Source code for evennia.web.api.permissions
"""
Sets up an api-access permission check using the in-game permission hierarchy.
"""
from django.conf import settings
from rest_framework import permissions
from evennia.locks.lockhandler import check_perm
[docs]class EvenniaPermission(permissions.BasePermission):
"""
A Django Rest Framework permission class that allows us to use Evennia's
permission structure. Based on the action in a given view, we'll check a
corresponding Evennia access/lock check.
"""
# subclass this to change these permissions
MINIMUM_LIST_PERMISSION = settings.REST_FRAMEWORK.get("DEFAULT_LIST_PERMISSION", "builder")
MINIMUM_CREATE_PERMISSION = settings.REST_FRAMEWORK.get("DEFAULT_CREATE_PERMISSION", "builder")
view_locks = settings.REST_FRAMEWORK.get("DEFAULT_VIEW_LOCKS", ["examine"])
destroy_locks = settings.REST_FRAMEWORK.get("DEFAULT_DESTROY_LOCKS", ["delete"])
update_locks = settings.REST_FRAMEWORK.get("DEFAULT_UPDATE_LOCKS", ["control", "edit"])
[docs] def has_permission(self, request, view):
"""Checks for permissions
Args:
request (Request): The incoming request object.
view (View): The django view we are checking permission for.
Returns:
bool: If permission is granted or not. If we return False here, a PermissionDenied
error will be raised from the view.
Notes:
This method is a check that always happens first. If there's an object involved,
such as with retrieve, update, or delete, then the has_object_permission method
is called after this, assuming this returns `True`.
"""
# Only allow authenticated users to call the API
if not request.user.is_authenticated:
return False
if request.user.is_superuser:
return True
# these actions don't support object-level permissions, so use the above definitions
if view.action == "list":
return check_perm(request.user, self.MINIMUM_LIST_PERMISSION)
if view.action == "create":
return check_perm(request.user, self.MINIMUM_CREATE_PERMISSION)
return True # this means we'll check object-level permissions
[docs] @staticmethod
def check_locks(obj, user, locks):
"""Checks access for user for object with given locks
Args:
obj: Object instance we're checking
user (Account): User who we're checking permissions
locks (list): list of lockstrings
Returns:
bool: True if they have access, False if they don't
"""
return any([obj.access(user, lock) for lock in locks])
[docs] def has_object_permission(self, request, view, obj):
"""Checks object-level permissions after has_permission
Args:
request (Request): The incoming request object.
view (View): The django view we are checking permission for.
obj: Object we're checking object-level permissions for
Returns:
bool: If permission is granted or not. If we return False here, a PermissionDenied
error will be raised from the view.
Notes:
This method assumes that has_permission has already returned True. We check
equivalent Evennia permissions in the request.user to determine if they can
complete the action.
"""
if view.action in ("list", "retrieve"):
# access_type is based on the examine command
return self.check_locks(obj, request.user, self.view_locks)
if view.action == "destroy":
# access type based on the destroy command
return self.check_locks(obj, request.user, self.destroy_locks)
if view.action in ("update", "partial_update", "set_attribute"):
# access type based on set command
return self.check_locks(obj, request.user, self.update_locks)
