from rest_framework.permissions import BasePermission, SAFE_METHODS
class IsOwner(BasePermission):
    """Object-level permission that grants access to the object's owner only.

    Only ``has_object_permission`` is overridden here, so the view-level
    ``has_permission`` check is whatever ``BasePermission`` provides.
    """

    def has_object_permission(self, request, view, obj):
        """Return the result of comparing ``obj.owner`` with ``request.user``."""
        # NOTE(review): DRF runs object-level checks only when the view calls
        # get_object() / check_object_permissions(); list endpoints need their
        # queryset filtered separately.
        owner = obj.owner
        return owner == request.user
class IsCreator(BasePermission):
    """Object-level permission that grants access to the object's creator only.

    Only ``has_object_permission`` is overridden here, so the view-level
    ``has_permission`` check is whatever ``BasePermission`` provides.
    """

    def has_object_permission(self, request, view, obj):
        """Return the result of comparing ``obj.creator`` with ``request.user``."""
        # NOTE(review): DRF runs object-level checks only when the view calls
        # get_object() / check_object_permissions(); list endpoints need their
        # queryset filtered separately.
        creator = obj.creator
        return creator == request.user
class IsOwnerOrReadOnly(BasePermission):
    """Object-level: anyone may read, only the object's owner may modify."""

    def has_object_permission(self, request, view, obj):
        """Allow SAFE_METHODS for every caller; otherwise require ownership."""
        # Read-only methods short-circuit to True, so the ownership comparison
        # is evaluated only for state-changing requests.
        # NOTE(review): reads are unrestricted by this class; pair it with an
        # authentication permission if anonymous reads are not intended.
        return request.method in SAFE_METHODS or obj.owner == request.user
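class WebhookPermission(BasePermission):
    """
    Validates the X-Webhook-Secret header against settings.WEBHOOK_SECRET.
    Used on the RunPod callback endpoint.

    Access is denied when WEBHOOK_SECRET is missing, empty or not a string,
    so an unconfigured deployment fails closed instead of accepting callbacks.
    """

    def has_permission(self, request, view):
        """Return True only if the request carries the configured secret."""
        import hmac

        from django.conf import settings

        expected = getattr(settings, "WEBHOOK_SECRET", None)
        if not isinstance(expected, str) or not expected:
            return False

        supplied = request.headers.get("X-Webhook-Secret", "")
        # A plain == on strings can return as soon as the first differing
        # character is found, which exposes a timing signal about the secret.
        # compare_digest takes time independent of where the values differ.
        # Both sides are encoded because compare_digest rejects non-ASCII str.
        return hmac.compare_digest(
            supplied.encode("utf-8"), expected.encode("utf-8")
        )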