Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4cdd65744eaebff9cb00fbcda8951f98a735b41
edx-platform/openedx/core/lib/api/permissions.py
cahrens 023e6ec8cd GET method for user account API.
2015-02-20 14:52:46 -05:00

58 lines
2.0 KiB
Python
Raw Blame History

from django.conf import settings
from rest_framework import permissions
from rest_framework.exceptions import PermissionDenied
from django.http import Http404
class ApiKeyHeaderPermission(permissions.BasePermission):
def has_permission(self, request, view):
"""
Check for permissions by matching the configured API key and header
If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
then allow the request. Otherwise, allow the request if and only if
settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
present in the request and matches the setting.
"""
api_key = getattr(settings, "EDX_API_KEY", None)
return (
(settings.DEBUG and api_key is None) or
(api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key)
)
class IsAuthenticatedOrDebug(permissions.BasePermission):
"""
Allows access only to authenticated users, or anyone if debug mode is enabled.
"""
def has_permission(self, request, view):
if settings.DEBUG:
return True
user = getattr(request, 'user', None)
return user and user.is_authenticated()
class IsUserInUrl(permissions.BasePermission):
"""
Permission that checks to see if the request user matches the user in the URL.
"""
def has_permission(self, request, view):
# Return a 404 instead of a 403 (Unauthorized). If one user is looking up
# other users, do not let them deduce the existence of an account.
if request.user.username != request.parser_context.get('kwargs', {}).get('username', None):
raise Http404()
return True
class IsUserInUrlOrStaff(IsUserInUrl):
"""
Permission that checks to see if the request user matches the user in the URL or has is_staff access.
"""
def has_permission(self, request, view):
if request.user.is_staff:
return True
return super(IsUserInUrlOrStaff, self).has_permission(request, view)
Reference in New Issue View Git Blame Copy Permalink