Skip to content

E
edx-platform
Switch branch/tag
Find file
Normal viewHistoryPermalink
permissions.py 6.15 KB
Newer Older
mattdrayer/increment-edx-lint: Bump to v0.2.9 and address pylint/pep8 violations
1eab25f2
 
Matt Drayer committed
1 2 3 4 
"""
API library for Django REST Framework permissions-oriented workflows
"""
Added Course Structure API
2854bb95
 
Clinton Blackburn committed
5 
from django.conf import settings
GET method for user account API.
023e6ec8
 
cahrens committed
6 
from django.http import Http404
Modified permission classes for CCX REST APIs
7683eadc
 
Giovanni Di Milia committed
7 8 
from opaque_keys import InvalidKeyError
from opaque_keys.edx.keys import CourseKey
Reorder imports using isort (except lms and cms)
93235d11
 
Andy Armstrong committed
9 
from rest_framework import permissions
TNL-1897 Implement Course Team API
9d336c33
 
Ben McMorran committed
10
Add logging when header permissions in use.
dc4150ca
 
Edward Fagin committed
11 
from openedx.core.lib.log_utils import audit_log
Reorder imports using isort (except lms and cms)
93235d11
 
Andy Armstrong committed
12 
from student.roles import CourseInstructorRole, CourseStaffRole
Add logging when header permissions in use.
dc4150ca
 
Edward Fagin committed
13
Added Course Structure API
2854bb95
 
Clinton Blackburn committed
14 15 

class ApiKeyHeaderPermission(permissions.BasePermission):
mattdrayer/increment-edx-lint: Bump to v0.2.9 and address pylint/pep8 violations
1eab25f2
 
Matt Drayer committed
16 17 18 
    """
    Django REST Framework permissions class used to manage API Key integrations
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
19
Added Course Structure API
2854bb95
 
Clinton Blackburn committed
20 21 22 23 24 25 26 27 28 29 
    def has_permission(self, request, view):
        """
        Check for permissions by matching the configured API key and header

        If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
        then allow the request. Otherwise, allow the request if and only if
        settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
        present in the request and matches the setting.
        """
        api_key = getattr(settings, "EDX_API_KEY", None)
Add logging when header permissions in use.
dc4150ca
 
Edward Fagin committed
30 31 32 33 34 35 36 37 38 39 40 

        if settings.DEBUG and api_key is None:
            return True

        elif api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key:
            audit_log("ApiKeyHeaderPermission used",
                      path=request.path,
                      ip=request.META.get("REMOTE_ADDR"))
            return True

        return False
Added Course Structure API
2854bb95
 
Clinton Blackburn committed
41 42
Allow the enrollment API to be accessed via API keys.
1e4f1b58
 
Diana Huang committed
43 44 45 46 47 48 
class ApiKeyHeaderPermissionIsAuthenticated(ApiKeyHeaderPermission, permissions.IsAuthenticated):
    """
    Allow someone to access the view if they have the API key OR they are authenticated.

    See ApiKeyHeaderPermission for more information how the API key portion is implemented.
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
49
Allow the enrollment API to be accessed via API keys.
1e4f1b58
 
Diana Huang committed
50 
    def has_permission(self, request, view):
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
51 
        # TODO We can optimize this later on when we know which of these methods is used more often.
Allow the enrollment API to be accessed via API keys.
1e4f1b58
 
Diana Huang committed
52 53 54 55 56 
        api_permissions = ApiKeyHeaderPermission.has_permission(self, request, view)
        is_authenticated_permissions = permissions.IsAuthenticated.has_permission(self, request, view)
        return api_permissions or is_authenticated_permissions
GET method for user account API.
023e6ec8
 
cahrens committed
57 58 59 60 
class IsUserInUrl(permissions.BasePermission):
    """
    Permission that checks to see if the request user matches the user in the URL.
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
61
GET method for user account API.
023e6ec8
 
cahrens committed
62 
    def has_permission(self, request, view):
Implement profile_image upload and remove endpoints
46b63164
 
jsa committed
63 64 65 66 67 68 
        """
        Returns true if the current request is by the user themselves.

