Auth mechanism

2026-05-04 15:04:03 +00:00 · 2018-09-19 12:01:16 +02:00
parent ddb645aeea
commit 6d01c99d38
11 changed files with 239 additions and 9 deletions
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -0,0 +1,25 @@
+from django.contrib.auth.models import AnonymousUser
+from rest_framework import exceptions
+from rest_framework.authentication import TokenAuthentication
+
+from pretix.base.models import Device
+
+
+class DeviceTokenAuthentication(TokenAuthentication):
+    model = Device
+    keyword = 'Device'
+
+    def authenticate_credentials(self, key):
+        model = self.get_model()
+        try:
+            device = model.objects.select_related('organizer').get(api_token=key)
+        except model.DoesNotExist:
+            raise exceptions.AuthenticationFailed('Invalid token.')
+
+        if not device.initialized:
+            raise exceptions.AuthenticationFailed('Device has not been initialized.')
+
+        if not device.api_token:
+            raise exceptions.AuthenticationFailed('Device access has been revoked.')
+
+        return AnonymousUser(), device
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -1,7 +1,7 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission

 from pretix.api.models import OAuthAccessToken
-from pretix.base.models import Event
+from pretix.base.models import Device, Event
 from pretix.base.models.organizer import Organizer, TeamAPIToken
 from pretix.helpers.security import (
    SessionInvalid, SessionReauthRequired, assert_session_valid,
@@ -9,10 +9,9 @@ from pretix.helpers.security import (


 class EventPermission(BasePermission):
-    model = TeamAPIToken

    def has_permission(self, request, view):
-        if not request.user.is_authenticated and not isinstance(request.auth, TeamAPIToken):
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
            return False

        if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
@@ -31,7 +30,7 @@ class EventPermission(BasePermission):
            except SessionReauthRequired:
                return False

-        perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
+        perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken))
                       else request.user)
        if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
            request.event = Event.objects.filter(