improve permission_classes checking to support rest_condition as well as DRF 3.9+ bitwise operands

n2ygk · n2ygk · commit 838bc2e54fd4 · 2019-08-14T11:29:00.000-04:00
diff --git a/rest_framework_json_api/schemas/openapi.py b/rest_framework_json_api/schemas/openapi.py
@@ -6,6 +6,7 @@
 from django.utils.module_loading import import_string as import_class_from_dotted_path
 from rest_framework import exceptions
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
+from rest_framework.permissions import OperandHolder, SingleOperandHolder
 from rest_framework.relations import ManyRelatedField
 from rest_framework.schemas import openapi as drf_openapi
 from rest_framework.schemas.utils import is_list_view
@@ -14,6 +15,14 @@
 from rest_framework_json_api.optional import OAuth2Authentication, TokenMatchesOASRequirements
 from rest_framework_json_api.views import RelationshipView
 
+# DRF 3.9+ has native boolean conditions now
+# But older code may use rest_condition or other packages.
+try:
+    from rest_condition import Condition as rest_condition_Condition
+except ImportError:
+    rest_condition_Condition = None
+
+
 #: static OAS 3.0 component definitions that are referenced by AutoSchema.
 JSONAPI_COMPONENTS = {
     'schemas': {
@@ -566,8 +575,32 @@ def _get_oauth_security(self, path, method):
         self.openapi_schema['components']['securitySchemes']['oauth']['flows'] = flows
         # TODO: add JWT and SAML2 bearer
         content = []
-        for perm_class in self.view.permission_classes:
-            if issubclass(perm_class, TokenMatchesOASRequirements):
+        # permission_classes can be a direct list of classes, or instances of Operands, etc.
+        # TODO: this is kind of ugly. modularize it.
+        for perm_class_or_condition in self.view.permission_classes:
+            # check if DRF conditional operands were specified
+            if isinstance(perm_class_or_condition, OperandHolder):
+                if issubclass(perm_class_or_condition.op1_class, TokenMatchesOASRequirements):
+                    perm_class_instance = perm_class_or_condition.op1_class()
+                elif issubclass(perm_class_or_condition.op2_class, TokenMatchesOASRequirements):
+                    perm_class_instance = perm_class_or_condition.op2_class()
+                else:
+                    perm_class_instance = None
+            elif isinstance(perm_class_or_condition, SingleOperandHolder):
+                if issubclass(perm_class_or_condition.op1_class, TokenMatchesOASRequirements):
+                    perm_class_instance = perm_class_or_condition.op1_class()
+                else:
+                    perm_class_instance = None
+            # check for rest_condition.Condition
+            elif (rest_condition_Condition and
+                  isinstance(perm_class_or_condition, rest_condition_Condition)):
+                for cond in perm_class_or_condition.perms_or_conds:
+                    if issubclass(cond, TokenMatchesOASRequirements):
+                        perm_class_instance = cond()
+                        break
+            else:
+                perm_class_instance = perm_class_or_condition()
+            if isinstance(perm_class_instance, TokenMatchesOASRequirements):
                 alt_scopes = self.view.required_alternate_scopes
                 if method not in alt_scopes:
                     continue
