@@ -55,16 +55,31 @@ class TokenPermissions(DjangoModelPermissions):
|
|
|
Custom permissions handler which extends the built-in DjangoModelPermissions to validate a Token's write ability
|
|
|
for unsafe requests (POST/PUT/PATCH/DELETE).
|
|
|
"""
|
|
|
+ # Override the stock perm_map to enforce view permissions
|
|
|
+ perms_map = {
|
|
|
+ 'GET': ['%(app_label)s.view_%(model_name)s'],
|
|
|
+ 'OPTIONS': [],
|
|
|
+ 'HEAD': ['%(app_label)s.view_%(model_name)s'],
|
|
|
+ 'POST': ['%(app_label)s.add_%(model_name)s'],
|
|
|
+ 'PUT': ['%(app_label)s.change_%(model_name)s'],
|
|
|
+ 'PATCH': ['%(app_label)s.change_%(model_name)s'],
|
|
|
+ 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
|
|
|
+ }
|
|
|
+
|
|
|
def __init__(self):
|
|
|
+
|
|
|
# LOGIN_REQUIRED determines whether read-only access is provided to anonymous users.
|
|
|
self.authenticated_users_only = settings.LOGIN_REQUIRED
|
|
|
+
|
|
|
super().__init__()
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
+
|
|
|
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
|
|
|
if request.method not in SAFE_METHODS and isinstance(request.auth, Token):
|
|
|
if not request.auth.write_enabled:
|
|
|
return False
|
|
|
+
|
|
|
return super().has_permission(request, view)
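Review bot: The new `'GET'` and `'HEAD'` entries in `perms_map` now require `view_%(model_name)s` for safe requests, which changes what the context comment `# LOGIN_REQUIRED determines whether read-only access is provided to anonymous users.` promises: with `LOGIN_REQUIRED` false, `super().has_permission()` presumably still evaluates those perms against the anonymous user, so anonymous read-only access now depends on the configured authentication backend granting view permissions to unauthenticated users rather than on `authenticated_users_only` alone — worth covering that path with a test so the change in access-control behavior is deliberate. The class docstring above the map still describes only the token write check; update it to `Custom permissions handler which extends the built-in DjangoModelPermissions to require the model's view permission for safe requests and to validate a Token's write ability for unsafe requests (POST/PUT/PATCH/DELETE).` The added comment `# Override the stock perm_map to enforce view permissions` names the attribute `perm_map`, while the attribute defined is `perms_map`.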
|
|
|
|
|
|
|