Source code for rpaper.apps.reservations.perms

from permission.logics import PermissionLogic
from .middleware import get_record_credential



[docs]class ThingPermissionLogic(PermissionLogic):

[docs]    def has_perm(self, user_obj, perm, obj=None):
        add_permission = self.get_full_permission_string('add')
        change_permission = self.get_full_permission_string('change')
        delete_permission = self.get_full_permission_string('delete')

        if perm not in (add_permission, change_permission, delete_permission):
            return False
        elif obj is None:
            return user_obj.is_authenticated()
        return obj.owner == user_obj




[docs]class RecordPermissionLogic(PermissionLogic):

[docs]    def has_perm(self, user_obj, perm, obj=None):
        add_permission = self.get_full_permission_string('add')
        change_permission = self.get_full_permission_string('change')
        delete_permission = self.get_full_permission_string('delete')

        if perm not in (add_permission, change_permission, delete_permission):
            return False
        elif perm == add_permission:
            return True
        elif obj is None:
            return True
        if obj.owner:
            # NOTE:
            # DO NOT FALLBACK TO 'CREDENTIAL' WAY.
            # As I explained below, the 'credential' way has a security risk.
            # So I would like to prepare 'a secure way' for an authenticated
            # user. If a record has made by an authenticated user, the
            # record SHOULD ONLY BE modifiable by that authenticated user.
            # In this case, if the user logged out, even users who share the
            # same web-browser cannot touch the record unless he/she have
            # a way to logged in as that user.
            return obj.owner == user_obj
        # NOTE:
        # The 'credential' way is not secure.
        # While the 'credential' is assumed to saved in a localStorage, users
        # who share same web-browser suffer a security risk. A user can see a
        # 'credential' of other's if he/she have enough skill to dig.
        # However, while the target of this service is a real object in a real
        # world, what he/she can do with a 'credential' is removing/updating
        # the record and the advantage he/she can get is not so valuable.
        # So that I just decided to ignore this security risk for an anonyomous
        # user.
        credential = get_record_credential()
        return credential and str(obj.credential) == credential



PERMISSION_LOGICS = (
    ('reservations.Thing', ThingPermissionLogic()),
    ('reservations.Record', RecordPermissionLogic()),
)