djangoldp-notification/djangoldp_notification/permissions.py

from django.contrib.auth import get_user_model

from djangoldp.permissions import LDPPermissions
from djangoldp_notification.filters import InboxFilterBackend, SubscriptionsFilterBackend
from rest_framework.reverse import reverse


class InboxPermissions(LDPPermissions):
    filter_backends = [InboxFilterBackend]

    def has_permission(self, request, view):
        from djangoldp.models import Model

        if self.is_a_container(request._request.path):
            try:
                """
                If on nested field we use users permissions
                """
                obj = Model.resolve_parent(request.path)
                model = view.parent_model

                """
                If still on nested field and request is post (/users/X/inbox/) we use notification permissions
                """
                if view.parent_model != view.model and request.method == 'POST':
                    obj = None
                    model = view.model
            except:
                """
                Not on nested field we use notification permissions
                """
                obj = None
                model = view.model
        else:
            obj = Model.resolve_id(request._request.path)
            model = view.model

        perms = self.get_permissions(request.method, model)

        for perm in perms:
            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, model, obj):
                return False

        return True


class SubscriptionsPermissions(LDPPermissions):
    filter_backends = [SubscriptionsFilterBackend]

    def has_permission(self, request, view):
        if request.user.is_anonymous and not request.method == "OPTIONS":
            return False

        if request.method in ["GET", "PATCH", "DELETE", "PUT"]:
            return True

        return super().has_permission(request, view)

    def has_object_permission(self, request, view, obj):
        if request.user.is_anonymous and not request.method == "OPTIONS":
            return False

        reverse_path_key = "{}-notification-list".format(get_user_model()._meta.object_name.lower())
        user_inbox = reverse(reverse_path_key, kwargs={"slug": request.user.slug}, request=request)
        if obj.inbox == user_inbox:
            return True

        return False