a D gG@sddlmZmZddlmZddlmZddlmZm Z ddl m Z ddl m Z ddlmZGdd d ZGd d d eZGd d d eZGdddeZGdddeZGdddeZdS))get_permission_codenameget_user_model) Permission) ContentType)FieldDoesNotExistImproperlyConfigured)Q)cached_property)resolve_model_stringc@seZdZdZdZddZeddZddZd d Z d d Z d dZ ddZ ddZ ddZddZddZddZddZddZdd Zd!S)"BasePermissionPolicya A 'permission policy' is an object that handles all decisions about the actions users are allowed to perform on a given model. The mechanism by which it does this is arbitrary, and may or may not involve the django.contrib.auth Permission model; it could be as simple as "allow all users to do everything". In this way, admin apps can change their permission-handling logic just by swapping to a different policy object, rather than having that logic spread across numerous view functions. BasePermissionPolicy is an abstract class that all permission policies inherit from. The only method that subclasses need to implement is users_with_any_permission; all other methods can be derived from that (but in practice, subclasses will probably want to override additional methods, either for efficiency or to implement more fine-grained permission logic). cCs ||_dSN)_model_or_nameselfmodelr_/var/www/lab.imftr.de/x/nb_venv/lib/python3.9/site-packages/wagtail/permission_policies/base.py__init__szBasePermissionPolicy.__init__cCst|j}|||Sr )r r check_modelrrrrr"s  zBasePermissionPolicy.modelcCsdSr rrrrrr(sz BasePermissionPolicy.check_modelcCstS)a  Return a set of all permissions that the given user has on this model. They may be instances of django.contrib.auth.Permission, or custom permission objects defined by the policy, which are not necessarily model instances. )setruserrrrget_all_permissions_for_user.sz1BasePermissionPolicy.get_all_permissions_for_usercCs<t||jrt||j}n||}|jr8t||j||S)a( Return a list of all permissions that the given user has on this model, using the cache if available and populating the cache if not. This can be useful for the other methods to perform efficient queries against the set of permissions that the user has. )hasattrpermission_cache_namegetattrrsetattr)rrZpermsrrrget_cached_permissions_for_user8s   z4BasePermissionPolicy.get_cached_permissions_for_usercCs|||vS)z Return whether the given user has permission to perform the given action on some or all instances of this model )users_with_permissionrractionrrruser_has_permissionLsz(BasePermissionPolicy.user_has_permissioncstfdd|DS)z Return whether the given user has permission to perform any of the given actions on some or all instances of this model c3s|]}|VqdSr r".0r!rrr Xz?BasePermissionPolicy.user_has_any_permission..anyrractionsrrruser_has_any_permissionSsz,BasePermissionPolicy.user_has_any_permissioncCstdS)z Return a queryset of users who have permission to perform any of the given actions on some or all instances of this model N)NotImplementedErrorrr+rrrusers_with_any_permission]sz.BasePermissionPolicy.users_with_any_permissioncCs ||gS)z Return a queryset of users who have permission to perform the given action on some or all instances of this model r/rr!rrrrdsz*BasePermissionPolicy.users_with_permissioncCs |||S)z~ Return whether the given user has permission to perform the given action on the given model instance r#rrr!instancerrr user_has_permission_for_instancessz5BasePermissionPolicy.user_has_permission_for_instancecstfdd|DS)z Return whether the given user has permission to perform any of the given actions on the given model instance c3s|]}|VqdSr )r4r$r3rrrrr&szLBasePermissionPolicy.user_has_any_permission_for_instance..r(rrr+r3rr5r$user_has_any_permission_for_instancezsz9BasePermissionPolicy.user_has_any_permission_for_instancecCs(|||r|jjS|jjSdS)z Return a queryset of all instances of this model for which the given user has permission to perform any of the given actions N)r,robjectsallnoner*rrr%instances_user_has_any_permission_fors  z:BasePermissionPolicy.instances_user_has_any_permission_forcCs|||gS)z Return a queryset of all instances of this model for which the given user has permission to perform the given action )r;r rrr!instances_user_has_permission_forsz6BasePermissionPolicy.instances_user_has_permission_forcCs ||S)z Return a queryset of all users who have permission to perform any of the given actions on the given model instance r0)rr+r3rrr&users_with_any_permission_for_instancesz;BasePermissionPolicy.users_with_any_permission_for_instancecCs||g|Sr )r=)rr!r3rrr"users_with_permission_for_instancesz7BasePermissionPolicy.users_with_permission_for_instanceN)__name__ __module__ __qualname____doc__rrr rrrrr"r,r/rr4r7r;r<r=r>rrrrr s$     r c@s0eZdZdZddZddZddZdd Zd S) BlanketPermissionPolicyzv A permission policy that gives everyone (including