libretime/api/libretime_api/permissions.py

from secrets import compare_digest

from django.conf import settings
from rest_framework.permissions import BasePermission
from rest_framework.request import Request

from .core.models import Role

REQUEST_PERMISSION_TYPE_MAP = {
    "GET": "view",
    "HEAD": "view",
    "OPTIONS": "view",
    "POST": "change",
    "PUT": "change",
    "DELETE": "delete",
    "PATCH": "change",
}


def get_own_obj(request, view):
    user = request.user
    if user is None or user.role != Role.HOST:
        return ""
    if request.method == "GET":
        return ""
    qs = view.queryset.all()
    try:
        model_owners = []
        for model in qs:
            owner = model.get_owner()
            if owner not in model_owners:
                model_owners.append(owner)
        if len(model_owners) == 1 and user in model_owners:
            return "own_"
    except AttributeError:
        return ""
    return ""


def get_permission_for_view(request, view):
    try:
        permission_type = REQUEST_PERMISSION_TYPE_MAP[request.method]
        if view.__class__.__name__ == "APIRootView":
            return f"{permission_type}_apiroot"
        model = view.model_permission_name
        own_obj = get_own_obj(request, view)
        return f"{permission_type}_{own_obj}{model}"
    except AttributeError:
        return None


def check_authorization_header(request: Request):
    auth_header = request.headers.get("authorization", "")
    if auth_header.startswith("Api-Key"):
        token = auth_header.split()[1]
        return compare_digest(token, settings.CONFIG.general.api_key)
    return False


class IsAdminOrOwnUser(BasePermission):
    """
    Implements Django Rest Framework permissions. This is separate from
    Django's standard permission system. For details see
    https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
    """

    def has_permission(self, request, view):
        if request.user.is_superuser():
            return True
        return False

    def has_object_permission(self, request, view, obj):
        if request.user.is_superuser():
            return True
        return obj.username == request.user


class IsSystemTokenOrUser(BasePermission):
    """
    Implements Django Rest Framework permissions. This is separate from
    Django's standard permission system. For details see
    https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions

    This permission allows services (liquidsoap, 3rd-party, etc) to connect with
    an API-Key header. All standard-users (i.e. not using the API-Key) have their
    permissions checked against Django's standard permission system.
    """

    def has_permission(self, request, view):
        if request.user and request.user.is_authenticated:
            perm = get_permission_for_view(request, view)
            # Required as view_apiroot is a permission not linked to a specific
            # model. This use-case allows users to view the base of the API
            # explorer. Their assigned group permissions determine further access
            # into the explorer.
            if perm == "view_apiroot":
                return True
            return request.user.has_perm(perm)
        return check_authorization_header(request)

    def has_object_permission(self, request, view, obj):
        if request.user and request.user.is_authenticated:
            perm = get_permission_for_view(request, view)
            return request.user.has_perm(perm, obj)
        return check_authorization_header(request)
fix(api): prevent timing attacke on api key (#1771) 2022-04-17 18:55:18 +02:00			`from secrets import compare_digest`

add API v2 2020-01-30 14:47:36 +01:00			`from django.conf import settings`
Add isort pre-commit hook Sort import statement in python files See https://github.com/PyCQA/isort 2021-06-03 15:20:39 +02:00			`from rest_framework.permissions import BasePermission`
fix(api): upgrade django code (pre-commit) 2023-04-24 16:49:12 +02:00			`from rest_framework.request import Request`
Add isort pre-commit hook Sort import statement in python files See https://github.com/PyCQA/isort 2021-06-03 15:20:39 +02:00
feat(api): rename user model fields (#1902) 2022-06-21 23:43:03 +02:00			`from .core.models import Role`
add API v2 2020-01-30 14:47:36 +01:00
			`REQUEST_PERMISSION_TYPE_MAP = {`
Format code using black 2021-05-27 16:23:02 +02:00			`"GET": "view",`
			`"HEAD": "view",`
			`"OPTIONS": "view",`
			`"POST": "change",`
			`"PUT": "change",`
			`"DELETE": "delete",`
			`"PATCH": "change",`
add API v2 2020-01-30 14:47:36 +01:00			`}`

