-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat[bckend-RBAS-ABAS]:Added Role based permission system and integra…
…ted action based access for services.
- Loading branch information
Showing
6 changed files
with
168 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,33 @@ | ||
from rest_framework.permissions import BasePermission | ||
from rest_framework.exceptions import PermissionDenied | ||
|
||
from permission.models import Service | ||
class HasRolePermission(BasePermission): | ||
""" | ||
Custom permission class that checks if a user has a specific role permission. | ||
""" | ||
def has_permission(self, request, view): | ||
permission_name = getattr(view, 'permission_name', None) | ||
if not permission_name: | ||
raise ValueError("Permission name not provided in the view.") | ||
view_class_name = view.__class__.__name__ | ||
service_name = getattr(view, 'service_name', None) | ||
if not service_name: | ||
return True | ||
if request.user.is_anonymous: | ||
return False | ||
if request.user.role and not request.user.role.has_permission_recursive(permission_name): | ||
raise PermissionDenied("You do not have permission to access this view.") | ||
return True | ||
if request.user.role: | ||
role = request.user.role | ||
if role.has_service_recursive(service_name): | ||
service = Service.objects.get(name=service_name) | ||
parent_services = service.get_all_parents() | ||
for parent_service in parent_services: | ||
# Check if the requested view is in role.custom_permissions.AssociatedViews | ||
for permission in role.custom_permissions.filter(service__name=parent_service.name): | ||
for AssociatedView in permission.AssociatedViews.all(): | ||
if view_class_name == AssociatedView.name: | ||
return True | ||
return False | ||
|
||
def has_object_permission(self, request, view, obj): | ||
# Check if the object has an owner field | ||
if not hasattr(obj, 'owner'): | ||
return False | ||
# Allow access only if the request user is the object's owner | ||
return obj.owner == request.user or request.user.is_superuser |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,25 +1,45 @@ | ||
from rest_framework import serializers | ||
from django.contrib.auth.models import User | ||
from permission.models import Role, CustomPermission | ||
from permission.models import Role, CustomPermission, Service, AssociatedViews | ||
|
||
class CustomPermissionSerializer(serializers.ModelSerializer): | ||
parent_name = serializers.CharField(write_only=True, required=False) | ||
class AssociatedViewsSerializer(serializers.ModelSerializer): | ||
class Meta: | ||
model = AssociatedViews | ||
fields = '__all__' | ||
|
||
class ServiceSerializer(serializers.ModelSerializer): | ||
parent_service = serializers.CharField(write_only=True, required=False) | ||
|
||
class Meta: | ||
model = CustomPermission | ||
fields = ['id', 'name', 'description', 'parent_name'] | ||
model = Service | ||
fields = '__all__' | ||
|
||
def create(self, validated_data): | ||
parent_name = validated_data.pop('parent_name', None) | ||
if parent_name: | ||
parent = CustomPermission.objects.get(name=parent_name) | ||
validated_data['parent'] = parent | ||
parent_service = validated_data.pop('parent_service', None) | ||
if parent_service: | ||
parent = Service.objects.get(name=parent_service) | ||
validated_data['parent_service'] = parent | ||
return super().create(validated_data) | ||
|
||
class CustomPermissionSerializer(serializers.ModelSerializer): | ||
service = serializers.CharField(write_only=True, required=False) | ||
AssociatedViews = AssociatedViewsSerializer(many=True, required=False, allow_empty=True) | ||
class Meta: | ||
model = CustomPermission | ||
fields = '__all__' | ||
|
||
def create(self, validated_data): | ||
service = validated_data.pop('service', None) | ||
if service: | ||
service = Service.objects.get(name=service) | ||
validated_data['service'] = service | ||
return super().create(validated_data) | ||
|
||
class RoleSerializer(serializers.ModelSerializer): | ||
services = ServiceSerializer(many=True, required=False, allow_empty=True) | ||
custom_permissions = CustomPermissionSerializer(many=True, required=False, allow_empty=True) | ||
|
||
class Meta: | ||
model = Role | ||
fields = ('id', 'name', 'custom_permissions') | ||
fields = '__all__' | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,14 @@ | ||
from django.urls import path | ||
from permission.views import CustomPermissionViewSet, RoleViewSet, AssignRoleToUserView | ||
from permission.views import CustomPermissionViewSet, RoleViewSet, AssignRoleToUserView, ServiceViewSet, AssociatedViewsViewSet | ||
|
||
urlpatterns = [ | ||
path('permissions/', CustomPermissionViewSet.as_view({'get': 'list', 'post': 'create'}), name='permissions-list'), | ||
path('permissions/<int:pk>/', CustomPermissionViewSet.as_view({'get': 'retrieve', 'put': 'update', 'delete': 'destroy'}), name='permission-detail'), | ||
path('roles/', RoleViewSet.as_view({'get': 'list', 'post': 'create'}), name='roles-list'), | ||
path('roles/<int:pk>/', RoleViewSet.as_view({'get': 'retrieve', 'put': 'update', 'delete': 'destroy'}), name='role-detail'), | ||
path('services/', ServiceViewSet.as_view({'get': 'list', 'post': 'create'}), name='services-list'), | ||
path('services/<int:pk>/', ServiceViewSet.as_view({'get': 'retrieve', 'put': 'update', 'delete': 'destroy'}), name='service-detail'), | ||
path('AccessControlViews/', AssociatedViewsViewSet.as_view({'get': 'list', 'post': 'create'}), name='http-methods-list'), | ||
path('AccessControlViews/<int:pk>/', AssociatedViewsViewSet.as_view({'get': 'retrieve', 'put': 'update', 'delete': 'destroy'}), name='http-method-detail'), | ||
path('users/<int:user_id>/assign-role/', AssignRoleToUserView.as_view(), name='assign-role') | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters