Fix bugs in API perm checking

2021-05-23 00:42:30 +02:00 · 2021-05-23 00:42:30 +02:00 · 43d678d8ca
commit 43d678d8ca
parent 07f994ce91
5 changed files with 41 additions and 8 deletions
--- a/evennia/web/api/README.md
+++ b/evennia/web/api/README.md
@ -1,6 +1,7 @@
 # Evennia API

 ## Synopsis
+
 An API, or [Application Programming Interface][wiki-api], is a way of establishing rules
 through which external services can use your program. In web development, it's
 often that case that the 'frontend' of a web app is written in HTML and Javascript
@ -141,4 +142,4 @@ the native [Fetch][fetch].
 [rest]: https://en.wikipedia.org/wiki/Representational_state_transfer
 [requests]: https://requests.readthedocs.io/en/master/
 [axios]: https://github.com/axios/axios
-[fetch]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
+[fetch]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
--- a/evennia/web/api/permissions.py
+++ b/evennia/web/api/permissions.py
@ -1,13 +1,20 @@
-from rest_framework import permissions
+"""
+Sets up an api-access permission check using the in-game permission hierarchy.

+"""
+
+
+from rest_framework import permissions
 from django.conf import settings
+from evennia.locks.lockhandler import check_perm


 class EvenniaPermission(permissions.BasePermission):
    """
-    A Django Rest Framework permission class that allows us to use
-    Evennia's permission structure. Based on the action in a given
-    view, we'll check a corresponding Evennia access/lock check.
+    A Django Rest Framework permission class that allows us to use Evennia's
+    permission structure. Based on the action in a given view, we'll check a
+    corresponding Evennia access/lock check.
+
    """

    # subclass this to change these permissions
@ -40,9 +47,9 @@ class EvenniaPermission(permissions.BasePermission):
            return True
        # these actions don't support object-level permissions, so use the above definitions
        if view.action == "list":
-            return request.user.has_permistring(self.MINIMUM_LIST_PERMISSION)
+            return check_perm(request.user, self.MINIMUM_LIST_PERMISSION)
        if view.action == "create":
-            return request.user.has_permistring(self.MINIMUM_CREATE_PERMISSION)
+            return check_perm(request.user, self.MINIMUM_CREATE_PERMISSION)
        return True  # this means we'll check object-level permissions

    @staticmethod
--- a/evennia/web/api/urls.py
+++ b/evennia/web/api/urls.py
@ -7,6 +7,7 @@ actions that it detects for a viewset. For example, below we create a DefaultRou
 We then register ObjectDBViewSet, a viewset for CRUD operations for ObjectDB
 instances, to the 'objects' base endpoint. That will generate a number of URLs
 like the following:
+
 list objects:    action: GET, url: /objects/, view name: object-list
 create object:   action: POST, url: /objects/, view name: object-list
 retrieve object: action: GET, url: /objects/<:pk>, view name: object-detail