3 =^#@s0dZddlmZddlmZddlmZddlmZd(Z Gd d d Z Gd d d e Z Gd dde Z GdddZ GdddZGdddZGddde eZejeGdddeZGdddeZGdddeZGdddeZGdd d eZGd!d"d"eZGd#d$d$eZGd%d&d&eZd'S))z2 Provides a set of pluggable permission policies. )unicode_literals)Http404)six) exceptionsGETHEADOPTIONSc@s4eZdZddZddZddZddZd d Zd S) OperationHolderMixincCs tt||S)N) OperandHolderAND)selfotherrI/tmp/pip-build-8app2_gc/djangorestframework/rest_framework/permissions.py__and__szOperationHolderMixin.__and__cCs tt||S)N)r OR)r r rrr__or__szOperationHolderMixin.__or__cCs tt||S)N)r r )r r rrr__rand__szOperationHolderMixin.__rand__cCs tt||S)N)r r)r r rrr__ror__szOperationHolderMixin.__ror__cCs tt|S)N)SingleOperandHolderNOT)r rrr __invert__szOperationHolderMixin.__invert__N)__name__ __module__ __qualname__rrrrrrrrrr s r c@seZdZddZddZdS)rcCs||_||_dS)N)operator_class op1_class)r rrrrr__init__ szSingleOperandHolder.__init__cOs|j||}|j|S)N)rr)r argskwargsop1rrr__call__$s zSingleOperandHolder.__call__N)rrrrr!rrrrrsrc@seZdZddZddZdS)r cCs||_||_||_dS)N)rr op2_class)r rrr"rrrr*szOperandHolder.__init__cOs$|j||}|j||}|j||S)N)rr"r)r rrr op2rrrr!/s  zOperandHolder.__call__N)rrrrr!rrrrr )sr c@s$eZdZddZddZddZdS)r cCs||_||_dS)N)r r#)r r r#rrrr6sz AND.__init__cCs|jj||o|jj||S)N)r has_permissionr#)r requestviewrrrr$:szAND.has_permissioncCs |jj|||o|jj|||S)N)r has_object_permissionr#)r r%r&objrrrr'@szAND.has_object_permissionN)rrrrr$r'rrrrr 5sr c@s$eZdZddZddZddZdS)rcCs||_||_dS)N)r r#)r r r#rrrrHsz OR.__init__cCs|jj||p|jj||S)N)r r$r#)r r%r&rrrr$LszOR.has_permissioncCs |jj|||p|jj|||S)N)r r'r#)r r%r&r(rrrr'RszOR.has_object_permissionN)rrrrr$r'rrrrrGsrc@s$eZdZddZddZddZdS)rcCs ||_dS)N)r )r r rrrrZsz NOT.__init__cCs|jj|| S)N)r r$)r r%r&rrrr$]szNOT.has_permissioncCs|jj||| S)N)r r')r r%r&r(rrrr'`szNOT.has_object_permissionN)rrrrr$r'rrrrrYsrc@s eZdZdS)BasePermissionMetaclassN)rrrrrrrr)dsr)c@s eZdZdZddZddZdS)BasePermissionzH A base class from which all permission classes should inherit. cCsdS)zL Return `True` if permission is granted, `False` otherwise. Tr)r r%r&rrrr$nszBasePermission.has_permissioncCsdS)zL Return `True` if permission is granted, `False` otherwise. Tr)r r%r&r(rrrr'tsz$BasePermission.has_object_permissionN)rrr__doc__r$r'rrrrr*hsr*c@seZdZdZddZdS)AllowAnyz Allow any access. This isn't strictly required, since you could use an empty permission_classes list, but it's useful because it makes the intention more explicit. cCsdS)NTr)r r%r&rrrr$szAllowAny.has_permissionN)rrrr+r$rrrrr,{sr,c@seZdZdZddZdS)IsAuthenticatedz4 Allows access only to authenticated users. cCst|jo|jjS)N)booluseris_authenticated)r r%r&rrrr$szIsAuthenticated.has_permissionN)rrrr+r$rrrrr-sr-c@seZdZdZddZdS) IsAdminUserz, Allows access only to admin users. cCst|jo|jjS)N)r.r/Zis_staff)r r%r&rrrr$szIsAdminUser.has_permissionN)rrrr+r$rrrrr1sr1c@seZdZdZddZdS)IsAuthenticatedOrReadOnlyzL