Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 1 | from crashreports.models import Device |
| 2 | from rest_framework.permissions import BasePermission |
| 3 | |
| 4 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 5 | def user_owns_uuid(user, uuid): |
| 6 | try: |
| 7 | device = Device.objects.get(user=user) |
| 8 | except: |
| 9 | return False |
| 10 | if (uuid == device.uuid): |
| 11 | return True |
| 12 | return False |
| 13 | |
| 14 | |
| 15 | def user_is_hiccup_staff(user): |
| 16 | return (user.has_perm('crashreports.add_crashreport') |
| 17 | and user.has_perm('crashreports.change_crashreport') |
| 18 | and user.has_perm('crashreports.del_crashreport') |
| 19 | and user.has_perm('heartbeat.add_crashreport') |
| 20 | and user.has_perm('heartbeat.change_crashreport') |
| 21 | and user.has_perm('heartbeat.del_crashreport') |
| 22 | and user.has_perm('heartbeat.add_logfile') |
| 23 | and user.has_perm('heartbeat.change_logfile') |
| 24 | and user.has_perm('heartbeat.del_logfile')) |
| 25 | |
| 26 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 27 | class HasRightsOrIsDeviceOwnerDeviceCreation(BasePermission): |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 28 | def has_permission(self, request, view): |
| 29 | # if user has all permissions for crashreport return true |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 30 | if (user_is_hiccup_staff(request.user)): |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 31 | return True |
Dirk Vogt | 57a615d | 2017-05-04 22:29:54 +0200 | [diff] [blame] | 32 | |
| 33 | if (request.user.groups.filter(name='FairphoneSoftwareTeam').exists()): |
| 34 | return True |
| 35 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 36 | # special case: |
| 37 | # user is the owner of a device. in this case creations are allowed. |
| 38 | # we have to check if the device with the supplied uuid indeed |
| 39 | # belongs to the user |
| 40 | if request.method == 'POST': |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 41 | if ('uuid' not in request.data): |
| 42 | return False |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 43 | return user_owns_uuid(request.user, request.data["uuid"]) |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 44 | return False |