
permissions.py 4.97 KB
from rest_framework import permissions
from rest_framework.exceptions import APIException
from rest_framework.exceptions import PermissionDenied

from core.models import Application
from core.models import Company
from core.models import Student
from core.models import Supervisor


def is_admin_or_student(user):
    """Tell whether ``user`` is an administrator or has a student profile.

    Only the presence of a ``student`` attribute is checked; which student
    record a request may act on is decided at object level by the permission
    classes in this module.
    """
    has_admin_flag = user.is_superuser or user.is_staff
    return has_admin_flag or hasattr(user, "student")


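def is_admin_or_company(user):
    """Return True for administrators and for verified company accounts.

    Superusers and staff pass unconditionally. Any other user must have a
    ``company`` attribute that passes the verification comparison below;
    otherwise the request is rejected with HTTP 403.

    Raises:
        PermissionDenied: the account has no company profile or did not pass
            the verification comparison.
    """
    if user.is_superuser or user.is_staff:
        return True

    # NOTE(review): this compares the related company object itself with
    # Company.VERIFIED. If VERIFIED is a status constant, the intended check
    # is presumably against a status field on the company -- confirm against
    # the Company model, because as written the comparison may reject every
    # company account.
    if not hasattr(user, "company") or user.company != Company.VERIFIED:
        # APIException takes (detail, code): the second positional argument is
        # an error code, not the HTTP status, so the previous call was answered
        # with the default 500. PermissionDenied is an APIException subclass
        # whose status is 403, so denials are reported as denials.
        raise PermissionDenied("This account is not valid company account or has not been verified")

    return True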


def is_admin_or_supervisor(user):
    """Tell whether ``user`` is an administrator or has a supervisor profile.

    Only the presence of a ``supervisor`` attribute is checked; ownership of a
    particular object is decided at object level by the permission classes.
    """
    has_admin_flag = user.is_superuser or user.is_staff
    return has_admin_flag or hasattr(user, "supervisor")


def is_admin_or_supervisor_or_company(user):
    """Tell whether ``user`` is an administrator, a supervisor or a company.

    NOTE(review): unlike ``is_admin_or_company``, a company account passes on
    the mere presence of a ``company`` attribute, with no verification
    comparison -- confirm that unverified companies are meant to be accepted
    wherever this helper is used.
    """
    has_admin_flag = user.is_superuser or user.is_staff
    # any() keeps the attribute probes lazy and in the original order.
    return has_admin_flag or any(hasattr(user, role) for role in ("supervisor", "company"))


class IsAdminOrSelfOrReadOnly(permissions.BasePermission):
    """Read access for everyone; write access for administrators or the owner.

    Only the object-level check is defined here, so the view-level
    ``has_permission`` inherited from ``BasePermission`` applies to list and
    create endpoints. Pair this class with an authentication or role check
    where those endpoints need protection.
    """

    def has_object_permission(self, request, view, obj):
        """Allow safe methods, administrators, or the user the object belongs to."""
        if request.method in permissions.SAFE_METHODS:
            return True

        requester = request.user
        if requester.is_superuser or requester.is_staff:
            return True

        # The object either carries its owner in a `user` attribute or is the
        # user record itself.
        owner = obj.user if hasattr(obj, "user") else obj
        return owner == requester


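class IsAdminOrStudent(permissions.BasePermission):
    """Allow administrators, and students acting on their own student record."""

    def has_permission(self, request, view):
        """View-level gate: the user must be an administrator or a student."""
        return is_admin_or_student(request.user)

    def has_object_permission(self, request, view, obj):
        """Object-level gate: non-admins may only act on their own student.

        ``obj`` is either a ``Student`` or an object exposing a ``student``
        attribute; anything else is rejected.

        Raises:
            PermissionDenied: ``obj`` is not associated with a student.
        """
        user = request.user
        if user.is_superuser or user.is_staff:
            return True

        if isinstance(obj, Student):
            student = obj
        elif hasattr(obj, "student"):
            student = obj.student
        else:
            # Was ``type(obj.__name__)``: an instance normally has no
            # ``__name__``, so the denial path itself failed with
            # AttributeError. The 403 was also passed as APIException's error
            # code rather than its HTTP status; PermissionDenied answers 403.
            raise PermissionDenied(
                "Checking student permission on object {} not associated with Student"
                .format(type(obj).__name__)
            )

        return hasattr(user, "student") and user.student == student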


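class IsAdminOrSupervisor(permissions.BasePermission):
    """Allow administrators, and supervisors acting on their own record."""

    def has_permission(self, request, view):
        """View-level gate: the user must be an administrator or a supervisor."""
        return is_admin_or_supervisor(request.user)

    def has_object_permission(self, request, view, obj):
        """Object-level gate: non-admins may only act on their own supervisor.

        ``obj`` is either a ``Supervisor`` or an object exposing a
        ``supervisor`` attribute; anything else is rejected.

        Raises:
            PermissionDenied: ``obj`` is not associated with a supervisor.
        """
        user = request.user
        if user.is_superuser or user.is_staff:
            return True

        if isinstance(obj, Supervisor):
            supervisor = obj
        elif hasattr(obj, "supervisor"):
            supervisor = obj.supervisor
        else:
            # Was ``type(obj.__name__)``: an instance normally has no
            # ``__name__``, so the denial path itself failed with
            # AttributeError. The 403 was also passed as APIException's error
            # code rather than its HTTP status; PermissionDenied answers 403.
            raise PermissionDenied(
                "Checking supervisor permission on object {} not associated with Supervisor"
                .format(type(obj).__name__)
            )

        return hasattr(user, "supervisor") and user.supervisor == supervisor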


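class IsAdminOrCompany(permissions.BasePermission):
    """Allow administrators, and companies acting on their own record."""

    def has_permission(self, request, view):
        """View-level gate, delegated to ``is_admin_or_company``."""
        return is_admin_or_company(request.user)

    def has_object_permission(self, request, view, obj):
        """Object-level gate: non-admins may only act on their own company.

        ``obj`` is either a ``Company`` or an object exposing a ``company``
        attribute; anything else is rejected.

        Raises:
            PermissionDenied: ``obj`` is not associated with a company.
        """
        user = request.user
        if user.is_superuser or user.is_staff:
            return True

        if isinstance(obj, Company):
            company = obj
        elif hasattr(obj, "company"):
            company = obj.company
        else:
            # Was ``type(obj.__name__)``: an instance normally has no
            # ``__name__``, so the denial path itself failed with
            # AttributeError. The 403 was also passed as APIException's error
            # code rather than its HTTP status; PermissionDenied answers 403.
            raise PermissionDenied(
                "Checking company permission on object {} not associated with Company"
                .format(type(obj).__name__)
            )

        return hasattr(user, "company") and user.company == company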


class IsAdminOrSupervisorOrCompany(permissions.BasePermission):
    """View-level permission for administrators, supervisors and companies.

    No object-level check is defined, so ``has_object_permission`` falls back
    to the ``BasePermission`` implementation.
    """

    def has_permission(self, request, view):
        """Delegate the decision to ``is_admin_or_supervisor_or_company``."""
        requester = request.user
        return is_admin_or_supervisor_or_company(requester)


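class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
    """Object access for admins, supervisors, companies, or the owning student.

    The view-level check is inherited from ``IsAuthenticated``.

    NOTE(review): every supervisor and every account with a ``company``
    attribute passes for any object, and the company branch has no
    verification comparison -- confirm that this breadth is intended.
    """

    def has_object_permission(self, request, view, obj):
        """Allow privileged roles outright; students only on their own object.

        Raises:
            PermissionDenied: the requester is a student and ``obj`` is not
                associated with a student.
        """
        user = request.user
        if user.is_superuser or user.is_staff or hasattr(user, "company") or hasattr(user, "supervisor"):
            return True

        if not hasattr(user, "student"):
            return False

        if isinstance(obj, Student):
            student = obj
        elif hasattr(obj, "student"):
            student = obj.student
        else:
            # Was ``type(obj.__name__)``: an instance normally has no
            # ``__name__``, so the denial path itself failed with
            # AttributeError. The 403 was also passed as APIException's error
            # code rather than its HTTP status; PermissionDenied answers 403.
            raise PermissionDenied(
                "Checking student permission on object {} not associated with Student"
                .format(type(obj).__name__)
            )

        # The student attribute was already confirmed above.
        return user.student == student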


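class IsAdminOrVacancyOwner(permissions.BasePermission):
    """Allow administrators, and the company that owns an application's vacancy."""

    def has_permission(self, request, view):
        """View-level gate, delegated to ``is_admin_or_company``."""
        return is_admin_or_company(request.user)

    def has_object_permission(self, request, view, obj):
        """Object-level gate for ``Application`` objects.

        Non-admins pass only when their company equals the company of the
        application's vacancy.

        Raises:
            PermissionDenied: ``obj`` is not an ``Application``.
        """
        user = request.user
        if user.is_superuser or user.is_staff:
            return True

        if isinstance(obj, Application):
            # Guard the attribute as the sibling classes do, so a requester
            # without a company is refused instead of failing on the lookup
            # if this check is ever reached without has_permission.
            return hasattr(user, "company") and user.company == obj.vacancy.company

        # The 403 used to be passed as APIException's error code, which left
        # the HTTP status at the default 500; PermissionDenied answers 403.
        raise PermissionDenied(
            "Checking owner permission on non-application object"
        )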