Add a very simplistic Pin access control for the API

As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend.
2025-11-14 17:05:50 +01:00 · 2013-03-02 17:00:58 -08:00
parent a0e11a949e
commit cf86da266a
3 changed files with 72 additions and 15 deletions
--- a/pinry/core/auth/backends.py
+++ b/pinry/core/auth/backends.py
@@ -1,6 +1,8 @@
 from django.core.validators import email_re

 from pinry.core.models import User
+from pinry.pins.models import Pin
+

 class CombinedAuthBackend(object):
    def authenticate(self, username=None, password=None):
@@ -22,4 +24,12 @@ class CombinedAuthBackend(object):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
-            return None
+            return None
+
+    def has_perm(self, user, perm, obj=None):
+        """
+        A very simplistic authorization mechanism for now. Basically a pin owner can do anything with the pin.
+        """
+        if obj and isinstance(obj, Pin):
+            return obj.submitter == user
+        return False