Python rest_framework.permissions.SAFE_METHODS Examples

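The following are 30 code examples that use rest_framework.permissions.SAFE_METHODS, the Django REST framework constant holding the read-only HTTP methods ('GET', 'HEAD', 'OPTIONS'). A SAFE_METHODS test only classifies a request as read-only; it does not authenticate the caller or check who owns the object, which is why most examples below pair it with a further check. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module rest_framework.permissions, or try the search function.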
Example #1
Source File: views.py    From peering-manager with Apache License 2.0 6 votes vote down vote up
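def configure(self, request, pk=None):
        """Generate the router's configuration and hand it to NAPALM.

        The configuration is committed only when the request method is not in
        ``SAFE_METHODS``; for GET, HEAD and OPTIONS the call is made with
        ``commit=False`` (presumably a dry run -- confirm against
        ``set_napalm_configuration``).

        Returns a ``Response`` with the keys ``changed``, ``changes`` and
        ``error``, or ``HttpResponseForbidden`` when the user lacks the
        ``peering.deploy_configuration_router`` permission.  Raises
        ``ServiceUnavailable`` when the router has no platform set.
        """
        # Authorise before loading or inspecting the router, so a caller
        # without the deploy permission gets the same 403 whether or not the
        # router exists or runs on a supported platform.
        if not request.user.has_perm("peering.deploy_configuration_router"):
            return HttpResponseForbidden()

        router = self.get_object()

        # A router without a platform cannot be configured.
        if not router.platform:
            raise ServiceUnavailable("Unsupported router platform.")

        # Commit only for state-changing methods; every method in
        # SAFE_METHODS (not just GET) results in commit=False.
        should_commit = request.method not in SAFE_METHODS
        error, changes = router.set_napalm_configuration(
            router.generate_configuration(), commit=should_commit
        )
        return Response({"changed": not error, "changes": changes, "error": error})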
Example #2
Source File: OrganizationPermissions.py    From tfrs with Apache License 2.0 6 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Decide whether the requesting user may act on an existing object.

        Access is granted, in this order, when the user:
        * holds ``EDIT_FUEL_SUPPLIERS`` (any method);
        * has the same id as ``obj`` and the method is a safe one;
        * sends a GET and holds ``VIEW_FUEL_SUPPLIERS``;
        * belongs to the organization whose id equals ``obj.id`` and holds
          ``EDIT_FUEL_SUPPLIER``.
        Anything else is denied.
        """
        user = request.user

        if user.has_perm('EDIT_FUEL_SUPPLIERS'):
            return True

        # Users can always see themselves.
        # NOTE(review): obj.id is compared with a user id here and with an
        # organization id below; confirm which model this class guards.
        if obj.id == user.id:
            if request.method in permissions.SAFE_METHODS:
                return True

        # Only GET is covered here, not HEAD or OPTIONS.
        if request.method == 'GET':
            if user.has_perm('VIEW_FUEL_SUPPLIERS'):
                return True

        # NOTE(review): this permission is spelled 'EDIT_FUEL_SUPPLIER', the
        # first one 'EDIT_FUEL_SUPPLIERS'; presumably two distinct
        # permissions -- verify that neither is a typo.
        if obj.id == user.organization.id:
            if user.has_perm('EDIT_FUEL_SUPPLIER'):
                return True

        # Default deny.
        return False
Example #3
Source File: openshift_all_access.py    From koku with GNU Affero General Public License v3.0 6 votes vote down vote up
def has_permission(self, request, view):
        """Check permission to view OCP-on-ALL data.

        Admins are always allowed.  Other users are allowed only for safe
        methods, and only when at least one resource type in
        ``RESOURCE_TYPES`` has a non-empty ``"read"`` list in
        ``request.user.access``.  Non-safe methods are denied.
        """
        user = request.user
        if user.admin:
            return True

        resource_access = user.access
        # None is not a dict, so this also rejects a missing access map.
        if not isinstance(resource_access, dict):
            return False

        if request.method not in permissions.SAFE_METHODS:
            return False

        # Collect the read grants of every resource type for a read-only request.
        read_access = [
            entry
            for resource_type in RESOURCE_TYPES
            for entry in resource_access.get(resource_type, {}).get("read", [])
        ]
        return len(read_access) > 0
Example #4
Source File: aws_access.py    From koku with GNU Affero General Public License v3.0 6 votes vote down vote up
def has_permission(self, request, view):
        """Check permission to view AWS data.

        Admins are always allowed.  Other users are allowed only for safe
        methods, and only when the ``"read"`` list stored under
        ``AwsAccessPermission.resource_type`` in ``request.user.access`` is
        non-empty.  Non-safe methods are denied.
        """
        user = request.user
        if user.admin:
            return True

        resource_access = user.access
        # None is not a dict, so this also rejects a missing access map.
        if not isinstance(resource_access, dict):
            return False

        res_type_access = resource_access.get(AwsAccessPermission.resource_type, {})
        if request.method not in permissions.SAFE_METHODS:
            return False

        # Read-only request: any read grant is enough.
        return len(res_type_access.get("read", [])) > 0
Example #5
Source File: azure_access.py    From koku with GNU Affero General Public License v3.0 6 votes vote down vote up
def has_permission(self, request, view):
        """Check permission to view Azure data.

        Admins are always allowed.  Other users are allowed only for safe
        methods, and only when the ``"read"`` list stored under
        ``AzureAccessPermission.resource_type`` in ``request.user.access`` is
        non-empty.  Non-safe methods are denied.
        """
        user = request.user
        if user.admin:
            return True

        resource_access = user.access
        # None is not a dict, so this also rejects a missing access map.
        if not isinstance(resource_access, dict):
            return False

        res_type_access = resource_access.get(AzureAccessPermission.resource_type, {})
        if request.method not in permissions.SAFE_METHODS:
            return False

        # Read-only request: any read grant is enough.
        return len(res_type_access.get("read", [])) > 0
Example #6
Source File: views.py    From SchoolIdolAPI with Apache License 2.0 6 votes vote down vote up
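def get_queryset(self):
        """Build the Activity queryset, shaped by the request's query parameters.

        * Non-safe methods join ``account`` and ``account__owner`` so the
          permission check has them loaded.
        * ``expand_account`` joins ``account``.
        * ``expand_liked_by`` prefetches ``likes`` into ``liked_by``.
        * ``expand_total_likes`` (without ``expand_liked_by``) or an
          ``ordering`` value containing ``total_likes`` annotates
          ``total_likes``.
        * ``expand_liked`` (authenticated user, without ``expand_liked_by``)
          adds a ``liked`` count for the current user.
        """
        params = self.request.query_params
        queryset = models.Activity.objects.all()
        if self.request.method not in permissions.SAFE_METHODS:
            # To check for permission
            queryset = queryset.select_related('account', 'account__owner')
        if 'expand_account' in params:
            queryset = queryset.select_related('account')
        if 'expand_liked_by' in params:
            queryset = queryset.prefetch_related(Prefetch('likes', to_attr='liked_by'))
            queryset = queryset.select_related('account', 'account__owner')
        ordering = params.get('ordering', '')
        if ('expand_total_likes' in params and 'expand_liked_by' not in params) or 'total_likes' in ordering:
            queryset = queryset.annotate(total_likes=Count('likes'))
        # NOTE(review): is_authenticated is called as a method, which matches
        # older Django releases only -- confirm the targeted version.
        if ('expand_liked' in params and self.request.user.is_authenticated()
                and 'expand_liked_by' not in params):
            # Bind the user id as a query parameter instead of formatting it
            # into the SQL text.  The id comes from the authenticated user and
            # not from the request body, so this is hardening: the statement
            # stays parameterised whatever type the user model's key has.
            queryset = queryset.extra(
                select={
                    'liked': 'SELECT COUNT(*) FROM api_activity_likes '
                             'WHERE activity_id=api_activity.id AND user_id=%s',
                },
                select_params=(self.request.user.id,),
            )
        return queryset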
Example #7
Source File: cost_models_access.py    From koku with GNU Affero General Public License v3.0 6 votes vote down vote up
def has_permission(self, request, view):
        """Check permission based on the ``"rate"`` entry of the user's access map.

        Admins are always allowed; a user with an empty or missing access map
        is denied.  Safe methods need a non-empty ``"read"`` list.  Other
        methods need either ``"*"`` or the UUID taken from the URL in the
        ``"write"`` list.
        """
        user = request.user
        if user.admin:
            return True

        if not user.access:
            return False

        if request.method in permissions.SAFE_METHODS:
            rates_read = user.access.get("rate", {}).get("read", [])
            return bool(rates_read)

        rates_write = user.access.get("rate", {}).get("write", [])
        # The wildcard is tested first, so the URL is only parsed when needed.
        return "*" in rates_write or self.get_uuid_from_url(request) in rates_write
Example #8
Source File: permissions.py    From drf-tutorial with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Allow safe (read-only) methods for everyone, other methods for staff.

        Returns ``True`` for a method in ``SAFE_METHODS``, otherwise the
        value of ``request.user.is_staff``.
        """
        is_read_only = request.method in SAFE_METHODS
        return True if is_read_only else request.user.is_staff
Example #9
Source File: ComplianceReport.py    From tfrs with Apache License 2.0 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Decide whether the user may act on an existing compliance report.

        Members of the report's organization are allowed for every method.
        Government users are allowed for safe methods, and for other methods
        when they hold at least one of the status permissions listed below.
        Everyone else is denied.
        """
        user = request.user

        # Users can only update their own compliance reports
        if obj.organization == user.organization:
            return True

        if not user.is_government_user:
            return False

        # Government users can see compliance reports
        if request.method in permissions.SAFE_METHODS:
            return True

        # Government users can manage compliance report statuses; one
        # matching permission is enough, checked in this order.
        status_permissions = (
            'ANALYST_RECOMMEND_ACCEPTANCE_COMPLIANCE_REPORT',
            'ANALYST_RECOMMEND_REJECTION_COMPLIANCE_REPORT',
            'MANAGER_RECOMMEND_ACCEPTANCE_COMPLIANCE_REPORT',
            'MANAGER_RECOMMEND_REJECTION_COMPLIANCE_REPORT',
            'APPROVE_CREDIT_TRANSFER',  # Director
        )
        return any(user.has_perm(code) for code in status_permissions)
Example #10
Source File: permissions.py    From controller with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Grant safe methods to everyone and all other methods to superusers.

        Returns ``True`` for a method in ``permissions.SAFE_METHODS``,
        otherwise the value of ``request.user.is_superuser``.
        """
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_superuser
Example #11
Source File: CompliancePeriod.py    From tfrs with Apache License 2.0 5 votes vote down vote up
def has_permission(self, request, view):
        """View-level check, which also covers requests that create an object (POST).

        Safe methods are always allowed; any other method requires the
        ``EDIT_COMPLIANCE_PERIODS`` permission.
        """
        read_only = request.method in permissions.SAFE_METHODS
        return read_only or request.user.has_perm('EDIT_COMPLIANCE_PERIODS')
Example #12
Source File: permissions.py    From drf-tutorial with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; other methods only for the creator.

        For a non-safe method the result is ``obj.created_by == request.user``.
        """
        return request.method in SAFE_METHODS or obj.created_by == request.user
Example #13
Source File: auth.py    From openduty with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Require an authenticated user for safe methods only.

        A method outside ``SAFE_METHODS`` is allowed unconditionally.  For a
        safe method the result is ``request.user`` when that is falsy,
        otherwise the value of ``request.user.is_authenticated()``.
        """
        # NOTE(review): every method outside SAFE_METHODS is allowed here
        # without any authentication check, while reads need a logged-in
        # user.  Confirm this is intended and that the views using this class
        # authenticate writes some other way.
        if request.method not in SAFE_METHODS:
            return True
        user = request.user
        return user and user.is_authenticated()
Example #14
Source File: permissions.py    From semillas_platform with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow reads for any request; writes only when ``obj`` is the requester.

        GET, HEAD and OPTIONS are always allowed.  For any other method the
        result is ``obj == request.user``, i.e. the object being changed must
        be the requesting user itself.
        """
        is_read_only = request.method in permissions.SAFE_METHODS
        return True if is_read_only else obj == request.user
Example #15
Source File: permissions.py    From Project-Dashboard-with-Django with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Allow safe methods and POST for anyone; the rest for superusers.

        For other methods the result is ``request.user`` when that is falsy,
        otherwise ``request.user.is_superuser``.
        """
        # NOTE(review): POST is allowed without looking at request.user at
        # all; confirm that unauthenticated creation is intended or that
        # another permission class enforces authentication.
        if request.method in SAFE_METHODS or request.method == "POST":
            return True

        user = request.user
        return user and user.is_superuser
Example #16
Source File: permissions.py    From Project-Dashboard-with-Django with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Allow safe methods for anyone; every other method for superusers.

        For a non-safe method the result is ``request.user`` when that is
        falsy, otherwise ``request.user.is_superuser``.
        """
        is_read_only = request.method in SAFE_METHODS
        if is_read_only:
            return True

        user = request.user
        return user and user.is_superuser
Example #17
Source File: permissions.py    From python-sample-tweeterapp with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Let any user read a tweet; only its owner may change it.

        Safe methods return ``True``.  For other methods the result is
        ``obj.user == request.user``.
        """
        # Reads are open to everyone; writes require that the requesting
        # user owns the object being edited.
        return request.method in permissions.SAFE_METHODS or obj.user == request.user
Example #18
Source File: permissions.py    From SchoolIdolAPI with Apache License 2.0 5 votes vote down vote up
def has_object_permission(self, request, view, obj=None):
        """Allow safe methods for anyone; other methods for authenticated staff.

        For a non-safe method the result is the value of
        ``request.user.is_authenticated()`` when that is falsy, otherwise
        ``request.user.is_staff``.
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        # NOTE(review): is_authenticated is called as a method, which matches
        # older Django releases only -- confirm the targeted version.
        user = request.user
        return user.is_authenticated() and user.is_staff
Example #19
Source File: DocumentComment.py    From tfrs with Apache License 2.0 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Decide whether the user may read or change an existing document comment.

        * The comment's creator is always allowed.
        * Members of the creator's organization are allowed for safe methods.
        * Government users are allowed unless the comment has
          ``privileged_access``; then they need ``DOCUMENTS_VIEW`` to read
          and ``DOCUMENTS_GOVERNMENT_REVIEW`` to write.
        * Everyone else is denied.
        """
        author = obj.create_user
        user = request.user

        # Users can always see and edit their own comments
        if author == user:
            return True

        # Others in the author's organization may see but not edit them
        if author.organization == user.organization:
            if request.method in permissions.SAFE_METHODS:
                return True

        if not user.is_government_user:
            # not authorized
            return False

        is_read = request.method in permissions.SAFE_METHODS

        # NOTE(review): a government user may therefore edit any
        # non-privileged comment, whoever wrote it; confirm this is intended.
        if not obj.privileged_access:
            return True

        required = 'DOCUMENTS_VIEW' if is_read else 'DOCUMENTS_GOVERNMENT_REVIEW'
        return user.has_perm(required)
Example #20
Source File: CreditTradeComment.py    From tfrs with Apache License 2.0 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Decide whether the user may read or change an existing credit trade comment.

        * The comment's creator is always allowed.
        * Members of the creator's organization are allowed for safe methods.
        * Government users are allowed unless the comment has
          ``privileged_access``; then they need ``VIEW_PRIVILEGED_COMMENTS``
          to read and ``EDIT_PRIVILEGED_COMMENTS`` to write.
        * Everyone else is denied.
        """
        author = obj.create_user
        user = request.user

        # Users can always see and edit their own comments
        if author == user:
            return True

        # Others in the author's organization may see but not edit them
        if author.organization == user.organization:
            if request.method in permissions.SAFE_METHODS:
                return True

        if not user.is_government_user:
            # not authorized
            return False

        is_read = request.method in permissions.SAFE_METHODS

        # NOTE(review): a government user may therefore edit any
        # non-privileged comment, whoever wrote it; confirm this is intended.
        if not obj.privileged_access:
            return True

        required = 'VIEW_PRIVILEGED_COMMENTS' if is_read else 'EDIT_PRIVILEGED_COMMENTS'
        return user.has_perm(required)
Example #21
Source File: permissions.py    From course-discovery with GNU Affero General Public License v3.0 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; other methods per ``CourseEditor``.

        For a non-safe method the result is whatever
        ``CourseEditor.is_course_editable(request.user, obj.course)`` returns.
        """
        return (
            request.method in SAFE_METHODS
            or CourseEditor.is_course_editable(request.user, obj.course)
        )
Example #22
Source File: views.py    From CTF_AWD_Platform with MIT License 5 votes vote down vote up
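def has_object_permission(self, request, view, obj):
        """Object-level permission for a team.

        Safe methods are always allowed.  PUT, PATCH and DELETE are allowed
        only when the requesting user's id equals ``obj.team_captain.id``.
        POST is allowed.  Any other method is denied.
        """
        if request.method in permissions.SAFE_METHODS:  # SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')
            return True
        if request.method in ('PUT', 'PATCH', 'DELETE'):
            # Only the team captain may modify or delete the team.
            return obj.team_captain.id == request.user.id
        if request.method == 'POST':
            # Any authenticated user may create a team.
            # NOTE(review): authentication is not checked in this method;
            # presumably another permission class enforces it -- confirm.
            return True
        # Deny explicitly rather than falling off the end with None, so the
        # result is always a bool and unknown methods are visibly refused.
        return False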
Example #23
Source File: permissions.py    From CTF_AWD_Platform with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Object-level permission; currently returns ``True`` for every method.

        The original note says this check runs after the view-level one and
        is tied to ``mixins.RetrieveModelMixin``.
        """
        is_read_only = request.method in permissions.SAFE_METHODS  # SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')
        if is_read_only:
            return True
        # NOTE(review): the ownership comparison that guarded writes is
        # commented out, so this class allows every method on every object.
        # Confirm whether it should be restored:
        # return (obj.id == request.user.id)
        return True
Example #24
Source File: permissions.py    From elmer with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; other methods only for the commenter.

        For a non-safe method the result is ``obj.commenter == request.user``.
        """
        return request.method in SAFE_METHODS or obj.commenter == request.user
Example #25
Source File: permissions.py    From elmer with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; other methods only for the author.

        For a non-safe method the result is ``obj.author == request.user``.
        """
        is_read_only = request.method in SAFE_METHODS
        return True if is_read_only else obj.author == request.user
Example #26
Source File: permissions.py    From elmer with MIT License 5 votes vote down vote up
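def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; other methods only for the object's admins.

        A non-safe method is allowed when ``request.user`` is in
        ``obj.admins.all()`` and denied otherwise.
        """
        if request.method in SAFE_METHODS:
            return True
        if request.user in obj.admins.all():
            return True
        # Deny explicitly rather than falling off the end with None, so the
        # result is always a bool and the refusal is visible in the code.
        return False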
Example #27
Source File: permissions.py    From volontulo with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; writes for administrators and members.

        A non-safe method needs an authenticated user whose profile is an
        administrator or whose profile's organizations include ``obj``.
        """
        user = request.user
        if request.method in permissions.SAFE_METHODS:
            return True

        # NOTE(review): is_authenticated is called as a method, which matches
        # older Django releases only -- confirm the targeted version.
        authenticated = user.is_authenticated()
        if not authenticated:
            return authenticated

        profile = user.userprofile
        return profile.is_administrator or obj in profile.organizations.all()
Example #28
Source File: permissions.py    From volontulo with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Accept safe methods from anyone and POST/PUT from authenticated users.

        Every other method is refused.
        """
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.method not in ('POST', 'PUT'):
            return False
        return request.user.is_authenticated()
Example #29
Source File: permissions.py    From volontulo with MIT License 5 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Allow safe methods for anyone; writes for administrators and members.

        A non-safe method needs an authenticated user whose profile is an
        administrator or whose profile's organizations include
        ``obj.organization``.
        """
        user = request.user
        if request.method in permissions.SAFE_METHODS:
            return True

        # NOTE(review): is_authenticated is called as a method, which matches
        # older Django releases only -- confirm the targeted version.
        authenticated = user.is_authenticated()
        if not authenticated:
            return authenticated

        profile = user.userprofile
        return profile.is_administrator or obj.organization in profile.organizations.all()
Example #30
Source File: permissions.py    From volontulo with MIT License 5 votes vote down vote up
def has_permission(self, request, view):
        """Accept safe methods from anyone and POST/PUT from authenticated users.

        Every other method is refused.
        """
        # NOTE(review): the previous docstring said only safe methods were
        # accepted, but POST and PUT are let through for authenticated users.
        # Confirm which of the two is intended.
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.method not in ('POST', 'PUT'):
            return False
        return request.user.is_authenticated()