Restrict create/update/delete Applications to authorised users

490f7db5 · James Graham · bfdb52d7 · 490f7db5 · 490f7db5 · 490f7db5
Commit 490f7db5 authored 6 years ago by James Graham
--- a/applications/admin.py
+++ b/applications/admin.py
+from django.contrib import admin
+
+from . import models
+
+
+class ApplicationAdmin(admin.ModelAdmin):
+    pass
+
+
+admin.site.register(models.Application, ApplicationAdmin)
--- a/applications/models.py
+++ b/applications/models.py
@@ -15,6 +15,9 @@ class Application(models.Model):
    url = models.URLField(blank=False, null=False)

    owner = models.ForeignKey(settings.AUTH_USER_MODEL,
+                              limit_choices_to={
+                                  'groups__name': 'Application providers'
+                              },
                              on_delete=models.PROTECT,
                              related_name='applications',
                              blank=False, null=False)
@@ -22,3 +25,6 @@ class Application(models.Model):
    def get_absolute_url(self):
        return reverse('applications:application.detail',
                       kwargs={'pk': self.pk})
+
+    def __str__(self):
+        return self.name
--- a/applications/views.py
+++ b/applications/views.py
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.urls import reverse_lazy
 from django.views.generic.detail import DetailView
 from django.views.generic.edit import CreateView, UpdateView, DeleteView
 from django.views.generic.list import ListView

 from . import models
+from profiles.permissions import OwnerPermissionRequiredMixin


 class ApplicationListView(ListView):
@@ -12,12 +14,14 @@ class ApplicationListView(ListView):
    context_object_name = 'applications'


-class ApplicationCreateView(CreateView):
+class ApplicationCreateView(PermissionRequiredMixin, CreateView):
    model = models.Application
    fields = '__all__'
    template_name = 'applications/application/create.html'
    context_object_name = 'application'

+    permission_required = 'applications.add_application'
+

 class ApplicationDetailView(DetailView):
    model = models.Application
@@ -25,15 +29,19 @@ class ApplicationDetailView(DetailView):
    context_object_name = 'application'


-class ApplicationUpdateView(UpdateView):
+class ApplicationUpdateView(OwnerPermissionRequiredMixin, UpdateView):
    model = models.Application
    fields = '__all__'
    template_name = 'applications/application/update.html'
    context_object_name = 'application'

+    permission_required = 'applications.change_application'
+

-class ApplicationDeleteView(DeleteView):
+class ApplicationDeleteView(OwnerPermissionRequiredMixin, DeleteView):
    model = models.Application
    template_name = 'applications/application/delete.html'
    context_object_name = 'application'
    success_url = reverse_lazy('applications:application.list')
+
+    permission_required = 'applications.delete_application'
--- a/pedasi/settings.py
+++ b/pedasi/settings.py
@@ -16,6 +16,8 @@ https://docs.djangoproject.com/en/2.0/howto/deployment/checklist/

 import os

+from django.urls import reverse_lazy
+
 from decouple import config
 import dj_database_url

@@ -129,6 +131,8 @@ PASSWORD_HASHERS = [
 # Set custom user model
 AUTH_USER_MODEL = 'profiles.User'

+LOGIN_URL = reverse_lazy('profiles:login')
+

 # Internationalization
 # https://docs.djangoproject.com/en/2.0/topics/i18n/

--- a/profiles/admin.py
+++ b/profiles/admin.py
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin
+
+from . import models
+
+
+admin.site.register(models.User, UserAdmin)
--- a/profiles/fixtures/auth.Group.json
+++ b/profiles/fixtures/auth.Group.json
+[
+  {
+    "model": "auth.group",
+    "pk": 1,
+    "fields": {
+      "name": "Application Providers",
+      "permissions": [
+        19,
+        20,
+        21
+      ]
+    }
+  },
+  {
+    "model": "auth.group",
+    "pk": 2,
+    "fields": {
+      "name": "Data Providers",
+      "permissions": [
+        22,
+        23,
+        24
+      ]
+    }
+  }
+]
\ No newline at end of file
--- a/profiles/permissions.py
+++ b/profiles/permissions.py
+from django.contrib.auth.mixins import PermissionRequiredMixin
+
+
+class OwnerPermissionRequiredMixin(PermissionRequiredMixin):
+    """
+    Mixin to require that a user has the relevant global permission and is the owner of the relevant object.
+
+    TODO replace this with 'django-guardian' once it supports Django 2.1 or use 'rules'
+    """
+    owner_attribute = 'owner'
+
+    def has_permission(self) -> bool:
+        """
+        Require the the user has the relevant global permission and is the owner of this object.
+
+        :return: Does the user have permission to perform this action?
+        """
+        return super().has_permission() and self.request.user == getattr(self.get_object(), self.owner_attribute)