Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 1 | """Authorization permission classes for accessing the API.""" |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 2 | import logging |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 3 | |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame^] | 4 | from django.core.exceptions import ObjectDoesNotExist |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 5 | from rest_framework.permissions import BasePermission |
Mitja Nikolaus | bcaf502 | 2018-08-30 16:40:38 +0200 | [diff] [blame] | 6 | from crashreports.models import Device |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 7 | |
| 8 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 9 | def user_owns_uuid(user, uuid): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 10 | """Determine whether a user is owning the device with the given UUID. |
| 11 | |
| 12 | Args: |
| 13 | user: The user making the request. |
| 14 | uuid: The UUID of the device to be manipulated. |
| 15 | |
| 16 | Returns: True if the user owns the device. |
| 17 | |
| 18 | """ |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 19 | try: |
| 20 | device = Device.objects.get(user=user) |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame^] | 21 | except (ObjectDoesNotExist, TypeError): |
| 22 | # If the device does not exist or type of the given user is not |
| 23 | # correct, False is returned. |
| 24 | return False |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 25 | except Exception as exception: # pylint: disable=broad-except |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame^] | 26 | # All other exceptions are logged and False is returned. |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 27 | logging.exception(exception) |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 28 | return False |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 29 | if uuid == device.uuid: |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 30 | return True |
| 31 | return False |
| 32 | |
| 33 | |
| 34 | def user_is_hiccup_staff(user): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 35 | """Determine whether a user is part of the Hiccup staff. |
| 36 | |
| 37 | Returns true if either the user is part of the group |
| 38 | "FairphoneSoftwareTeam", or he/she has all permissions for manipulating |
| 39 | crashreports, heartbeats and logfiles. |
| 40 | |
| 41 | Args: |
| 42 | user: The user making the request. |
| 43 | |
| 44 | Returns: True if user is part of the Hiccup staff. |
| 45 | |
| 46 | """ |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 47 | if user.groups.filter(name="FairphoneSoftwareTeam").exists(): |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 48 | return True |
Mitja Nikolaus | b4e3bec | 2018-08-30 17:16:21 +0200 | [diff] [blame] | 49 | return user.has_perms( |
| 50 | [ |
| 51 | # Crashreports |
| 52 | "crashreports.add_crashreport", |
| 53 | "crashreports.change_crashreport", |
| 54 | "crashreports.del_crashreport", |
| 55 | # Heartbeats |
| 56 | "heartbeat.add_crashreport", |
| 57 | "heartbeat.change_crashreport", |
| 58 | "heartbeat.del_crashreport", |
| 59 | # Logfiles |
| 60 | "heartbeat.add_logfile", |
| 61 | "heartbeat.change_logfile", |
| 62 | "heartbeat.del_logfile", |
| 63 | ] |
| 64 | ) |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 65 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 66 | |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 67 | class HasStatsAccess(BasePermission): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 68 | """Authorization requires to be part of the Hiccup staff.""" |
| 69 | |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 70 | def has_permission(self, request, view): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 71 | """Check if user is part of the Hiccup staff.""" |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 72 | return user_is_hiccup_staff(request.user) |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 73 | |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 74 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 75 | class HasRightsOrIsDeviceOwnerDeviceCreation(BasePermission): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 76 | """Authorization requires to be part of Hiccup staff or device owner.""" |
| 77 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 78 | def has_permission(self, request, view): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 79 | """Return true if user is part of Hiccp staff or device owner.""" |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 80 | if user_is_hiccup_staff(request.user): |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 81 | return True |
Dirk Vogt | 57a615d | 2017-05-04 22:29:54 +0200 | [diff] [blame] | 82 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 83 | # special case: |
| 84 | # user is the owner of a device. in this case creations are allowed. |
| 85 | # we have to check if the device with the supplied uuid indeed |
| 86 | # belongs to the user |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 87 | if request.method == "POST": |
| 88 | if "uuid" not in request.data: |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 89 | return False |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 90 | return user_owns_uuid(request.user, request.data["uuid"]) |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 91 | return False |