Add a very simplistic Pin access control for the API

As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend.
2025-11-13 16:45:41 +01:00 · 2013-03-02 17:00:58 -08:00
parent a0e11a949e
commit cf86da266a
3 changed files with 72 additions and 15 deletions
--- a/pinry/core/api.py
+++ b/pinry/core/api.py
@@ -1,5 +1,6 @@
 from tastypie import fields
 from tastypie.authorization import DjangoAuthorization
+from tastypie.exceptions import Unauthorized
 from tastypie.resources import ModelResource
 from django_images.models import Thumbnail

@@ -7,6 +8,37 @@ from pinry.core.models import User
 from pinry.pins.models import Image, Pin


+class PinryAuthorization(DjangoAuthorization):
+    """
+    Pinry-specific Authorization backend with object-level permission checking.
+    """
+    def update_detail(self, object_list, bundle):
+        klass = self.base_checks(bundle.request, bundle.obj.__class__)
+
+        if klass is False:
+            raise Unauthorized("You are not allowed to access that resource.")
+
+        permission = '%s.change_%s' % (klass._meta.app_label, klass._meta.module_name)
+
+        if not bundle.request.user.has_perm(permission, bundle.obj):
+            raise Unauthorized("You are not allowed to access that resource.")
+
+        return True
+
+    def delete_detail(self, object_list, bundle):
+        klass = self.base_checks(bundle.request, bundle.obj.__class__)
+
+        if klass is False:
+            raise Unauthorized("You are not allowed to access that resource.")
+
+        permission = '%s.delete_%s' % (klass._meta.app_label, klass._meta.module_name)
+
+        if not bundle.request.user.has_perm(permission, bundle.obj):
+            raise Unauthorized("You are not allowed to access that resource.")
+
+        return True
+
+
 class UserResource(ModelResource):
    gravatar = fields.CharField(readonly=True)

@@ -87,4 +119,4 @@ class PinResource(ModelResource):
        resource_name = 'pin'
        include_resource_uri = False
        always_return_data = True
-        authorization = DjangoAuthorization()
+        authorization = PinryAuthorization()