Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 1 | """Authorization permission classes for accessing the API.""" |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 2 | import logging |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 3 | |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame] | 4 | from django.core.exceptions import ObjectDoesNotExist |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 5 | from rest_framework.permissions import BasePermission |
Mitja Nikolaus | bcaf502 | 2018-08-30 16:40:38 +0200 | [diff] [blame] | 6 | from crashreports.models import Device |
Mitja Nikolaus | 78e3a05 | 2018-09-05 12:18:35 +0200 | [diff] [blame] | 7 | from hiccup.allauth_adapters import FP_STAFF_GROUP_NAME |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 8 | |
| 9 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 10 | def user_owns_uuid(user, uuid): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 11 | """Determine whether a user is owning the device with the given UUID. |
| 12 | |
| 13 | Args: |
| 14 | user: The user making the request. |
| 15 | uuid: The UUID of the device to be manipulated. |
| 16 | |
| 17 | Returns: True if the user owns the device. |
| 18 | |
| 19 | """ |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 20 | try: |
| 21 | device = Device.objects.get(user=user) |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame] | 22 | except (ObjectDoesNotExist, TypeError): |
| 23 | # If the device does not exist or type of the given user is not |
| 24 | # correct, False is returned. |
| 25 | return False |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 26 | except Exception as exception: # pylint: disable=broad-except |
Mitja Nikolaus | ff2d180 | 2018-09-13 11:15:18 +0200 | [diff] [blame] | 27 | # All other exceptions are logged and False is returned. |
Mitja Nikolaus | e1389bd | 2018-08-30 17:09:04 +0200 | [diff] [blame] | 28 | logging.exception(exception) |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 29 | return False |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 30 | if uuid == device.uuid: |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 31 | return True |
| 32 | return False |
| 33 | |
| 34 | |
| 35 | def user_is_hiccup_staff(user): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 36 | """Determine whether a user is part of the Hiccup staff. |
| 37 | |
| 38 | Returns true if either the user is part of the group |
Mitja Nikolaus | 1037bb5 | 2018-11-05 10:22:22 +0100 | [diff] [blame] | 39 | "FairphoneSoftwareTeam". |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 40 | |
| 41 | Args: |
| 42 | user: The user making the request. |
| 43 | |
| 44 | Returns: True if user is part of the Hiccup staff. |
| 45 | |
| 46 | """ |
Mitja Nikolaus | 1037bb5 | 2018-11-05 10:22:22 +0100 | [diff] [blame] | 47 | return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists() |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 48 | |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 49 | |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 50 | class HasStatsAccess(BasePermission): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 51 | """Authorization requires to be part of the Hiccup staff.""" |
| 52 | |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 53 | def has_permission(self, request, view): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 54 | """Check if user is part of the Hiccup staff.""" |
Borjan Tchakaloff | fa134bd | 2018-04-09 16:16:11 +0200 | [diff] [blame] | 55 | return user_is_hiccup_staff(request.user) |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 56 | |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 57 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 58 | class HasRightsOrIsDeviceOwnerDeviceCreation(BasePermission): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 59 | """Authorization requires to be part of Hiccup staff or device owner.""" |
| 60 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 61 | def has_permission(self, request, view): |
Mitja Nikolaus | 6a67913 | 2018-08-30 14:35:29 +0200 | [diff] [blame] | 62 | """Return true if user is part of Hiccp staff or device owner.""" |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 63 | if user_is_hiccup_staff(request.user): |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 64 | return True |
Dirk Vogt | 57a615d | 2017-05-04 22:29:54 +0200 | [diff] [blame] | 65 | |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 66 | # special case: |
| 67 | # user is the owner of a device. in this case creations are allowed. |
| 68 | # we have to check if the device with the supplied uuid indeed |
| 69 | # belongs to the user |
Mitja Nikolaus | cb50f2c | 2018-08-24 13:54:48 +0200 | [diff] [blame] | 70 | if request.method == "POST": |
| 71 | if "uuid" not in request.data: |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 72 | return False |
Dirk Vogt | 7160b5e | 2016-10-12 17:04:40 +0200 | [diff] [blame] | 73 | return user_owns_uuid(request.user, request.data["uuid"]) |
Dirk Vogt | c9e10ab | 2016-10-12 13:58:15 +0200 | [diff] [blame] | 74 | return False |
Mitja Nikolaus | 4d759da | 2018-08-28 15:31:29 +0200 | [diff] [blame] | 75 | |
| 76 | |
| 77 | # Security requirements for swagger documentation |
| 78 | SWAGGER_SECURITY_REQUIREMENTS_OAUTH = [{"Google OAuth": []}] |
Mitja Nikolaus | 78e3a05 | 2018-09-05 12:18:35 +0200 | [diff] [blame] | 79 | SWAGGER_SECURITY_REQUIREMENTS_DEVICE_TOKEN = [ |
| 80 | {"Device token authentication": []} |
| 81 | ] |
Mitja Nikolaus | 4d759da | 2018-08-28 15:31:29 +0200 | [diff] [blame] | 82 | SWAGGER_SECURITY_REQUIREMENTS_ALL = ( |
| 83 | SWAGGER_SECURITY_REQUIREMENTS_OAUTH |
| 84 | + SWAGGER_SECURITY_REQUIREMENTS_DEVICE_TOKEN |
| 85 | ) |