Format code using black 2021-05-27 16:23:02 +02:00
add API v2 2020-01-30 14:47:36 +01:00			`def get_own_obj(request, view):`
			`user = request.user`
chore(api): rename editor role to host 2022-06-27 17:13:05 +02:00			`if user is None or user.role != Role.HOST:`
Format code using black 2021-05-27 16:23:02 +02:00			`return ""`
			`if request.method == "GET":`
			`return ""`
add API v2 2020-01-30 14:47:36 +01:00			`qs = view.queryset.all()`
			`try:`
			`model_owners = []`
			`for model in qs:`
			`owner = model.get_owner()`
			`if owner not in model_owners:`
			`model_owners.append(owner)`
			`if len(model_owners) == 1 and user in model_owners:`
Format code using black 2021-05-27 16:23:02 +02:00			`return "own_"`
add API v2 2020-01-30 14:47:36 +01:00			`except AttributeError:`
Format code using black 2021-05-27 16:23:02 +02:00			`return ""`
			`return ""`

add API v2 2020-01-30 14:47:36 +01:00
			`def get_permission_for_view(request, view):`
			`try:`
			`permission_type = REQUEST_PERMISSION_TYPE_MAP[request.method]`
Format code using black 2021-05-27 16:23:02 +02:00			`if view.__class__.__name__ == "APIRootView":`
chore: add pyupgrade pre-commit hook - add --py3-plus flag to pyupgrade hook - add --py36-plus flag to pyupgrade hook 2022-01-25 23:45:00 +01:00			`return f"{permission_type}_apiroot"`
add API v2 2020-01-30 14:47:36 +01:00			`model = view.model_permission_name`
			`own_obj = get_own_obj(request, view)`
refactor(api): fix pylint errors 2022-04-01 17:29:11 +02:00			`return f"{permission_type}_{own_obj}{model}"`
add API v2 2020-01-30 14:47:36 +01:00			`except AttributeError:`
			`return None`

Format code using black 2021-05-27 16:23:02 +02:00
fix(api): upgrade django code (pre-commit) 2023-04-24 16:49:12 +02:00			`def check_authorization_header(request: Request):`
			`auth_header = request.headers.get("authorization", "")`
Format code using black 2021-05-27 16:23:02 +02:00			`if auth_header.startswith("Api-Key"):`
add API v2 2020-01-30 14:47:36 +01:00			`token = auth_header.split()[1]`
fix(api): prevent timing attacke on api key (#1771) 2022-04-17 18:55:18 +02:00			`return compare_digest(token, settings.CONFIG.general.api_key)`
add API v2 2020-01-30 14:47:36 +01:00			`return False`


			`class IsAdminOrOwnUser(BasePermission):`
			`"""`
			`Implements Django Rest Framework permissions. This is separate from`
			`Django's standard permission system. For details see`
			`https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions`
			`"""`
Format code using black 2021-05-27 16:23:02 +02:00
add API v2 2020-01-30 14:47:36 +01:00			`def has_permission(self, request, view):`
feat(api): rename user model fields (#1902) 2022-06-21 23:43:03 +02:00			`if request.user.is_superuser():`
add API v2 2020-01-30 14:47:36 +01:00			`return True`
			`return False`

			`def has_object_permission(self, request, view, obj):`
feat(api): rename user model fields (#1902) 2022-06-21 23:43:03 +02:00			`if request.user.is_superuser():`
add API v2 2020-01-30 14:47:36 +01:00			`return True`
			`return obj.username == request.user`


			`class IsSystemTokenOrUser(BasePermission):`
			`"""`
			`Implements Django Rest Framework permissions. This is separate from`
			`Django's standard permission system. For details see`
			`https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions`

			`This permission allows services (liquidsoap, 3rd-party, etc) to connect with`
			`an API-Key header. All standard-users (i.e. not using the API-Key) have their`
			`permissions checked against Django's standard permission system.`
			`"""`
Format code using black 2021-05-27 16:23:02 +02:00
add API v2 2020-01-30 14:47:36 +01:00			`def has_permission(self, request, view):`
			`if request.user and request.user.is_authenticated:`
			`perm = get_permission_for_view(request, view)`
			`# Required as view_apiroot is a permission not linked to a specific`
			`# model. This use-case allows users to view the base of the API`
			`# explorer. Their assigned group permissions determine further access`
			`# into the explorer.`
Format code using black 2021-05-27 16:23:02 +02:00			`if perm == "view_apiroot":`
add API v2 2020-01-30 14:47:36 +01:00			`return True`
			`return request.user.has_perm(perm)`
			`return check_authorization_header(request)`

			`def has_object_permission(self, request, view, obj):`
			`if request.user and request.user.is_authenticated:`
			`perm = get_permission_for_view(request, view)`
			`return request.user.has_perm(perm, obj)`
			`return check_authorization_header(request)`