Move ObjectPermissionRequiredMixin to utilities.views

netbox/utilities/views.py

@@ -4,7 +4,8 @@ from copy import deepcopy
 
 from django.contrib import messages
 from django.contrib.contenttypes.models import ContentType
-from django.core.exceptions import FieldDoesNotExist, ObjectDoesNotExist, ValidationError
+from django.contrib.auth.mixins import AccessMixin
+from django.core.exceptions import FieldDoesNotExist, ImproperlyConfigured, ObjectDoesNotExist, ValidationError
 from django.db import transaction, IntegrityError
 from django.db.models import ManyToManyField, ProtectedError
 from django.forms import Form, ModelMultipleChoiceField, MultipleHiddenInput, Textarea
@@ -32,6 +33,61 @@ from .forms import ConfirmationForm, ImportForm
 from .paginator import EnhancedPaginator, get_paginate_count
 
 
+#
+# Mixins
+#
+
+class ObjectPermissionRequiredMixin(AccessMixin):
+    """
+    Similar to Django's built-in PermissionRequiredMixin, but extended to check for both model-level and object-level
+    permission assignments. If the user has only object-level permissions assigned, the view's queryset is filtered
+    to return only those objects on which the user is permitted to perform the specified action.
+    """
+    permission_required = None
+
+    def has_permission(self):
+        user = self.request.user
+
+        # First, check that the user is granted the required permission at either the model or object level.
+        if not user.has_perm(self.permission_required):
+            return False
+
+        # Superusers implicitly have all permissions
+        if user.is_superuser:
+            return True
+
+        # Determine whether the permission is model-level or object-level. Model-level permissions grant the
+        # specified action to *all* objects, so no further action is needed.
+        if self.permission_required in {*user._user_perm_cache, *user._group_perm_cache}:
+            return True
+
+        # If the permission is granted only at the object level, filter the view's queryset to return only objects
+        # on which the user is permitted to perform the specified action.
+        attrs = ObjectPermission.objects.get_attr_constraints(user, self.permission_required)
+        if attrs:
+            # Update the view's QuerySet to filter only the permitted objects
+            self.queryset = self.queryset.filter(attrs)
+            return True
+
+    def dispatch(self, request, *args, **kwargs):
+        if self.permission_required is None:
+            raise ImproperlyConfigured(
+                '{0} is missing the permission_required attribute. Define {0}.permission_required, or override '
+                '{0}.get_permission_required().'.format(self.__class__.__name__)
+            )
+
+        if not hasattr(self, 'queryset'):
+            raise ImproperlyConfigured(
+                '{} has no queryset defined. ObjectPermissionRequiredMixin may only be used on views which define '
+                'a base queryset'.format(self.__class__.__name__)
+            )
+
+        if not self.has_permission():
+            return self.handle_no_permission()
+
+        return super().dispatch(request, *args, **kwargs)
+
+
 class GetReturnURLMixin(object):
     """
     Provides logic for determining where a user should be redirected after processing a form.
@@ -58,6 +114,10 @@ class GetReturnURLMixin(object):
         return reverse('home')
 
 
+#
+# Generic views
+#
+
 class ObjectListView(View):
     """
     List a series of objects.