o cZh$@sdZddlmZddlmZdZGdddZGdddeZGd d d eZGd d d Z Gd ddZ GdddZ Gdddee Z Gddde dZGdddeZGdddeZGdddeZGdddeZGdddeZGd d!d!eZGd"d#d#eZd$S)%z2 Provides a set of pluggable permission policies. )Http404) exceptions)GETHEADOPTIONSc@s4eZdZddZddZddZddZd d Zd S) OperationHolderMixincC tt||SN OperandHolderANDselfotherrQ/var/www/html/lang_env/lib/python3.10/site-packages/rest_framework/permissions.py__and__  zOperationHolderMixin.__and__cCrr r ORr rrr__or__rzOperationHolderMixin.__or__cC tt||Sr r r rrr__rand__rzOperationHolderMixin.__rand__cCrr rr rrr__ror__rzOperationHolderMixin.__ror__cCs tt|Sr )SingleOperandHolderNOT)rrrr __invert__ zOperationHolderMixin.__invert__N)__name__ __module__ __qualname__rrrrrrrrrr s  rc@eZdZddZddZdS)rcC||_||_dSr )operator_class op1_class)rr#r$rrr__init__ zSingleOperandHolder.__init__cOs|j|i|}||Sr )r$r#)rargskwargsop1rrr__call__!s zSingleOperandHolder.__call__Nrrr r%r*rrrrrs rc@r!)r cCs||_||_||_dSr )r#r$ op2_class)rr#r$r,rrrr%'s zOperandHolder.__init__cOs,|j|i|}|j|i|}|||Sr )r$r,r#)rr'r(r)op2rrrr*,s zOperandHolder.__call__Nr+rrrrr &s r c@$eZdZddZddZddZdS)r cCr"r r)r-rr)r-rrrr%3r&z AND.__init__cCs|j||o |j||Sr r)has_permissionr-rrequestviewrrrr27 zAND.has_permissioncCs |j|||o|j|||Sr )r)has_object_permissionr-rr4r5objrrrr7=szAND.has_object_permissionNrrr r%r2r7rrrrr 2 r c@r.)rcCr"r r/r0rrrr%Er&z OR.__init__cCs|j||p |j||Sr r1r3rrrr2Ir6zOR.has_permissioncCs<|j||o|j|||p|j||o|j|||Sr )r)r2r7r-r8rrrr7Os zOR.has_object_permissionNr:rrrrrDr;rc@r.)rcCs ||_dSr )r))rr)rrrr%Zrz NOT.__init__cCs|j|| Sr )r)r2r3rrrr2]szNOT.has_permissioncCs|j||| Sr )r)r7r8rrrr7`zNOT.has_object_permissionNr:rrrrrYs rc@s eZdZdS)BasePermissionMetaclassN)rrr rrrrr=dsr=c@s eZdZdZddZddZdS)BasePermissionzH A base class from which all permission classes should inherit. cCdSzL Return `True` if permission is granted, `False` otherwise. Trr3rrrr2mzBasePermission.has_permissioncCr?r@rr8rrrr7srAz$BasePermission.has_object_permissionN)rrr __doc__r2r7rrrrr>hs r>) metaclassc@eZdZdZddZdS)AllowAnyz Allow any access. This isn't strictly required, since you could use an empty permission_classes list, but it's useful because it makes the intention more explicit. cCr?)NTrr3rrrr2szAllowAny.has_permissionNrrr rBr2rrrrrEzs rEc@rD)IsAuthenticatedz4 Allows access only to authenticated users. cCt|jo|jjSr )booluseris_authenticatedr3rrrr2r<zIsAuthenticated.has_permissionNrFrrrrrG rGc@rD) IsAdminUserz, Allows access only to admin users. cCrHr )rIrJZis_staffr3rrrr2r<zIsAdminUser.has_permissionNrFrrrrrMrLrMc@rD)IsAuthenticatedOrReadOnlyzL The request is authenticated as a user, or is a read-only request. cCst|jtvp |jo |jjSr )rImethod SAFE_METHODSrJrKr3rrrr2s  z(IsAuthenticatedOrReadOnly.has_permissionNrFrrrrrNrLrNc@sHeZdZdZgggdgdgdgdgdZdZddZd d Zd d Zd S)DjangoModelPermissionsa} The request is authenticated using `django.contrib.auth` permissions. See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the model. This permission can only be applied against view classes that provide a `.queryset` attribute. %(app_label)s.add_%(model_name)s#%(app_label)s.change_%(model_name)s#%(app_label)s.delete_%(model_name)srrrPOSTPUTPATCHDELETETc>|jj|jjd||jvrt|fdd|j|DS)z Given a model and an HTTP method, return the list of permission codes that the user is required to have.  app_label model_namecg|]}|qSrr.0permr(rr zCDjangoModelPermissions.get_required_permissions.._metar\r] perms_maprZMethodNotAllowedrrO model_clsrrbrget_required_permissionss   z/DjangoModelPermissions.get_required_permissionscCsbt|dst|dddusJd|jjt|dr.|}|dus,Jd|jj|S|jS)N get_querysetquerysetz[Cannot apply {} on a view that does not set `.queryset` or have a `.get_queryset()` method.z{}.get_queryset() returned None)hasattrgetattrformat __class__rrkrl)rr5rlrrr _querysets     z DjangoModelPermissions._querysetcCsNt|ddrdS|jr|jjs|jrdS||}||j|j}|j|S)NZ_ignore_model_permissionsFT) rnrJrKauthenticated_users_onlyrqrjrOmodel has_perms)rr4r5rlpermsrrrr2s   z%DjangoModelPermissions.has_permissionN) rrr rBrgrrrjrqr2rrrrrQs  rQc@seZdZdZdZdS)$DjangoModelPermissionsOrAnonReadOnlyzj Similar to DjangoModelPermissions, except that anonymous users are allowed read-only access. FN)rrr rBrrrrrrrvsrvc@s<eZdZdZgggdgdgdgdgdZddZdd Zd S) DjangoObjectPermissionsa The request is authenticated using Django's object-level permissions. It requires an object-permissions-enabled backend, such as Django Guardian. It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the object using .has_perms. This permission can only be applied against view classes that provide a `.queryset` attribute. rRrSrTrUcrZ)Nr[cr^rrr_rbrrrcrdzKDjangoObjectPermissions.get_required_object_permissions..rerhrrbrget_required_object_permissions s   z7DjangoObjectPermissions.get_required_object_permissionsc Csb||}|j}|j}||j|}|||s/|jtvrt|d|}|||s-tdSdS)NrFT)rqrsrJrxrOrtrPr) rr4r5r9rlrirJruZ read_permsrrrr7s     z-DjangoObjectPermissions.has_object_permissionN)rrr rBrgrxr7rrrrrws  rwN)rBZ django.httprZrest_frameworkrrPrrr r rrtyper=r>rErGrMrNrQrvrwrrrrs&         I