The request is authenticated as a user, or is a read-only request. cCst|jtkp|jo|jjS)N)r.method SAFE_METHODSr/r0)r r%r&rrrr$s z(IsAuthenticatedOrReadOnly.has_permissionN)rrrr+r$rrrrr2sr2c@sHeZdZdZgggdgdgdgdgdZdZddZd d Zd d Zd S)DjangoModelPermissionsa} The request is authenticated using `django.contrib.auth` permissions. See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the model. This permission can only be applied against view classes that provide a `.queryset` attribute. z %(app_label)s.add_%(model_name)sz#%(app_label)s.change_%(model_name)sz#%(app_label)s.delete_%(model_name)s)rrrPOSTPUTPATCHDELETETcs>|jj|jjd||jkr&tj|fdd|j|DS)z Given a model and an HTTP method, return the list of permission codes that the user is required to have. ) app_label model_namecsg|] }|qSrr).0perm)rrr szCDjangoModelPermissions.get_required_permissions..)_metar:r; perms_maprMethodNotAllowed)r r3 model_clsr)rrget_required_permissionss    z/DjangoModelPermissions.get_required_permissionscCsbt|ds,t|dddk s,tdj|jjt|dr\|j}|dk sXtdj|jj|S|jS)N get_querysetquerysetz[Cannot apply {} on a view that does not set `.queryset` or have a `.get_queryset()` method.z{}.get_queryset() returned None)hasattrgetattrAssertionErrorformat __class__rrDrE)r r&rErrr _querysets    z DjangoModelPermissions._querysetcCsRt|ddrdS|j s(|jj r,|jr,dS|j|}|j|j|j}|jj|S)NZ_ignore_model_permissionsFT) rGr/r0authenticated_users_onlyrKrCr3model has_perms)r r%r&rEpermsrrrr$s  z%DjangoModelPermissions.has_permissionN) rrrr+r@rLrCrKr$rrrrr5s  r5c@seZdZdZdZdS)$DjangoModelPermissionsOrAnonReadOnlyzj Similar to DjangoModelPermissions, except that anonymous users are allowed read-only access. FN)rrrr+rLrrrrrPsrPc@s<eZdZdZgggdgdgdgdgdZddZdd Zd S) DjangoObjectPermissionsa The request is authenticated using Django's object-level permissions. It requires an object-permissions-enabled backend, such as Django Guardian. It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the object using .has_perms. This permission can only be applied against view classes that provide a `.queryset` attribute. z %(app_label)s.add_%(model_name)sz#%(app_label)s.change_%(model_name)sz#%(app_label)s.delete_%(model_name)s)rrrr6r7r8r9cs>|jj|jjd||jkr&tj|fdd|j|DS)N)r:r;csg|] }|qSrr)r<r=)rrrr>szKDjangoObjectPermissions.get_required_object_permissions..)r?r:r;r@rrA)r r3rBr)rrget_required_object_permissions s    z7DjangoObjectPermissions.get_required_object_permissionsc Csb|j|}|j}|j}|j|j|}|j||s^|jtkr>t|jd|}|j||sZtdSdS)NrFT)rKrMr/rRr3rNr4r) r r%r&r(rErBr/rOZ read_permsrrrr's     z-DjangoObjectPermissions.has_object_permissionN)rrrr+r@rRr'rrrrrQs   rQN)rrr)r+ __future__rZ django.httprZ django.utilsrZrest_frameworkrr4r rr r rrtyper) add_metaclassobjectr*r,r-r1r2r5rPrQrrrrs*           I