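from rest_framework import permissions
from rest_framework.authtoken.models import Token
from django.contrib.auth.models import AnonymousUser


def _is_staff_user(request):
    """Return True when the request carries an authenticated staff user.

    This is the session-authentication path: ``request.user`` is whatever the
    configured authentication classes resolved, and only an authenticated
    user with ``is_staff`` set passes.
    """
    user = request.user
    return bool(user and user.is_authenticated and user.is_staff)


def _token_user_is_active(key):
    """Return True if *key* names an existing DRF auth token whose owner is active.

    Args:
        key: the candidate token key, or a falsy value when none was supplied.

    Returns:
        True only when a ``Token`` row with exactly this key exists and its
        owner has ``is_active`` set; False for a missing key, an unknown
        token or an inactive owner.

    Only ``Token.DoesNotExist`` is handled; any other database error still
    propagates to the caller rather than being turned into a silent deny.
    """
    # An empty/None key cannot match a token, so skip the DB round trip.
    if not key:
        return False
    try:
        token_obj = Token.objects.get(key=key)
    except Token.DoesNotExist:
        return False
    return bool(token_obj.user.is_active)


def _header_token(request):
    """Extract the key from an ``Authorization: Token <key>`` header.

    Returns:
        The key string, or None when the header is absent or malformed.

    A header that does not consist of exactly the literal ``Token`` followed
    by one key is rejected outright (returns None) instead of guessing which
    fragment was meant as the key; this mirrors the strictness of DRF's own
    TokenAuthentication header parsing.
    """
    auth_header = request.META.get('HTTP_AUTHORIZATION', '')
    parts = auth_header.split(' ')
    if len(parts) != 2 or parts[0] != 'Token':
        return None
    return parts[1]


class SwaggerTokenPermission(permissions.BasePermission):
    """
    Custom permission for Swagger that allows access to authenticated users
    via token or admin users via session authentication.

    Three independent paths grant access, checked in this order:

    1. a session-authenticated staff user (``request.user.is_staff``);
    2. a token key stored in the session under ``'swagger_token'``;
    3. a token key presented in an ``Authorization: Token <key>`` header.

    NOTE(review): paths 2 and 3 verify the token inside the permission class
    rather than through a DRF authentication class, so a request admitted
    this way does NOT get ``request.user`` populated from the token. Any
    downstream code that relies on ``request.user`` (object-level
    permissions, throttling keyed on the user, audit logging) will see the
    session user or AnonymousUser instead of the token owner.
    """

    def has_permission(self, request, view):
        """Grant access for staff session users or holders of an active token."""
        if _is_staff_user(request):
            return True
        # Token placed in the session by the project's custom auth flow.
        if _token_user_is_active(request.session.get('swagger_token')):
            return True
        # Fall back to a token supplied directly in the Authorization header.
        return _token_user_is_active(_header_token(request))


class IsAdminOrSwaggerToken(permissions.BasePermission):
    """
    Permission that allows access to admin users or users with a valid
    swagger token held in the session.

    Unlike ``SwaggerTokenPermission`` this class does not read the
    ``Authorization`` header; only the session-stored ``'swagger_token'``
    is consulted after the staff check.

    NOTE(review): as with ``SwaggerTokenPermission``, a request admitted via
    the session token does not have ``request.user`` set to the token owner.
    """

    def has_permission(self, request, view):
        """Grant access for staff session users or an active session token owner."""
        if _is_staff_user(request):
            return True
        return _token_user_is_active(request.session.get('swagger_token'))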