U e$@sdZddlmZddlmZdZGdddZGdddeZGd d d eZGd d d Z Gd ddZ GdddZ Gdddee Z Gddde dZGdddeZGdddeZGdddeZGdddeZGdddeZGd d!d!eZGd"d#d#eZd$S)%z2 Provides a set of pluggable permission policies. )Http404) exceptions)GETHEADOPTIONSc@s4eZdZddZddZddZddZd d Zd S) OperationHolderMixincCs tt||SN OperandHolderANDselfotherr>/tmp/pip-unpacked-wheel-n426yvdz/rest_framework/permissions.py__and__ szOperationHolderMixin.__and__cCs tt||Srr ORr rrr__or__szOperationHolderMixin.__or__cCs tt||Srr r rrr__rand__szOperationHolderMixin.__rand__cCs tt||Srrr rrr__ror__szOperationHolderMixin.__ror__cCs tt|Sr)SingleOperandHolderNOT)r rrr __invert__szOperationHolderMixin.__invert__N)__name__ __module__ __qualname__rrrrrrrrrr s rc@seZdZddZddZdS)rcCs||_||_dSr)operator_class op1_class)r rrrrr__init__szSingleOperandHolder.__init__cOs|j||}||Sr)rr)r argskwargsop1rrr__call__!s zSingleOperandHolder.__call__Nrrrrr#rrrrrsrc@seZdZddZddZdS)r cCs||_||_||_dSr)rr op2_class)r rrr%rrrr'szOperandHolder.__init__cOs$|j||}|j||}|||Sr)rr%r)r r r!r"op2rrrr#,s  zOperandHolder.__call__Nr$rrrrr &sr c@s$eZdZddZddZddZdS)r cCs||_||_dSrr"r&r r"r&rrrr3sz AND.__init__cCs|j||o|j||Srr"has_permissionr&r requestviewrrrr*7s zAND.has_permissioncCs |j|||o|j|||Sr)r"has_object_permissionr&r r,r-objrrrr.=szAND.has_object_permissionNrrrrr*r.rrrrr 2sr c@s$eZdZddZddZddZdS)rcCs||_||_dSrr'r(rrrrEsz OR.__init__cCs|j||p|j||Srr)r+rrrr*Is zOR.has_permissioncCs<|j||r|j|||p:|j||o:|j|||Sr)r"r*r.r&r/rrrr.Os zOR.has_object_permissionNr1rrrrrDsrc@s$eZdZddZddZddZdS)rcCs ||_dSr)r")r r"rrrrZsz NOT.__init__cCs|j|| Sr)r"r*r+rrrr*]szNOT.has_permissioncCs|j||| Sr)r"r.r/rrrr.`szNOT.has_object_permissionNr1rrrrrYsrc@s eZdZdS)BasePermissionMetaclassN)rrrrrrrr2dsr2c@s eZdZdZddZddZdS)BasePermissionzH A base class from which all permission classes should inherit. cCsdSzL Return `True` if permission is granted, `False` otherwise. Trr+rrrr*mszBasePermission.has_permissioncCsdSr4rr/rrrr.ssz$BasePermission.has_object_permissionN)rrr__doc__r*r.rrrrr3hsr3) metaclassc@seZdZdZddZdS)AllowAnyz Allow any access. This isn't strictly required, since you could use an empty permission_classes list, but it's useful because it makes the intention more explicit. cCsdS)NTrr+rrrr*szAllowAny.has_permissionNrrrr5r*rrrrr7zsr7c@seZdZdZddZdS)IsAuthenticatedz4 Allows access only to authenticated users. cCst|jo|jjSr)booluseris_authenticatedr+rrrr*szIsAuthenticated.has_permissionNr8rrrrr9sr9c@seZdZdZddZdS) IsAdminUserz, Allows access only to admin users. cCst|jo|jjSr)r:r;Zis_staffr+rrrr*szIsAdminUser.has_permissionNr8rrrrr=sr=c@seZdZdZddZdS)IsAuthenticatedOrReadOnlyzL The request is authenticated as a user, or is a read-only request. cCst|jtkp|jo|jjSr)r:method SAFE_METHODSr;r<r+rrrr*s  z(IsAuthenticatedOrReadOnly.has_permissionNr8rrrrr>sr>c@sHeZdZdZgggdgdgdgdgdZdZddZd d Zd d Zd S)DjangoModelPermissionsa} The request is authenticated using `django.contrib.auth` permissions. See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the model. This permission can only be applied against view classes that provide a `.queryset` attribute. %(app_label)s.add_%(model_name)s#%(app_label)s.change_%(model_name)s#%(app_label)s.delete_%(model_name)srrrPOSTPUTPATCHDELETETcs>|jj|jjd||jkr&t|fdd|j|DS)z Given a model and an HTTP method, return the list of permission codes that the user is required to have.  app_label model_namecsg|] }|qSrr.0permr!rr szCDjangoModelPermissions.get_required_permissions..Z_metarKrL perms_maprZMethodNotAllowedr r? model_clsrrPrget_required_permissionss   z/DjangoModelPermissions.get_required_permissionscCsbt|ds,t|dddk s,td|jjt|dr\|}|dk sXtd|jj|S|jS)N get_querysetquerysetz[Cannot apply {} on a view that does not set `.queryset` or have a `.get_queryset()` method.z{}.get_queryset() returned None)hasattrgetattrAssertionErrorformat __class__rrWrX)r r-rXrrr _querysets    z DjangoModelPermissions._querysetcCsNt|ddrdS|jr$|jjs(|jr(dS||}||j|j}|j|S)NZ_ignore_model_permissionsFT) rZr;r<authenticated_users_onlyr^rVr?model has_perms)r r,r-rXpermsrrrr*s  z%DjangoModelPermissions.has_permissionN) rrrr5rSr_rVr^r*rrrrrAs rAc@seZdZdZdZdS)$DjangoModelPermissionsOrAnonReadOnlyzj Similar to DjangoModelPermissions, except that anonymous users are allowed read-only access. FN)rrrr5r_rrrrrcsrcc@s<eZdZdZgggdgdgdgdgdZddZdd Zd S) DjangoObjectPermissionsa The request is authenticated using Django's object-level permissions. It requires an object-permissions-enabled backend, such as Django Guardian. It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the object using .has_perms. This permission can only be applied against view classes that provide a `.queryset` attribute. rBrCrDrEcs>|jj|jjd||jkr&t|fdd|j|DS)NrJcsg|] }|qSrrrMrPrrrQszKDjangoObjectPermissions.get_required_object_permissions..rRrTrrPrget_required_object_permissions s   z7DjangoObjectPermissions.get_required_object_permissionsc Csb||}|j}|j}||j|}|||s^|jtkr>t|d|}|||sZtdSdS)NrFT)r^r`r;rer?rar@r) r r,r-r0rXrUr;rbZ read_permsrrrr.s     z-DjangoObjectPermissions.has_object_permissionN)rrrr5rSrer.rrrrrds   rdN)r5Z django.httprZrest_frameworkrr@rrr r rrtyper2r3r7r9r=r>rArcrdrrrrs$         I