""" Moderation Permissions This module contains custom permission classes for the moderation system, providing role-based access control for moderation operations. """ from rest_framework import permissions from django.contrib.auth import get_user_model User = get_user_model() class IsModerator(permissions.BasePermission): """ Permission that only allows moderators to access the view. """ def has_permission(self, request, view): """Check if user is authenticated and has moderator role.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role == "MODERATOR" def has_object_permission(self, request, view, obj): """Check object-level permissions for moderators.""" return self.has_permission(request, view) class IsModeratorOrAdmin(permissions.BasePermission): """ Permission that allows moderators, admins, and superusers to access the view. """ def has_permission(self, request, view): """Check if user is authenticated and has moderator, admin, or superuser role.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["MODERATOR", "ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for moderators and admins.""" return self.has_permission(request, view) class IsAdminOrSuperuser(permissions.BasePermission): """ Permission that only allows admins and superusers to access the view. """ def has_permission(self, request, view): """Check if user is authenticated and has admin or superuser role.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for admins and superusers.""" return self.has_permission(request, view) class CanViewModerationData(permissions.BasePermission): """ Permission that allows users to view moderation data based on their role. - Regular users can only view their own reports - Moderators and above can view all moderation data """ def has_permission(self, request, view): """Check if user is authenticated.""" return request.user and request.user.is_authenticated def has_object_permission(self, request, view, obj): """Check object-level permissions for viewing moderation data.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") # Moderators and above can view all data if user_role in ["MODERATOR", "ADMIN", "SUPERUSER"]: return True # Regular users can only view their own reports if hasattr(obj, "reported_by"): return obj.reported_by == request.user # For other objects, deny access to regular users return False class CanModerateContent(permissions.BasePermission): """ Permission that allows users to moderate content based on their role. - Only moderators and above can moderate content - Includes additional checks for specific moderation actions """ def has_permission(self, request, view): """Check if user is authenticated and has moderation privileges.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["MODERATOR", "ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for content moderation.""" if not self.has_permission(request, view): return False user_role = getattr(request.user, "role", "USER") # Superusers can do everything if user_role == "SUPERUSER": return True # Admins can moderate most content but may have some restrictions if user_role == "ADMIN": # Add any admin-specific restrictions here if needed return True # Moderators have basic moderation permissions if user_role == "MODERATOR": # Add any moderator-specific restrictions here if needed # For example, moderators might not be able to moderate admin actions if hasattr(obj, "moderator") and obj.moderator: moderator_role = getattr(obj.moderator, "role", "USER") if moderator_role in ["ADMIN", "SUPERUSER"]: return False return True return False class CanAssignModerationTasks(permissions.BasePermission): """ Permission that allows users to assign moderation tasks to others. - Moderators can assign tasks to themselves - Admins can assign tasks to moderators and themselves - Superusers can assign tasks to anyone """ def has_permission(self, request, view): """Check if user is authenticated and has assignment privileges.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["MODERATOR", "ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for task assignment.""" if not self.has_permission(request, view): return False user_role = getattr(request.user, "role", "USER") # Superusers can assign to anyone if user_role == "SUPERUSER": return True # Admins can assign to moderators and themselves if user_role == "ADMIN": return True # Moderators can only assign to themselves if user_role == "MODERATOR": # Check if they're trying to assign to themselves assignee_id = request.data.get("moderator_id") or request.data.get( "assigned_to" ) if assignee_id: return str(assignee_id) == str(request.user.id) return True return False class CanPerformBulkOperations(permissions.BasePermission): """ Permission that allows users to perform bulk operations. - Only admins and superusers can perform bulk operations - Includes additional safety checks for destructive operations """ def has_permission(self, request, view): """Check if user is authenticated and has bulk operation privileges.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for bulk operations.""" if not self.has_permission(request, view): return False user_role = getattr(request.user, "role", "USER") # Superusers can perform all bulk operations if user_role == "SUPERUSER": return True # Admins can perform most bulk operations if user_role == "ADMIN": # Add any admin-specific restrictions for bulk operations here # For example, admins might not be able to perform certain destructive operations operation_type = getattr(obj, "operation_type", None) if operation_type in ["DELETE_USERS", "PURGE_DATA"]: return False # Only superusers can perform these operations return True return False class IsOwnerOrModerator(permissions.BasePermission): """ Permission that allows object owners or moderators to access the view. - Users can access their own objects - Moderators and above can access any object """ def has_permission(self, request, view): """Check if user is authenticated.""" return request.user and request.user.is_authenticated def has_object_permission(self, request, view, obj): """Check object-level permissions for owners or moderators.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") # Moderators and above can access any object if user_role in ["MODERATOR", "ADMIN", "SUPERUSER"]: return True # Check if user is the owner of the object if hasattr(obj, "reported_by"): return obj.reported_by == request.user elif hasattr(obj, "created_by"): return obj.created_by == request.user elif hasattr(obj, "user"): return obj.user == request.user return False class CanManageUserRestrictions(permissions.BasePermission): """ Permission that allows users to manage user restrictions and moderation actions. - Moderators can create basic restrictions (warnings, temporary suspensions) - Admins can create more severe restrictions (longer suspensions, content removal) - Superusers can create any restriction including permanent bans """ def has_permission(self, request, view): """Check if user is authenticated and has restriction management privileges.""" if not request.user or not request.user.is_authenticated: return False user_role = getattr(request.user, "role", "USER") return user_role in ["MODERATOR", "ADMIN", "SUPERUSER"] def has_object_permission(self, request, view, obj): """Check object-level permissions for managing user restrictions.""" if not self.has_permission(request, view): return False user_role = getattr(request.user, "role", "USER") # Superusers can manage any restriction if user_role == "SUPERUSER": return True # Get the action type from request data or object action_type = None if request.method in ["POST", "PUT", "PATCH"]: action_type = request.data.get("action_type") elif hasattr(obj, "action_type"): action_type = obj.action_type # Admins can manage most restrictions if user_role == "ADMIN": # Admins cannot create permanent bans if action_type == "USER_BAN" and request.data.get("duration_hours") is None: return False return True # Moderators can only manage basic restrictions if user_role == "MODERATOR": allowed_actions = ["WARNING", "CONTENT_REMOVAL", "USER_SUSPENSION"] if action_type not in allowed_actions: return False # Moderators can only create temporary suspensions (max 7 days) if action_type == "USER_SUSPENSION": duration_hours = request.data.get("duration_hours", 0) if duration_hours > 168: # 7 days = 168 hours return False return True return False