o Ci!@sdZddlmZddlmZddlmZddlmZm Z ddl mZ dd Z d d Z d d ZddZddZddlmZddZddZddZGdddZddZddlmZddlmZddlmZGdd d eZdS)!z7 Permission checking utilities and decorators for RBAC wraps) JsonResponse)cache) UserProfile PermissionNcCsV|jjrdSd|jjd|}t|}|dur|S||jvr)t|dddSdS)z Check if user has a specific permission Args: user: UserProfile instance permission_code: String like 'flowboard.create' Returns: Boolean indicating if user has permission T user_perms__N,F)user is_superuseridrgetcustom_permissionsset)requestpermission_code cache_key cached_resultr1/var/www/Datamplify/authentication/permissions.pyhas_permission s   rctfdd|DS)z Check if user has any of the specified permissions Args: user: UserProfile instance permission_codes: List of permission codes Returns: Boolean indicating if user has at least one permission c3|]}t|VqdSNr.0coder rr Az%has_any_permission..)anyr permission_codesrr rhas_any_permission6 r&cr)z Check if user has all of the specified permissions Args: user: UserProfile instance permission_codes: List of permission codes Returns: Boolean indicating if user has all permissions c3rrrrr rrr!Or"z&has_all_permissions..)allr$rr rhas_all_permissionsDr'r)cCs|jr ttjjdddSd|j}t|}|dur|Stjj |d d d}t }|D]}| |jjjdddq0t|}t ||d |S) z Get all permission codes for a user Args: user: UserProfile instance Returns: List of permission codes rTflatuser_all_perms_Nr rolerole__permissionsr )r listrobjects values_listrrrrfilterselect_relatedprefetch_relatedrupdater- permissions)r r cached_perms user_rolesr% user_rolepermission_listrrrget_user_permissionsRs   r;cCs*td|jdtd|jdS)z'Clear all cached permissions for a userr z_*r,N)rdelete_patternrdeleter rrrclear_user_permission_cachetsr>) Applicationcfdd}|S)z Decorator to require a specific permission for a view Usage: @require_permission('flowboard.create') def create_flowboard(request): ... ctfdd}|S)NcsN|jjs tdddddSt|r|g|Ri|Stdddd dS) NAuthentication requiredz-You must be logged in to access this resourceerrormessagestatusPermission deniedz1You do not have permission to perform this action)rDrErequired_permission)r is_authenticatedrrrargskwargs)r view_funcrrwrappers  z6require_permission..decorator..wrapperrrPrQrrPr decoratorsz%require_permission..decoratorr)rrUrrSrrequire_permission|s rVcr@)z Decorator to require any of the specified permissions Usage: @require_any_permission('flowboard.edit', 'flowboard.delete') def modify_flowboard(request): ... crA)NcP|jjs tddiddSt|jr|g|Ri|StdtdddSNrDrBrFrGrI)rDrequired_permissionsrK)r rLrr&r/rMr%rPrrrQ z:require_any_permission..decorator..wrapperrrRr%rTrrUz)require_any_permission..decoratorrr%rUrr\rrequire_any_permission r_cr@)z Decorator to require all of the specified permissions Usage: @require_all_permissions('user.edit', 'user.manage_roles') def assign_role_to_user(request): ... crA)NcrWrX)r rLrr)r/rMrZrrrQr[z;require_all_permissions..decorator..wrapperrrRr\rTrrUr]z*require_all_permissions..decoratorrr^rr\rrequire_all_permissionsr`rac@s0eZdZdZddZddZddZdd Zd S) PermissionMixinzb Mixin to add permission checking methods to request object Can be used in middleware cC t|j|Sr)rr )selfrrrrr zPermissionMixin.has_permissioncGrcr)r&r rdr%rrrr&rez"PermissionMixin.has_any_permissioncGrcr)r)r rfrrrr)rez#PermissionMixin.has_all_permissionscCs t|jSr)r;r )rdrrrget_permissionss zPermissionMixin.get_permissionsN)__name__ __module__ __qualname____doc__rr&r)rgrrrrrbs  rbcCsPd|}t|}|dur&ttjjj|djddd}t||d|S)Nz user_perms:) roles__usersrTr*r ) rrr auth_modelsrr0r2distinctr1)user_idkeypermsrrrget_user_custom_permissionss   rr)IsAuthenticated)AuthenticationFailedc@seZdZdZddZdS)CustomIsAuthenticatedz3Access denied: Please provide a valid access token.cCsb|jdur tddd|jjjtjkr|jjj|_|jr!|jjs(tdddt|jj |_ dS)N unauthorizedz5Access token missing or invalid. Please log in again.rCT) authrt applicationauthorization_grant_typer?GRANT_CLIENT_CREDENTIALSr rLrrrr)rdrviewrrrrs  z$CustomIsAuthenticated.has_permissionN)rhrirjrErrrrrrus ru)rk functoolsr django.httprdjango.core.cachermodelsrrauthentication.modelsrmrr&r)r;r>oauth2_provider.modelsr?rVr_rarbrrrest_framework.permissionsrsrest_framework.exceptionsrtrurrrrs*    +" !