Check permissions per request instead of per user

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

note_kfet/admin.py

@@ -6,7 +6,6 @@ from django.contrib.admin import AdminSite
 from django.contrib.sites.admin import Site, SiteAdmin
 
 from member.views import CustomLoginView
-from .middlewares import get_current_session
 
 
 class StrongAdminSite(AdminSite):
@@ -14,8 +13,7 @@ class StrongAdminSite(AdminSite):
         """
         Authorize only staff that have the correct permission mask
         """
-        session = get_current_session()
-        return request.user.is_active and request.user.is_staff and session.get("permission_mask", -1) >= 42
+        return request.user.is_active and request.user.is_staff and request.session.get("permission_mask", -1) >= 42
 
     def login(self, request, extra_context=None):
         return CustomLoginView.as_view()(request)

note_kfet/middlewares.py

@@ -2,13 +2,10 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from threading import local
-from typing import Optional
 
 from django.conf import settings
 from django.contrib.auth import login
 from django.contrib.auth.models import User
-from django.contrib.sessions.backends.db import SessionStore
-from django.http import HttpRequest
 
 REQUEST_ATTR_NAME = getattr(settings, 'LOCAL_REQUEST_ATTR_NAME', '_current_request')
 
@@ -19,43 +16,10 @@ def _set_current_request(request=None):
     setattr(_thread_locals, REQUEST_ATTR_NAME, request)
 
 
-def get_current_request() -> Optional[HttpRequest]:
+def get_current_request():
     return getattr(_thread_locals, REQUEST_ATTR_NAME, None)
 
 
-def get_current_user() -> Optional[User]:
-    request = get_current_request()
-    if request is None:
-        return None
-    return request.user
-
-
-def get_current_session() -> Optional[SessionStore]:
-    request = get_current_request()
-    if request is None:
-        return None
-    return request.session
-
-
-def get_current_ip() -> Optional[str]:
-    request = get_current_request()
-
-    if request is None:
-        return None
-    elif 'HTTP_X_REAL_IP' in request.META:
-        return request.META.get('HTTP_X_REAL_IP')
-    elif 'HTTP_X_FORWARDED_FOR' in request.META:
-        return request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
-    return request.META.get('REMOTE_ADDR')
-
-
-def get_current_authenticated_user():
-    current_user = get_current_user()
-    if not current_user or not current_user.is_authenticated:
-        return None
-    return current_user
-
-
 class SessionMiddleware(object):
     """
     This middleware get the current user with his or her IP address on each request.

note_kfet/views.py

@@ -19,11 +19,11 @@ class IndexView(LoginRequiredMixin, RedirectView):
         user = self.request.user
 
         # The account note will have the consumption page as default page
-        if not PermissionBackend.check_perm(user, "auth.view_user", user):
+        if not PermissionBackend.check_perm(self.request, "auth.view_user", user):
             return reverse("note:consos")
 
         # People that can see the alias BDE are Kfet members
-        if PermissionBackend.check_perm(user, "alias.view_alias", Alias.objects.get(name="BDE")):
+        if PermissionBackend.check_perm(self.request, "alias.view_alias", Alias.objects.get(name="BDE")):
             return reverse("note:transfer")
 
         # Non-Kfet members will don't see the transfer page, but their profile page