refactor: Refactor permissions to allow list

Author: last-partizan

rest_framework/exceptions.py

@@ -4,6 +4,7 @@
 In addition, Django's built in 403 and 404 exceptions are handled.
 (`django.http.Http404` and `django.core.exceptions.PermissionDenied`)
 """
+
 import math
 
 from django.http import JsonResponse
@@ -21,23 +22,20 @@ def _get_error_details(data, default_code=None):
     lazy translation strings or strings into `ErrorDetail`.
     """
     if isinstance(data, (list, tuple)):
-        ret = [
-            _get_error_details(item, default_code) for item in data
-        ]
+        ret = [_get_error_details(item, default_code) for item in data]
         if isinstance(data, ReturnList):
             return ReturnList(ret, serializer=data.serializer)
         return ret
     elif isinstance(data, dict):
         ret = {
-            key: _get_error_details(value, default_code)
-            for key, value in data.items()
+            key: _get_error_details(value, default_code) for key, value in data.items()
         }
         if isinstance(data, ReturnDict):
             return ReturnDict(ret, serializer=data.serializer)
         return ret
 
     text = force_str(data)
-    code = getattr(data, 'code', default_code)
+    code = getattr(data, "code", default_code)
     return ErrorDetail(text, code)
 
 
@@ -54,16 +52,14 @@ def _get_full_details(detail):
         return [_get_full_details(item) for item in detail]
     elif isinstance(detail, dict):
         return {key: _get_full_details(value) for key, value in detail.items()}
-    return {
-        'message': detail,
-        'code': detail.code
-    }
+    return {"message": detail, "code": detail.code}
 
 
 class ErrorDetail(str):
     """
     A string-like object that can additionally have a code.
     """
+
     code = None
 
     def __new__(cls, string, code=None):
@@ -87,7 +83,7 @@ def __ne__(self, other):
         return not result
 
     def __repr__(self):
-        return 'ErrorDetail(string=%r, code=%r)' % (
+        return "ErrorDetail(string=%r, code=%r)" % (
             str(self),
             self.code,
         )
@@ -101,11 +97,23 @@ class APIException(Exception):
     Base class for REST framework exceptions.
     Subclasses should provide `.status_code` and `.default_detail` properties.
     """
+
     status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
-    default_detail = _('A server error occurred.')
-    default_code = 'error'
+    default_detail = _("A server error occurred.")
+    default_code = "error"
 
     def __init__(self, detail=None, code=None):
+        if (
+            isinstance(detail, tuple)
+            and isinstance(code, tuple)
+            and len(detail) == len(code)
+        ):
+            self.detail = [
+                _get_error_details(d or self.default_detail, c or self.default_code)
+                for d, c in zip(detail, code)
+            ]
+            return
+
         if detail is None:
             detail = self.default_detail
         if code is None:
@@ -140,10 +148,11 @@ def get_full_details(self):
 # from rest_framework import serializers
 # raise serializers.ValidationError('Value was invalid')
 
+
 class ValidationError(APIException):
     status_code = status.HTTP_400_BAD_REQUEST
-    default_detail = _('Invalid input.')
-    default_code = 'invalid'
+    default_detail = _("Invalid input.")
+    default_code = "invalid"
 
     def __init__(self, detail=None, code=None):
         if detail is None:
@@ -163,38 +172,38 @@ def __init__(self, detail=None, code=None):
 
 class ParseError(APIException):
     status_code = status.HTTP_400_BAD_REQUEST
-    default_detail = _('Malformed request.')
-    default_code = 'parse_error'
+    default_detail = _("Malformed request.")
+    default_code = "parse_error"
 
 
 class AuthenticationFailed(APIException):
     status_code = status.HTTP_401_UNAUTHORIZED
-    default_detail = _('Incorrect authentication credentials.')
-    default_code = 'authentication_failed'
+    default_detail = _("Incorrect authentication credentials.")
+    default_code = "authentication_failed"
 
 
 class NotAuthenticated(APIException):
     status_code = status.HTTP_401_UNAUTHORIZED
-    default_detail = _('Authentication credentials were not provided.')
-    default_code = 'not_authenticated'
+    default_detail = _("Authentication credentials were not provided.")
+    default_code = "not_authenticated"
 
 
 class PermissionDenied(APIException):
     status_code = status.HTTP_403_FORBIDDEN
-    default_detail = _('You do not have permission to perform this action.')
-    default_code = 'permission_denied'
+    default_detail = _("You do not have permission to perform this action.")
+    default_code = "permission_denied"
 
 
 class NotFound(APIException):
     status_code = status.HTTP_404_NOT_FOUND
-    default_detail = _('Not found.')
-    default_code = 'not_found'
+    default_detail = _("Not found.")
+    default_code = "not_found"
 
 
 class MethodNotAllowed(APIException):
     status_code = status.HTTP_405_METHOD_NOT_ALLOWED
     default_detail = _('Method "{method}" not allowed.')
-    default_code = 'method_not_allowed'
+    default_code = "method_not_allowed"
 
     def __init__(self, method, detail=None, code=None):
         if detail is None:
@@ -204,8 +213,8 @@ def __init__(self, method, detail=None, code=None):
 
 class NotAcceptable(APIException):
     status_code = status.HTTP_406_NOT_ACCEPTABLE
-    default_detail = _('Could not satisfy the request Accept header.')
-    default_code = 'not_acceptable'
+    default_detail = _("Could not satisfy the request Accept header.")
+    default_code = "not_acceptable"
 
     def __init__(self, detail=None, code=None, available_renderers=None):
         self.available_renderers = available_renderers
@@ -215,7 +224,7 @@ def __init__(self, detail=None, code=None, available_renderers=None):
 class UnsupportedMediaType(APIException):
     status_code = status.HTTP_415_UNSUPPORTED_MEDIA_TYPE
     default_detail = _('Unsupported media type "{media_type}" in request.')
-    default_code = 'unsupported_media_type'
+    default_code = "unsupported_media_type"
 
