feat(access): Enforce view action and HTTP/Method match for permission checks

ref: #442 #456
This commit is contained in:
2024-12-27 18:25:18 +09:30
parent f211f022a0
commit 7c62643c6c


@ -102,27 +102,14 @@ class OrganizationPermissionMixin(
if(
view.action == 'create'
or getattr(view.request._stream, 'method', '') == 'POST'
and getattr(view.request._stream, 'method', '') == 'POST'
):
view_action = 'add'
elif (
view.action == 'partial_update'
or view.action == 'update'
or getattr(view.request._stream, 'method', '') == 'PATCH'
or getattr(view.request._stream, 'method', '') == 'PUT'
):
view_action = 'change'
obj_organization: Organization = view.get_obj_organization(
obj = view.get_object()
)
elif(
view.action == 'destroy'
or getattr(view.request._stream, 'method', '') == 'DELETE'
and getattr(view.request._stream, 'method', '') == 'DELETE'
):
view_action = 'delete'
@ -137,7 +124,32 @@ class OrganizationPermissionMixin(
view_action = 'view'
elif view.action == 'retrieve':
elif (
view.action == 'partial_update'
and getattr(view.request._stream, 'method', '') == 'PATCH'
):
view_action = 'change'
obj_organization: Organization = view.get_obj_organization(
obj = view.get_object()
)
elif (
view.action == 'update'
and getattr(view.request._stream, 'method', '') == 'PUT'
):
view_action = 'change'
obj_organization: Organization = view.get_obj_organization(
obj = view.get_object()
)
elif(
view.action == 'retrieve'
and getattr(view.request._stream, 'method', '') == 'GET'
):
view_action = 'view'
@ -145,7 +157,10 @@ class OrganizationPermissionMixin(
obj = view.get_object()
)
elif view.action == 'metadata':
elif(
view.action == 'metadata'
and getattr(view.request._stream, 'method', '') == 'OPTIONS'
):
return True
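Review bot: Every new branch reads the HTTP method via `getattr(view.request._stream, 'method', '')`, a private attribute of DRF's `Request`, instead of the public `view.request.method`; `_stream` is not guaranteed to be the underlying `HttpRequest` (it presumably holds an unloaded sentinel or `None` for body-less GET/DELETE/OPTIONS requests until the body is read), in which case the `getattr` default `''` makes none of the action/method pairs match and the outcome rests entirely on the fall-through branch, which is outside this hunk. Replace the expression in each branch with the public attribute, e.g. `and view.request.method == 'OPTIONS'` here, so the match is made against what Django actually dispatched on. Please also confirm the fall-through denies rather than grants, since the tightened `and` conditions only fail closed if the unmatched case does too. The enclosing method starts before the first hunk and continues past the last line shown, so the default branch could not be checked.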