delete` permissions on the model.
+
+    This permission should only be used on views with a `ModelResource`.
+    """
+
+    # Map methods into required permission codes.
+    # Override this if you need to also provide 'view' permissions,
+    # or if you want to provide custom permission codes.
+    perms_map = {
+        'GET': [],
+        'OPTIONS': [],
+        'HEAD': [],
+        'POST': ['%(app_label)s.add_%(model_name)s'],
+        'PUT': ['%(app_label)s.change_%(model_name)s'],
+        'PATCH': ['%(app_label)s.change_%(model_name)s'],
+        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+    }
+
+    def get_required_permissions(self, method, model_cls):
+        """
+        Given a model and an HTTP method, return the list of permission
+        codes that the user is required to have.
+        """
+        kwargs = {
+            'app_label': model_cls._meta.app_label,
+            'model_name':  model_cls._meta.module_name
+        }
+        return [perm % kwargs for perm in self.perms_map[method]]
+
+    def has_permission(self, request, obj=None):
+        model_cls = self.view.model
+        perms = self.get_required_permissions(request.method, model_cls)
+
+        if (request.user and
+            request.user.is_authenticated() and
+            request.user.has_perms(perms, obj)):
+            return True
+        return False
author	Jamie Matthews	2012-09-26 13:05:21 +0100
committer	Jamie Matthews	2012-09-26 13:05:21 +0100
commit	01770c53cd9045e6ea054f32b1e40b5d2ff7fe44 (patch)
tree	657cb66f92d78add3b2f587754387832043168e6 /rest_framework/permissions.py
parent	f6488cb0589d3b11fb8d831e00d1389f3fff74b6 (diff)
parent	09a445b257532be69ffab69a3f62b84bfa90463d (diff)
download	django-rest-framework-01770c53cd9045e6ea054f32b1e40b5d2ff7fe44.tar.bz2