Permissions & Access Control

class BasePermissions:
    def user_can_create_object(user, obj):
        """Check if user can create the object"""
        
    def user_can_read_object(user, obj):
        """Check if user can read the object"""
        
    def user_can_update_object(user, obj):
        """Check if user can update the object"""
        
    def user_can_delete_object(user, obj):
        """Check if user can delete the object"""
        
    def readable_by_user_filter(user):
        """Return queryset filter for readable objects"""

RoleBasedPermissions(
    target_field="collection",
    can_be_created_by=(role_kinds.ADMIN,),
    can_be_read_by=(role_kinds.ADMIN, role_kinds.COACH),
    can_be_updated_by=(role_kinds.ADMIN,),
    can_be_deleted_by=(role_kinds.ADMIN,),
)

from kolibri.core.auth.permissions.general import DenyAll

class InternalResource:
    permissions = DenyAll()

from kolibri.core.auth.permissions.general import AllowAll

class PublicResource:
    permissions = AllowAll()

from kolibri.core.auth.permissions.general import IsSelf

# Read-only access to own user profile
permissions = IsSelf(read_only=True)

from kolibri.core.auth.permissions.general import IsOwn

# User can manage their own content
permissions = IsOwn(field_name="user_id")

from kolibri.core.auth.permissions.general import IsAdminForOwnFacility

permissions = IsAdminForOwnFacility()

# User can access if they own it OR are an admin
permissions = IsOwn(field_name="created_by") | IsAdminForOwnFacility()

# User must be self AND in read-only mode (redundant example)
permissions = IsSelf() & IsSelf(read_only=True)

from kolibri.core.auth.api import KolibriAuthPermissions
from rest_framework import viewsets

class MyViewSet(viewsets.ModelViewSet):
    permission_classes = (KolibriAuthPermissions,)

from kolibri.core.auth.api import KolibriAuthPermissionsFilter
from django_filters.rest_framework import DjangoFilterBackend

class MyViewSet(viewsets.ModelViewSet):
    filter_backends = (
        KolibriAuthPermissionsFilter,  # Apply first
        DjangoFilterBackend,
    )

# Check if user can create an object
if request.user.can_create(Lesson, validated_data):
    lesson = Lesson.objects.create(**validated_data)

# Check if user can read an object
if request.user.can_read(lesson):
    return lesson

# Check if user can update an object  
if request.user.can_update(lesson):
    lesson.title = "New Title"
    lesson.save()

# Check if user can delete an object
if request.user.can_delete(lesson):
    lesson.delete()

# Filter queryset to readable objects
readable_lessons = request.user.filter_readable(Lesson.objects.all())

from kolibri.core.auth.constants import role_kinds

role_kinds.ADMIN             # Facility administrator
role_kinds.COACH             # Classroom coach
role_kinds.ASSIGNABLE_COACH  # Coach that can be assigned to specific resources

# Check if user has a specific role for a collection
if user.has_role_for_collection(role_kinds.ADMIN, facility):
    # User is admin for this facility
    pass

# Check if user has any of multiple roles
if user.has_role_for(
    (role_kinds.ADMIN, role_kinds.COACH),
    classroom
):
    # User is admin or coach for this classroom
    pass

from kolibri.core.auth.constants import user_kinds

user_kinds.ADMIN      # Facility administrator
user_kinds.COACH      # Coach (classroom level)
user_kinds.LEARNER    # Regular learner
user_kinds.SUPERUSER  # Device superuser

# Coach wants to create a lesson for their classroom
lesson_data = {
    'title': 'Math Lesson 1',
    'collection': classroom,  # Their classroom
    'created_by': coach_user,
}

# Permission check (automatic in viewset)
can_create = coach_user.can_create(Lesson, lesson_data)
# Returns: True (coach has role for classroom)

# Learner wants to read their own progress data
progress = ContentSummaryLog.objects.get(user=learner_user)

can_read = learner_user.can_read(progress)
# Returns: True (IsOwn permission allows reading own data)

# Admin wants to create a new user in their facility
user_data = {
    'username': 'newlearner',
    'facility': admin_facility,
}

can_create = admin_user.can_create(FacilityUser, user_data)
# Returns: True (admin has role for facility)

# Admin tries to access user from different facility
other_user = FacilityUser.objects.get(
    facility=other_facility,
    username='someone'
)

can_read = admin_user.can_read(other_user)
# Returns: False (admin role is facility-specific)

{
  "detail": "You do not have permission to perform this action."
}

[
  {
    "id": "INVALID_CREDENTIALS",
    "metadata": {}
  }
]

# Good: Restrictive by default
class SensitiveDataViewSet(viewsets.ModelViewSet):
    permission_classes = (KolibriAuthPermissions,)

# Bad: Too permissive
class SensitiveDataViewSet(viewsets.ModelViewSet):
    permission_classes = (AllowAuthenticated,)

class MyViewSet(viewsets.ModelViewSet):
    filter_backends = (
        KolibriAuthPermissionsFilter,  # Critical!
        DjangoFilterBackend,
    )

@decorators.action(methods=['post'], detail=True)
def custom_action(self, request, pk=None):
    obj = self.get_object()
    
    # Explicit permission check
    if not request.user.can_update(obj):
        raise PermissionDenied("Cannot perform this action")
    
    # Perform action
    obj.do_something()
    return Response({'status': 'success'})

# Good: Hides existence from unauthorized users
if not user.can_read(obj):
    raise Http404()

# Bad: Reveals object exists
if not user.can_read(obj):
    raise PermissionDenied()

def test_coach_cannot_access_other_classroom():
    """Coach should not access classrooms they don't coach"""
    other_classroom = ClassroomFactory()
    response = coach_client.get(f'/api/classroom/{other_classroom.id}/')
    assert response.status_code == 404  # Not 403!