     def __init__(self, media_type, detail=None, code=None):
         if detail is None:
@@ -225,21 +234,28 @@ def __init__(self, media_type, detail=None, code=None):
 
 class Throttled(APIException):
     status_code = status.HTTP_429_TOO_MANY_REQUESTS
-    default_detail = _('Request was throttled.')
-    extra_detail_singular = _('Expected available in {wait} second.')
-    extra_detail_plural = _('Expected available in {wait} seconds.')
-    default_code = 'throttled'
+    default_detail = _("Request was throttled.")
+    extra_detail_singular = _("Expected available in {wait} second.")
+    extra_detail_plural = _("Expected available in {wait} seconds.")
+    default_code = "throttled"
 
     def __init__(self, wait=None, detail=None, code=None):
         if detail is None:
             detail = force_str(self.default_detail)
         if wait is not None:
             wait = math.ceil(wait)
-            detail = ' '.join((
-                detail,
-                force_str(ngettext(self.extra_detail_singular.format(wait=wait),
-                                   self.extra_detail_plural.format(wait=wait),
-                                   wait))))
+            detail = " ".join(
+                (
+                    detail,
+                    force_str(
+                        ngettext(
+                            self.extra_detail_singular.format(wait=wait),
+                            self.extra_detail_plural.format(wait=wait),
+                            wait,
+                        )
+                    ),
+                )
+            )
         self.wait = wait
         super().__init__(detail, code)
 
@@ -248,17 +264,13 @@ def server_error(request, *args, **kwargs):
     """
     Generic 500 error handler.
     """
-    data = {
-        'error': 'Server Error (500)'
-    }
+    data = {"error": "Server Error (500)"}
     return JsonResponse(data, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 
 def bad_request(request, exception, *args, **kwargs):
     """
     Generic 400 error handler.
     """
-    data = {
-        'error': 'Bad Request (400)'
-    }
+    data = {"error": "Bad Request (400)"}
     return JsonResponse(data, status=status.HTTP_400_BAD_REQUEST)

rest_framework/permissions.py

@@ -2,7 +2,6 @@
 Provides a set of pluggable permission policies.
 """
 from django.http import Http404
-from django.utils.translation import gettext_lazy as _
 
 from rest_framework import exceptions
 
@@ -59,61 +58,69 @@ def __hash__(self):
         return hash((self.operator_class, self.op1_class, self.op2_class))
 
 
-class AND:
-    def __init__(self, op1, op2):
-        self.op1 = op1
-        self.op2 = op2
-        self.message = None
+class OperatorBase:
+    def __init__(self, *permissions):
+        self._permissions = permissions
 
-    def has_permission(self, request, view):
-        if not self.op1.has_permission(request, view):
-            self.message = getattr(self.op1, 'message', None)
-            return False
 
-        if not self.op2.has_permission(request, view):
-            self.message = getattr(self.op2, 'message', None)
-            return False
+class AND(OperatorBase):
 
+    def has_permission(self, request, view):
+        for perm in self._permissions:
+            if not perm.has_permission(request, view):
+                self._set_message_and_code(perm)
+                return False
         return True
 
     def has_object_permission(self, request, view, obj):
-        if not self.op1.has_object_permission(request, view, obj):
-            self.message = getattr(self.op1, 'message', None)
-            return False
-
-        if not self.op2.has_object_permission(request, view, obj):
-            self.message = getattr(self.op2, 'message', None)
-            return False
-
+        for perm in self._permissions:
+            if not perm.has_object_permission(request, view, obj):
+                self._set_message_and_code(perm)
+                return False
         return True
 
+    def _set_message_and_code(self, perm):
+        self.message = getattr(perm, 'message', None)
+        self.code = getattr(perm, 'code', None)
 
-class OR:
-    def __init__(self, op1, op2):
-        self.op1 = op1
-        self.op2 = op2
-        self.message1 = getattr(op1, 'message', None)
-        self.message2 = getattr(op2, 'message', None)
-        self.message = self.message1 or self.message2
-        if self.message1 and self.message2:
-            self.message = '"{0}" {1} "{2}"'.format(
-                self.message1, _('OR'), self.message2,
-            )
+
+class OR(OperatorBase):
 
     def has_permission(self, request, view):
-        return (
-            self.op1.has_permission(request, view) or
-            self.op2.has_permission(request, view)
-        )
+        collector = ResultCollector()
+        for perm in self._permissions:
+            if perm.has_permission(request, view):
+                return True
+            else:
+                collector.add_message_and_code(perm)
+        collector.finalize(self)
+        return False
 
     def has_object_permission(self, request, view, obj):
-        return (
-            self.op1.has_permission(request, view)
-            and self.op1.has_object_permission(request, view, obj)
-        ) or (
-            self.op2.has_permission(request, view)
-            and self.op2.has_object_permission(request, view, obj)
-        )
+        collector = ResultCollector()
+        for perm in self._permissions:
+            if perm.has_permission(request, view) and perm.has_object_permission(request, view, obj):
+                return True
+            else:
+                collector.add_message_and_code(perm)
+        collector.finalize(self)
+        return False
+
+
+class ResultCollector:
+    def __init__(self):
+        self.messages = ()
+        self.codes = ()
+
+    def add_message_and_code(self, perm):
+        message = getattr(perm, 'message', None)
+        code = getattr(perm, 'code', None)
+        self.messages += (message,)
+        self.codes += (code,)
+
+    def finalize(self, perm):
+        perm.message = self.messages
+        perm.code = self.codes
 
 
 class NOT: