Permission System
Enriched permissions that can be combined with REST framework’s permission classes. Use classes defined here to restrict access to different resources and create, assign and delete permissions at runtime.
Important
Administrators will always be able to perform actions on resources as they automatically inherit all permissions.
There will be some (by now only one) default permissions that can’t be created at runtime:
CanCreateUser: Used to determine whether a user can create other users
Default runtime permissions are:
Name |
Model |
HTTP Methods |
Description |
|---|---|---|---|
CanEditTeam |
|
|
Users with this permission will be able to update team related data |
CanViewTeam |
|
|
Users with this permission will be able to view team related data |
CanDeleteTeam |
|
|
Users with this permission will be able to delete a spcific team |
CanEditProject |
|
|
With this permission users are able to view and update a project |
CanDeleteProject |
|
|
Needed to delete a project |
CanEditUser |
|
|
This permission can be used to update user-data, NOT account-data |
CanDeleteUser |
|
|
Needed to delete a user |
CanEditAccount |
|
|
This permission can be used to update account-data, NOT user-data |
CanDeleteAccount |
|
|
Needed to delete an account |
CanBundleTeam |
|
|
Users with this permission will be able to update bundle related data |
CanViewBundle |
|
|
Users with this permission will be able to view bundle related data |
CanDeleteBundle |
|
|
Users with this permission will be able to delete a spcific bundle |
Classes
- class mastf.MASTF.permissions._Method(*args)[source]
A mixin that restricts access to a view based on the request method.
- Variables:
methods (list) – A list of allowed request methods.
This class should not be used directly. Instead, use one of the following class attributes to create a new instance:
Delete: Only allows
DELETErequests.Post: Only allows
POSTrequests.Patch: Only allows
PATCHrequests.Get: Only allows
GETrequests.Put: Only allows
PUTrequests.
When a new instance is created, the allowed request methods are passed as arguments. If no arguments are provided, SAFE_METHODS (which includes GET, HEAD, and OPTIONS) will be used by default.
The _Method class is made callable so that it can be used by the Django REST framework even though an instance has been created already.
- has_permission(request, view)[source]
Check if the request method is allowed.
- Parameters:
request (rest_framework.request.Request) – The incoming request.
view (rest_framework.views.APIView) – The view being accessed.
- Returns:
Trueif the request method is allowed,Falseotherwise.- Return type:
bool
- class mastf.MASTF.permissions.BoundPermission(codename: str, name: str, model: type, runtime: bool = False, mapper=None, methods=None)[source]
Class that implements an advanced permission structure for the Django Rest Framework.
BoundPermissionobjects are used withinManyToManySerializerclasses and APIView classes defined in therest.views.basemodule of this project. They integrate this utility class so that permissions will be automatically added or removed from a user.For instance, the following code creates a simple
APIViewthat assigns a permission namedCanEditArticleto a user:CanEditArticle = BoundPermission( "can_edit_article_%s", "Can modify atricles", Article, runtime=True, methods=[Patch] ) class ArticleAPIView(APIViewBase): ... # authentication related classes model = Article serializer_class = ArticleSerializer bound_permissions = [CanEditArticle]
The defined permission will be removed automatically if a
DELETErequest is made and the database object is going to be removed.- Parameters:
codename (str) – A string representing the codename of the permission.
name (str) – A string representing the name of the permission.
model (type) – A Python class representing the model that this permission is associated with.
runtime (bool, optional) – A boolean flag indicating whether this permission is created at runtime. Defaults to False.
mapper (callable, optional) – A callable object used to generate permission strings at runtime. Defaults to None.
methods (list, optional) – A list of HTTP methods allowed by this permission. Defaults to None.
- assign_to(usr: User, *args)[source]
Assigns this permission to the given user.
- Parameters:
usr (User) – the user that gets this permission
- codename: str
A string representing the codename of the permission.
- create(*args) Permission[source]
Create a new permission object with the given codename, name, and model.
- Parameters:
args (Any) – Optional arguments to substitute into the codename string.
- Returns:
The newly created Permission object.
- Return type:
Permission
- errors = {'not-found': {'detail': "You don't have enough permissions to access this resource"}}
A dictionary containing error messages raised by the permission.
- get(instance) Permission[source]
Returns the permission required to access the given object.
- Parameters:
instance (? extends Model) – the object a user wants to access
- Returns:
the required permission
- Return type:
Permission
- has_object_permission(request, view, obj)[source]
Validates whether a user as appropriate rights to access the given object.
- Parameters:
request (Request) – the HttpRequest
view (APIView) – the api view
obj (? extends Model) – the instance a user wants to have access to
- Raises:
ValidationError – if the required permission could not be found
- Returns:
Falseif pre-defined requirements could not be satisfied,Trueotherwise.- Return type:
bool
- is_runtime: bool
A boolean flag indicating whether this permission is created at runtime. Defaults to False.
- model: type
A Python class representing the model that this permission is associated with.
- name: str
A string representing the name of the permission.