Add custom api filtering and permission checking

2014-07-09 16:46:38 -04:00
parent d40931ad5b
commit 021369d0db
2 changed files with 58 additions and 0 deletions
--- a/mayan/apps/rest_api/filters.py
+++ b/mayan/apps/rest_api/filters.py
@@ -0,0 +1,20 @@
+from __future__ import absolute_import
+
+from rest_framework.filters import BaseFilterBackend
+
+from acls.models import AccessEntry
+from permissions.models import Permission
+
+
+class MayanObjectPermissionsFilter(BaseFilterBackend):
+    def filter_queryset(self, request, queryset, view):
+        if hasattr(view, 'mayan_object_permissions'):
+            try:
+                Permission.objects.check_permissions(request.user, view.mayan_object_permissions)
+            except PermissionDenied:
+                return AccessEntry.objects.filter_objects_by_access(view.mayan_object_permissions[0], request.user, queryset)
+            else:
+                return queryset
+        else:
+            return queryset
+
--- a/mayan/apps/rest_api/permissions.py
+++ b/mayan/apps/rest_api/permissions.py
@@ -0,0 +1,38 @@
+from __future__ import absolute_import
+
+from rest_framework.permissions import BasePermission
+
+from acls.models import AccessEntry
+from permissions.models import Permission
+
+
+class MayanPermission(BasePermission):
+    def has_permission(self, request, view):
+        if hasattr(view, 'mayan_view_permissions'):
+            try:
+                Permission.objects.check_permissions(request.user, view.mayan_view_permissions)
+            except PermissionDenied:
+                return False
+            else:
+                return True
+        else:
+            return True
+
+    def has_object_permission(self, request, view, obj):
+        if hasattr(view, 'mayan_object_permissions'):
+            try:
+                Permission.objects.check_permissions(request.user, view.mayan_object_permissions)
+            except PermissionDenied:
+                try:
+                    if hasattr(view, 'mayan_permission_attribute_check'):
+                        AccessEntry.objects.check_accesses(view.mayan_object_permissions, request.user, getattr(obj, view.mayan_permission_attribute_check))
+                    else:
+                        AccessEntry.objects.check_accesses(view.mayan_object_permissions, request.user, obj)
+                except PermissionDenied:
+                    return False
+                else:
+                    return True
+            else:
+                return True
+        else:
+            return True