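"""Project custom permissions"""
from rest_framework import permissions
from rest_framework_simplejwt.exceptions import TokenError
from rest_framework_simplejwt.tokens import AccessToken

from account.models import Role, UserRole
from authorization.models import JWTRefreshToken
from utils.tokens import GMRefreshToken


def _jti_from_cookie(raw_token, token_class):
    """Parse *raw_token* with *token_class* and return its ``jti`` claim.

    Returns ``None`` when the cookie value is absent/empty, when the token
    fails simplejwt validation (malformed, bad signature, expired) or when
    the payload carries no ``jti``. A bad cookie is an ordinary "not
    permitted" outcome for a permission class, so ``TokenError`` is turned
    into ``None`` here instead of surfacing as a 500.

    NOTE(review): ``GMRefreshToken`` is a project wrapper; this assumes it
    raises simplejwt's ``TokenError`` on invalid input like ``AccessToken``
    does — any other exception type still propagates as before.
    """
    if not raw_token:
        return None
    try:
        token = token_class(raw_token)
    except TokenError:
        return None
    return token.payload.get('jti')


def _has_country_role(user, obj, role_name):
    """Return True when *user* holds the ``Role`` *role_name* for ``obj.country_id``.

    The role row is looked up first; when no such role exists for that
    country the answer is False outright. Passing ``role=None`` to the
    ``UserRole`` filter instead would match any row with a NULL role, which
    must never count as a grant.
    """
    role = Role.objects.filter(role=role_name, country_id=obj.country_id).first()
    if role is None:
        return False
    return UserRole.objects.filter(user=user, role=role).exists()


class IsAuthenticatedAndTokenIsValid(permissions.BasePermission):
    """Allow only authenticated users whose ``access_token`` cookie is a
    valid token still present in the user's ``access_tokens`` set."""

    def has_permission(self, request, view):
        """Return True when ``request.user`` is authenticated and the
        ``access_token`` cookie parses to a ``jti`` that the user's
        ``access_tokens.valid()`` manager still knows about.

        ``valid()`` and ``by_jti()`` are project manager methods from the
        account app; presumably they exclude expired/revoked rows — confirm
        there rather than here.
        """
        user = request.user
        if not user.is_authenticated:
            return False
        jti = _jti_from_cookie(request.COOKIES.get('access_token'), AccessToken)
        if jti is None:
            return False
        return user.access_tokens.valid().by_jti(jti=jti).exists()


class IsRefreshTokenValid(permissions.BasePermission):
    """Allow requests whose ``refresh_token`` cookie maps to a valid
    ``JWTRefreshToken`` row.

    ``has_permission`` deliberately does not require ``request.user`` to be
    authenticated: a refresh usually happens after the access token expired.
    The lookup is by ``jti`` only and is not scoped to ``request.user``.
    NOTE(review): confirm that ``JWTRefreshToken.objects.valid()`` (or the
    view using this class) binds the token to its owner if per-user binding
    is expected.
    """

    def has_permission(self, request, view):
        """Return True when the ``refresh_token`` cookie parses and its
        ``jti`` is found among the valid ``JWTRefreshToken`` rows."""
        jti = _jti_from_cookie(request.COOKIES.get('refresh_token'), GMRefreshToken)
        if jti is None:
            return False
        return JWTRefreshToken.objects.valid().by_jti(jti=jti).exists()

    def has_object_permission(self, request, view, obj):
        """Safe (read-only) methods are allowed for any request; otherwise
        only the object's owner (``obj.user``) or a superuser may act."""
        return bool(
            request.method in permissions.SAFE_METHODS
            or obj.user == request.user
            or request.user.is_superuser
        )


class IsGuest(permissions.IsAuthenticatedOrReadOnly):
    """Object-level rule: safe methods pass for anyone the view admits;
    unsafe methods are reserved for superusers.

    The ``IsAuthenticatedOrReadOnly`` base still rejects unauthenticated
    writes at ``has_permission``.
    """

    def has_object_permission(self, request, view, obj):
        return bool(request.method in permissions.SAFE_METHODS or request.user.is_superuser)


class IsStandardUser(IsGuest):
    """``IsGuest`` plus: the object's owner may modify it once their e-mail
    address is confirmed.

    Assumes the model instance has a ``user`` attribute and that the user
    model exposes ``email_confirmed``.
    """

    def has_object_permission(self, request, view, obj):
        if super().has_object_permission(request, view, obj):
            return True
        return bool(obj.user == request.user and obj.user.email_confirmed)


class IsCommentModerator(IsStandardUser):
    """``IsStandardUser`` plus: a user holding the ``COUNTRY_ADMIN`` or the
    ``COMMENTS_MODERATOR`` role for the object's country may act on objects
    owned by *other* users.

    The country-admin branch lives here because this class used to derive
    from a first ``IsCountryAdmin`` definition that was shadowed by the one
    below; folding it in keeps the behaviour without the duplicate name.
    """

    def has_object_permission(self, request, view, obj):
        if super().has_object_permission(request, view, obj):
            return True
        # Moderation rights apply to other people's objects only; the
        # owner's own objects are already covered by IsStandardUser.
        if obj.user == request.user:
            return False
        return any(
            _has_country_role(request.user, obj, role_name)
            for role_name in (Role.COUNTRY_ADMIN, Role.COMMENTS_MODERATOR)
        )


class IsCountryAdmin(IsGuest):
    """Require the ``COUNTRY_ADMIN`` role for the object's country *in
    addition to* the ``IsGuest`` rule.

    Because the two conditions are ANDed, a role holder who is not a
    superuser can only use safe methods, and even reads are denied to users
    without the role. NOTE(review): if country admins are meant to edit
    objects of their country this should be an OR — confirm against the
    views that use it.
    """

    def has_object_permission(self, request, view, obj):
        if not super().has_object_permission(request, view, obj):
            return False
        return _has_country_role(request.user, obj, Role.COUNTRY_ADMIN)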