Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 1 | """Authorization permission classes for accessing the API.""" |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame^] | 2 | import logging |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 4 | from rest_framework.permissions import BasePermission |
Mitja Nikolaus | bcaf502 | 2018-08-30 16:40:38 +0200 | [diff] [blame] | 5 | from crashreports.models import Device |
def user_owns_uuid(user, uuid):
    """Report whether the device registered to a user carries the given UUID.

    The check fails closed: any error raised while looking up the user's
    device is logged and treated as "not the owner".

    Args:
        user: The user making the request.
        uuid: The UUID of the device to be manipulated.

    Returns: True if the user owns the device, False otherwise (including
        when the device lookup raises).

    """
    try:
        # get() raises unless exactly one Device row matches this user.
        # NOTE(review): this presumes at most one device per user; a user
        # with several devices would always be denied here. Confirm against
        # the Device model.
        owned_device = Device.objects.get(user=user)
    except Exception as lookup_error:  # pylint: disable=broad-except
        # Deny on every lookup failure, but keep the traceback in the log so
        # unexpected errors are not mistaken for ordinary denials.
        logging.exception(lookup_error)
        return False
    return bool(uuid == owned_device.uuid)
def user_is_hiccup_staff(user):
    """Report whether a user counts as Hiccup staff.

    A user qualifies either by membership in the "FairphoneSoftwareTeam"
    group or by holding every permission in the list below (has_perms
    requires all of them, not any of them).

    Args:
        user: The user making the request.

    Returns: True if the user is in the staff group, otherwise the result of
        the all-permissions check.

    """
    # NOTE(review): Django's auto-created model permissions are named
    # "<app_label>.<add|change|delete|view>_<model>". The "del_" prefix and
    # the "heartbeat.*_crashreport" / "heartbeat.*_logfile" entries do not
    # follow that scheme. Unless these are declared as custom permissions
    # elsewhere, this branch can presumably only succeed for accounts that
    # bypass permission checks (e.g. active superusers). Confirm against the
    # models before relying on it.
    required_permissions = [
        # Crashreports
        "crashreports.add_crashreport",
        "crashreports.change_crashreport",
        "crashreports.del_crashreport",
        # Heartbeats
        "heartbeat.add_crashreport",
        "heartbeat.change_crashreport",
        "heartbeat.del_crashreport",
        # Logfiles
        "heartbeat.add_logfile",
        "heartbeat.change_logfile",
        "heartbeat.del_logfile",
    ]

    # Group membership alone is sufficient; the permission list is only
    # consulted for users outside the group.
    if user.groups.filter(name="FairphoneSoftwareTeam").exists():
        return True
    return user.has_perms(required_permissions)
class HasStatsAccess(BasePermission):
    """Permission class that admits only members of the Hiccup staff.

    Only the request-level check is defined here; the decision depends on
    the requesting user alone, not on the HTTP method or the view.
    """

    def has_permission(self, request, view):
        """Return whether the requesting user is part of the Hiccup staff."""
        requesting_user = request.user
        return user_is_hiccup_staff(requesting_user)
class HasRightsOrIsDeviceOwnerDeviceCreation(BasePermission):
    """Permission class for Hiccup staff, or device owners creating data.

    Staff are admitted for every HTTP method. Any other user is admitted
    only for a POST whose body names a UUID that belongs to that user's
    device.
    """

    def has_permission(self, request, view):
        """Return true if user is part of Hiccup staff or device owner."""
        if user_is_hiccup_staff(request.user):
            return True

        # Non-staff users may only create (POST); every other method is
        # denied before the request body is looked at.
        if request.method != "POST":
            return False

        # The UUID comes from the client-supplied body, so it is never
        # trusted on its own: a missing UUID is denied, and a supplied one
        # must match the device registered to the authenticated user.
        if "uuid" not in request.data:
            return False
        return user_owns_uuid(request.user, request.data["uuid"])