        Note: a 404 is returned for non-staff instead of a 403. This is to prevent
        users from being able to detect the existence of accounts.
        """
Add the preferences endpoint to the User API
6976a33a
 
Andy Armstrong committed
69 70 
        url_username = request.parser_context.get('kwargs', {}).get('username', '')
        if request.user.username.lower() != url_username.lower():
Implement profile_image upload and remove endpoints
46b63164
 
jsa committed
71 72 
            if request.user.is_staff:
                return False  # staff gets 403
GET method for user account API.
023e6ec8
 
cahrens committed
73 74 
            raise Http404()
        return True
Implement profile_image upload and remove endpoints
46b63164
 
jsa committed
75 76
Modified permission classes for CCX REST APIs
7683eadc
 
Giovanni Di Milia committed
77 
class IsCourseStaffInstructor(permissions.BasePermission):
Added CCX REST APIs
e63194c1
 
Giovanni Di Milia committed
78 
    """
Modified permission classes for CCX REST APIs
7683eadc
 
Giovanni Di Milia committed
79 80 81 
    Permission to check that user is a course instructor or staff of
    a master course given a course object or the user is a coach of
    the course itself.
Added CCX REST APIs
e63194c1
 
Giovanni Di Milia committed
82 83 84 
    """

    def has_object_permission(self, request, view, obj):
Modified permission classes for CCX REST APIs
7683eadc
 
Giovanni Di Milia committed
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 
        return (hasattr(request, 'user') and
                # either the user is a staff or instructor of the master course
                (hasattr(obj, 'course_id') and
                 (CourseInstructorRole(obj.course_id).has_user(request.user) or
                  CourseStaffRole(obj.course_id).has_user(request.user))) or
                # or it is a safe method and the user is a coach on the course object
                (request.method in permissions.SAFE_METHODS
                 and hasattr(obj, 'coach') and obj.coach == request.user))


class IsMasterCourseStaffInstructor(permissions.BasePermission):
    """
    Permission to check that user is instructor or staff of the master course.
    """
    def has_permission(self, request, view):
        """
        This method is assuming that a `master_course_id` parameter
        is available in the request as a GET parameter, a POST parameter
        or it is in the JSON payload included in the request.
        The reason is because this permission class is going
        to check if the user making the request is an instructor
        for the specified course.
        """
        master_course_id = (request.GET.get('master_course_id')
                            or request.POST.get('master_course_id')
                            or request.data.get('master_course_id'))
        if master_course_id is not None:
            try:
                course_key = CourseKey.from_string(master_course_id)
            except InvalidKeyError:
                raise Http404()
            return (hasattr(request, 'user') and
                    (CourseInstructorRole(course_key).has_user(request.user) or
                     CourseStaffRole(course_key).has_user(request.user)))
        return False
Added CCX REST APIs
e63194c1
 
Giovanni Di Milia committed
120 121
Implement profile_image upload and remove endpoints
46b63164
 
jsa committed
122 123 124 125 
class IsUserInUrlOrStaff(IsUserInUrl):
    """
    Permission that checks to see if the request user matches the user in the URL or has is_staff access.
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
126
Implement profile_image upload and remove endpoints
46b63164
 
jsa committed
127 128 129 130 131 
    def has_permission(self, request, view):
        if request.user.is_staff:
            return True

        return super(IsUserInUrlOrStaff, self).has_permission(request, view)
TNL-1897 Implement Course Team API
9d336c33
 
Ben McMorran committed
132 133 134 135 136 137 


class IsStaffOrReadOnly(permissions.BasePermission):
    """Permission that checks to see if the user is global or course
    staff, permitting only read-only access if they are not.
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
138
TNL-1897 Implement Course Team API
9d336c33
 
Ben McMorran committed
139 140 141 142 
    def has_object_permission(self, request, view, obj):
        return (request.user.is_staff or
                CourseStaffRole(obj.course_id).has_user(request.user) or
                request.method in permissions.SAFE_METHODS)
Rewrote Credit API
92153752
 
Clinton Blackburn committed
143 144 145 146 147 148 149 


class IsStaffOrOwner(permissions.BasePermission):
    """
    Permission that allows access to admin users or the owner of an object.
    The owner is considered the User object represented by obj.user.
    """
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
150
Rewrote Credit API
92153752
 
Clinton Blackburn committed
151 152 153 154 155 
    def has_object_permission(self, request, view, obj):
        return request.user.is_staff or obj.user == request.user

    def has_permission(self, request, view):
        user = request.user
Fixed Permissions Bug
dfadb283
 
Clinton Blackburn committed
156 157 
        return user.is_staff \
            or (user.username == request.GET.get('username')) \
Check API View kwargs for username when checking for staff or owner permission
b44864b3
 
Douglas Hall committed
158 159 
            or (user.username == getattr(request, 'data', {}).get('username')) \
            or (user.username == getattr(view, 'kwargs', {}).get('username'))