added permission classes for sharing + tests

2020-10-15 23:41:38 +02:00
parent 5c1cecb7e7
commit cd46203d55
4 changed files with 69 additions and 8 deletions
--- a/cookbook/helper/permission_helper.py
+++ b/cookbook/helper/permission_helper.py
@ -72,6 +72,23 @@ def is_object_owner(user, obj):
    return False


+def is_object_shared(user, obj):
+    """
+    Tests if a given user is shared for a given object
+    test performed by checking user against the objects shared table
+    superusers bypass all checks, unauthenticated users cannot own anything
+    :param user django auth user object
+    :param obj any object that should be tested
+    :return: true if user is shared for object, false otherwise
+    """
+    # TODO this could be improved/cleaned up by adding share checks for relevant objects
+    if not user.is_authenticated:
+        return False
+    if user.is_superuser:
+        return True
+    return user in obj.shared.all()
+
+
 def share_link_valid(recipe, share):
    """
    Verifies the validity of a share uuid
@ -147,6 +164,21 @@ class CustomIsOwner(permissions.BasePermission):
        return is_object_owner(request.user, obj)


+class CustomIsShared(permissions.BasePermission): # TODO function duplicate name
+    """
+    Custom permission class for django rest framework views
+    verifies user is shared for the object he is trying to access
+    """
+    message = _('You cannot interact with this object as its not owned by you!')
+
+    def has_permission(self, request, view):
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request, view, obj):
+        print("called is shared")
+        return is_object_shared(request.user, obj)
+
+
 class CustomIsGuest(permissions.BasePermission):
    """
    Custom permission class for django rest framework views