mirror of
https://github.com/pinry/pinry.git
synced 2025-11-14 00:55:43 +01:00
cf86da266a
As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend.
36 lines
1021 B
Python
36 lines
1021 B
Python
from django.core.validators import email_re
|
|
|
|
from pinry.core.models import User
|
|
from pinry.pins.models import Pin
|
|
|
|
|
|
class CombinedAuthBackend(object):
|
|
def authenticate(self, username=None, password=None):
|
|
is_email = email_re.match(username)
|
|
if is_email:
|
|
qs = User.objects.filter(email=username)
|
|
else:
|
|
qs = User.objects.filter(username=username)
|
|
|
|
try:
|
|
user = qs.get()
|
|
except User.DoesNotExist:
|
|
return None
|
|
if user.check_password(password):
|
|
return user
|
|
return None
|
|
|
|
def get_user(self, user_id):
|
|
try:
|
|
return User.objects.get(pk=user_id)
|
|
except User.DoesNotExist:
|
|
return None
|
|
|
|
def has_perm(self, user, perm, obj=None):
|
|
"""
|
|
A very simplistic authorization mechanism for now. Basically a pin owner can do anything with the pin.
|
|
"""
|
|
if obj and isinstance(obj, Pin):
|
|
return obj.submitter == user
|
|
return False
|