
* fix API permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix group member remove notification label Signed-off-by: Jens Langhammer <jens@goauthentik.io> * consistent naming assign vs grant Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only set table search query when searching is enabled Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix hidden object permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * replace checkmark/cross with fa icons Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests and fix permission bug Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix migrations Signed-off-by: Jens Langhammer <jens@goauthentik.io> * reword Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
"""RBAC Permissions"""
from django.db.models import Model
from rest_framework.permissions import BasePermission, DjangoObjectPermissions
from rest_framework.request import Request
class ObjectPermissions(DjangoObjectPermissions):
    """RBAC permission class combining global and per-object permission checks.

    Detail requests are admitted at the view level and authorised per object in
    `has_object_permission`; all other requests use the inherited view-level check.
    """

    def has_permission(self, request: Request, view) -> bool:
        """Admit object-specific requests and defer all others to the parent.

        A request counts as object-specific when the view's lookup kwarg
        (`lookup_url_kwarg`, falling back to `lookup_field`) is present in
        `view.kwargs`. Such requests are let through here because view
        permission checking is done by `ObjectFilter` and write permission
        checking is done by `has_object_permission`.
        """
        lookup_key = getattr(view, "lookup_url_kwarg", None) or getattr(view, "lookup_field", None)
        is_detail_request = bool(lookup_key) and lookup_key in view.kwargs
        if not is_detail_request:
            return super().has_permission(request, view)
        # NOTE(review): rest_framework only runs has_object_permission when the
        # view calls check_object_permissions() (GenericAPIView.get_object() does).
        # A detail route that never does so receives no further check from this
        # class after the unconditional grant below; confirm every such route
        # performs one.
        return True

    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        """Grant access if the user holds the required permissions globally,
        otherwise fall back to the inherited per-object check for `obj`."""
        model = self._queryset(view).model
        required = self.get_required_object_permissions(request.method, model)
        # NOTE(review): with rest_framework's default perms_map the required
        # list is empty for GET/HEAD/OPTIONS and has_perms([]) is true, so reads
        # pass here and depend on `ObjectFilter` having scoped the queryset;
        # confirm that filter is active on every view using this class.
        # Global permissions rank higher than per-object permissions, so the
        # per-object lookup only happens when the global check fails.
        if not request.user.has_perms(required):
            return super().has_object_permission(request, view, obj)
        return True
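def HasPermission(*perm: str) -> type[BasePermission]:
    """Build a rest_framework permission class that requires global permissions.

    The returned class grants access only when ``request.user`` is set and
    ``request.user.has_perms(perm)`` is true, i.e. the user holds every listed
    permission. No object is passed to the check, so this is for non-object
    permissions only.

    Args:
        *perm: Permission names that must all be held by the requesting user.
            At least one is required; with none, the checker denies access.

    Returns:
        A ``BasePermission`` subclass usable in a view's ``permission_classes``.
    """

    class checker(BasePermission):
        def has_permission(self, request: Request, view):
            # Fail closed when no permission names were supplied: Django's
            # ``has_perms`` is ``all(...)`` over the list, which is true for an
            # empty list, so ``HasPermission()`` would otherwise admit any
            # request whose user object is truthy.
            if not perm:
                return False
            return bool(request.user and request.user.has_perms(perm))

    return checker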