Source code for oscarapi.permissions

from django.conf import settings

from rest_framework.permissions import (

from oscarapi.basket.operations import request_allows_access_to

class IsOwner(IsAuthenticated):
    """
    Object-level permission: grant access only when the object's ``user``
    foreign key is the authenticated user making this request.

    Authentication itself is enforced by the inherited ``has_permission``.
    The ownership comparison runs only where the view performs object-level
    checks (``get_object()`` / ``check_object_permissions()``), so list
    endpoints still have to restrict their queryset to the requesting user.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when ``obj.user`` equals ``request.user``."""
        owner = obj.user
        requester = request.user
        return owner == requester
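class APIAdminPermission(DjangoModelPermissions):
    """
    The permission for all the admin api views.

    You only get admin api access when:
    - OSCARAPI_BLOCK_ADMIN_API_ACCESS is false
    - you are a staff user (is_staff)
    - you have any of the model permissions needed (view / add / change / delete)

    The setting is read with a default of ``True``, so a deployment that does
    not define OSCARAPI_BLOCK_ADMIN_API_ACCESS keeps the admin api closed.

    Feel free to customize!
    """

    # HTTP method -> model permissions required for it. The read-only methods
    # (GET / OPTIONS / HEAD) demand the ``view`` permission here, whereas the
    # DjangoModelPermissions default map leaves them without a model check.
    perms_map = {
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
        "POST": ["%(app_label)s.add_%(model_name)s"],
        "PUT": ["%(app_label)s.change_%(model_name)s"],
        "PATCH": ["%(app_label)s.change_%(model_name)s"],
        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
    }

    @staticmethod
    def disallowed_by_setting_and_request(request):
        """
        Return a truthy value when the admin api must be refused outright.

        Access is refused when OSCARAPI_BLOCK_ADMIN_API_ACCESS is truthy
        (or unset, since the default is ``True``) or when the requesting
        user is not staff.
        """
        return (
            getattr(settings, "OSCARAPI_BLOCK_ADMIN_API_ACCESS", True)
            # request.user is None when REST framework's UNAUTHENTICATED_USER
            # setting is None; treat a missing is_staff as "not staff" so the
            # check denies access instead of raising AttributeError.
            or not getattr(request.user, "is_staff", False)
        )

    def has_permission(self, request, view):
        """
        Deny when blocked by setting or non-staff user; otherwise defer to
        the DjangoModelPermissions check against ``perms_map``.
        """
        if self.disallowed_by_setting_and_request(request):
            return False
        return super(APIAdminPermission, self).has_permission(request, view)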
class RequestAllowsAccessTo(BasePermission):
    """
    Object-level permission that delegates the decision to
    ``request_allows_access_to`` from ``oscarapi.basket.operations``.

    Only ``has_object_permission`` is overridden; the inherited
    ``has_permission`` of BasePermission allows every request, so this class
    adds no view-level restriction on its own.
    """

    def has_object_permission(self, request, view, obj):
        """Return the result of ``request_allows_access_to(request, obj)``."""
        verdict = request_allows_access_to(request, obj)
        return verdict