anonymous users) full permission over the given model cCsdSNTrr rrrr"sz+BlanketPermissionPolicy.user_has_permissioncCsdSrDrr*rrrr,sz/BlanketPermissionPolicy.user_has_any_permissioncCstjjddSNT is_activerr8filterr.rrrr/s z1BlanketPermissionPolicy.users_with_any_permissioncCstjjddSrErHr1rrrrsz-BlanketPermissionPolicy.users_with_permissionNr?r@rArBr"r,r/rrrrrrCs  rCc@s0eZdZdZddZddZddZdd Zd S) "AuthenticationOnlyPermissionPolicyzp A permission policy that gives all active authenticated users full permission over the given model cCs |jo |jSr is_authenticatedrGr rrrr"sz6AuthenticationOnlyPermissionPolicy.user_has_permissioncCs |jo |jSr rLr*rrrr,sz:AuthenticationOnlyPermissionPolicy.user_has_any_permissioncCstjjddSrErHr.rrrr/szr'zKBaseDjangoAuthPermissionPolicy._get_permission_codenames..rr.rrTr_get_permission_codenamessz8BaseDjangoAuthPermissionPolicy._get_permission_codenamescCsd|jt||jjS)z Get the full app-label-qualified permission name (as required by user.has_perm(...) ) for the given action on this model z{}.{})formatrVrrrUr1rrr_get_permission_names z3BaseDjangoAuthPermissionPolicy._get_permission_namecCstjj|j||dS)zP Get a queryset of the Permission objects for the given actions  content_typeZ codename__in)rr8rIrXrZr.rrr#_get_permission_objects_for_actionsszBBaseDjangoAuthPermissionPolicy._get_permission_objects_for_actionscCs:tjj|j|d}tddt|dBt|dBtdd@S)a Given a list of permission codenames, return a filter expression which will find all users which have any of those permissions - either through group permissions, user permissions, or implicitly through being a superuser. r]T) is_superuser)Zuser_permissions__in)Zgroups__permissions__inrF)rr8rIrXr)rpermission_codenamesZ permissionsrrr/_get_users_with_any_permission_codenames_filterszNBaseDjangoAuthPermissionPolicy._get_users_with_any_permission_codenames_filtercCs||}tj|S)z Given a list of permission codenames, return a queryset of users which have any of those permissions - either through group permissions, user permissions, or implicitly through being a superuser. )rbrr8rIdistinct)rra filter_exprrrr(_get_users_with_any_permission_codenamesszGBaseDjangoAuthPermissionPolicy._get_users_with_any_permission_codenames)N)r?r@rArBrr rQrVrWrXrZr\r_rbre __classcell__rrrRrrNs       rNc@s eZdZdZddZddZdS)ModelPermissionPolicyz A permission policy that enforces permissions at the model level, by consulting the standard django.contrib.auth permission model directly cCs|||Sr )has_permr\r rrrr"&sz)ModelPermissionPolicy.user_has_permissioncCs|||Sr )rerZr.rrrr/)sz/ModelPermissionPolicy.users_with_any_permissionN)r?r@rArBr"r/rrrrrg srgcs^eZdZdZdfdd ZfddZdd Zd d Zd d ZddZ ddZ ddZ Z S)OwnershipPermissionPolicya A permission policy for objects that support a concept of 'ownership', where the owner is typically the user who created the object. This policy piggybacks off 'add' and 'change' permissions defined through the django.contrib.auth Permission model, as follows: * any user with 'add' permission can create instances, and ALSO edit instances that they own * any user with 'change' permission can edit instances regardless of ownership * ability to edit also implies ability to delete Besides 'add', 'change' and 'delete', no other actions are recognised or permitted (unless the user is an active superuser, in which case they can do everything). Nownercstj||d||_dS)N)rQ)rOrowner_field_name)rrrQrkrRrrr@sz"OwnershipPermissionPolicy.__init__csHt|z|j|jWn$tyBtd||jfYn0dS)Nz%s has no field named '%s'. To use this model with OwnershipPermissionPolicy, you must specify a valid field name as owner_field_name.)rOrrU get_fieldrkrrrrRrrrDs  z%OwnershipPermissionPolicy.check_modelcCsX|dkr||dS|dks(|dkrH||dpF||dS|joR|jSdS)Naddchangedelete)rhr\rGr`r rrrr"Qs z-OwnershipPermissionPolicy.user_has_permissioncCsRd|vsd|vr |ddh}n(d|vr6|dh}ntjjdddS||S)NrnrormTrGr`)rZrr8rIre)rr+rarrrr/`s z3OwnershipPermissionPolicy.users_with_any_permissioncCs|||g|Sr )r7r2rrrr4nsz:OwnershipPermissionPolicy.user_has_permission_for_instancecCs^d|vsd|vrN||dr$dS||drHt||j|krHdSdSn |joX|jSdS)NrnroTrmF)rhr\rrkrGr`r6rrrr7qsz>OwnershipPermissionPolicy.user_has_any_permission_for_instancecCs|jr|jr|jjSd|vs(d|vr|||drD|jjS||drn|jjjfi|j|iS|jj Sn |jj SdS)Nrnrorm) rGr`rr8r9rhr\rIrkr:r*rrrr;s   z?OwnershipPermissionPolicy.instances_user_has_any_permission_forcCs~d|vsd|vrh||dh}t||j}|durV||drV|t|jdB}tj | Stj j dddSdS)Nrnrorm)pkTrp) rbrZrrkrhr\rrqrr8rIrc)rr+r3rdrjrrrr=s  z@OwnershipPermissionPolicy.users_with_any_permission_for_instance)Nrj) r?r@rArBrrr"r/r4r7r;r=rfrrrRrri/s riN)Zdjango.contrib.authrrZdjango.contrib.auth.modelsrZ"django.contrib.contenttypes.modelsrZdjango.core.exceptionsrrZdjango.db.modelsrZdjango.utils.functionalr Zwagtail.coreutilsr r rCrKrNrgrirrrrs     R