Check permissions per request instead of per user

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2025-06-21 09:58:23 +02:00 · 2021-06-15 14:40:32 +02:00
parent 5e9f36ef1a
commit ea092803d7
25 changed files with 207 additions and 203 deletions
--- a/apps/api/viewsets.py
+++ b/apps/api/viewsets.py
@ -9,7 +9,6 @@ from django.contrib.auth.models import User
 from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
-from note_kfet.middlewares import get_current_session
 from note.models import Alias

 from .serializers import UserSerializer, ContentTypeSerializer
@ -25,9 +24,8 @@ class ReadProtectedModelViewSet(ModelViewSet):
        self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()

    def get_queryset(self):
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
+        self.request.session.setdefault("permission_mask", 42)
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()


 class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
@ -40,9 +38,8 @@ class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
        self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()

    def get_queryset(self):
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
+        self.request.session.setdefault("permission_mask", 42)
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()


 class UserViewSet(ReadProtectedModelViewSet):