fix: add missing SpacePermission class to encryptid_auth

The SpacePermission DRF permission class was imported in files/views.py but never defined, causing an ImportError that crash-looped the app. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 15:00:33 -07:00 · 2026-02-15 15:00:33 -07:00 · 2b20b23d0b
parent 0f76ae63a4
commit 2b20b23d0b
1 changed files with 45 additions and 0 deletions
--- a/config/encryptid_auth.py
+++ b/config/encryptid_auth.py
@ -159,6 +159,7 @@ def get_or_create_user(claims: dict):
 try:
    from rest_framework.authentication import BaseAuthentication
    from rest_framework.exceptions import AuthenticationFailed
+    from rest_framework import permissions

    class EncryptIDAuthentication(BaseAuthentication):
        """
@ -186,6 +187,50 @@ try:
        def authenticate_header(self, request):
            return 'Bearer realm="encryptid"'

+    class SpacePermission(permissions.BasePermission):
+        """
+        DRF permission that enforces SharedSpace visibility rules.
+
+        Expects the view to implement get_space_config(request) returning
+        {'visibility': str, 'owner_did': str} or None (no space context).
+        """
+
+        def has_permission(self, request, view):
+            get_config = getattr(view, 'get_space_config', None)
+            if not get_config:
+                return True
+
+            config = get_config(request)
+            if not config:
+                return True  # No space context — allow
+
+            visibility = config.get('visibility', 'public')
+
+            # Public spaces: anyone can read and write
+            if visibility == 'public':
+                return True
+
+            # Public-read spaces: anyone can read, auth required to write
+            if visibility == 'public_read':
+                if request.method in permissions.SAFE_METHODS:
+                    return True
+                return request.user and request.user.is_authenticated
+
+            # Authenticated spaces: any logged-in user
+            if visibility == 'authenticated':
+                return request.user and request.user.is_authenticated
+
+            # Members-only: must be the space owner
+            if visibility == 'members_only':
+                if not (request.user and request.user.is_authenticated):
+                    return False
+                owner_did = config.get('owner_did', '')
+                if not owner_did:
+                    return False
+                return getattr(request.user, 'email', '') == owner_did
+
+            return False
+
 except ImportError:
    # DRF not installed — skip
    pass