Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 1 | """Authorization permission classes for accessing the API.""" |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 2 | import logging |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 3 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 4 | from rest_framework.permissions import BasePermission |
Mitja Nikolaus | bcaf502 | 2018-08-30 16:40:38 +0200 | [diff] [blame] | 5 | from crashreports.models import Device |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 6 | |
| 7 | |
def user_owns_uuid(user, uuid):
    """Check that the device bound to ``user`` carries the given UUID.

    The device is looked up by its ``user`` relation only; the UUID supplied
    by the caller is compared against the stored one afterwards, so a UUID
    belonging to a different user's device never matches.

    Args:
        user: The user making the request.
        uuid: The UUID of the device to be manipulated.

    Returns: True if the user owns the device, False otherwise (including
        when the device lookup fails for any reason).

    """
    try:
        owned_device = Device.objects.get(user=user)
    except Exception as exception:  # pylint: disable=broad-except
        # Fail closed: any lookup error (e.g. no device, or more than one,
        # for this user) is logged with its traceback and treated as
        # "not the owner" rather than propagated to the caller.
        logging.exception(exception)
        return False
    return bool(uuid == owned_device.uuid)
| 26 | |
| 27 | |
def user_is_hiccup_staff(user):
    """Determine whether a user is part of the Hiccup staff.

    A user counts as staff when they are a member of the group
    "FairphoneSoftwareTeam". Otherwise the decision is whatever
    ``user.has_perms`` returns for the full permission list below, i.e.
    every listed permission must be held.

    Args:
        user: The user making the request.

    Returns: True if user is part of the Hiccup staff.

    """
    # NOTE(review): Django's auto-created model permissions use the codenames
    # add_/change_/delete_/view_<model>. The "del_*" codenames and the
    # "heartbeat.*_crashreport" entries under the "Heartbeats" heading do not
    # follow that scheme. Unless custom permissions with exactly these names
    # are defined elsewhere, this branch presumably only succeeds for users
    # that bypass individual permission checks (e.g. active superusers).
    # Confirm against the project's permissions before editing: changing
    # these strings changes who is authorized.
    required_permissions = [
        # Crashreports
        "crashreports.add_crashreport",
        "crashreports.change_crashreport",
        "crashreports.del_crashreport",
        # Heartbeats
        "heartbeat.add_crashreport",
        "heartbeat.change_crashreport",
        "heartbeat.del_crashreport",
        # Logfiles
        "heartbeat.add_logfile",
        "heartbeat.change_logfile",
        "heartbeat.del_logfile",
    ]

    # Group membership is checked first; the permission lookup is skipped
    # entirely for members of the staff group.
    in_staff_group = user.groups.filter(name="FairphoneSoftwareTeam").exists()
    if not in_staff_group:
        return user.has_perms(required_permissions)
    return True
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 59 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 60 | |
class HasStatsAccess(BasePermission):
    """Permission class that admits only members of the Hiccup staff."""

    def has_permission(self, request, view):
        """Return whether the requesting user is part of the Hiccup staff.

        The decision is delegated to ``user_is_hiccup_staff`` and does not
        depend on the request method or on ``view``.
        """
        requesting_user = request.user
        return user_is_hiccup_staff(requesting_user)
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 67 | |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 68 | |
class HasRightsOrIsDeviceOwnerDeviceCreation(BasePermission):
    """Authorization requires to be part of Hiccup staff or device owner."""

    def has_permission(self, request, view):
        """Return true if user is part of Hiccup staff or device owner.

        Staff members are allowed for every request method. Everyone else
        is allowed only for POST requests whose body carries a ``uuid``
        that matches the device registered to the requesting user.
        """
        requesting_user = request.user
        if user_is_hiccup_staff(requesting_user):
            return True

        # Non-staff users may only create (POST); every other method is
        # denied here.
        if request.method != "POST":
            return False

        # A creation without a device UUID cannot be tied to an owner.
        if "uuid" not in request.data:
            return False

        # Special case: the user is the owner of a device, in which case
        # creations are allowed. The supplied UUID must indeed belong to
        # the device of this user.
        # NOTE(review): only the "uuid" field of the request body is
        # validated here; whether the view stores the new object under that
        # same field is not visible from this class - confirm in the view.
        return user_owns_uuid(requesting_user, request.data["uuid"])