Permissions: start from scratch and add IsCollectionAdmin permission.

This commit is contained in:
Tom Hacohen 2020-05-20 13:47:06 +03:00
parent c30cc2f229
commit 4ca74bc69b

View File

@ -13,53 +13,22 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from rest_framework import permissions
from journal.models import Journal, JournalMember
from django_etesync.models import Collection, AccessLevels
class IsOwnerOrReadOnly(permissions.BasePermission):
class IsCollectionAdmin(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to edit it.
"""
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
return obj.owner == request.user
class IsJournalOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of a journal to view it
Custom permission to only allow owners of a collection to view it
"""
message = 'Only collection admins can perform this operation.'
code = 'admin_access_required'
def has_permission(self, request, view):
journal_uid = view.kwargs['journal_uid']
collection_uid = view.kwargs['collection_uid']
try:
journal = view.get_journal_queryset().get(uid=journal_uid)
return journal.owner == request.user
except Journal.DoesNotExist:
# If the journal does not exist, we want to 404 later, not permission denied.
return True
class IsMemberReadOnly(permissions.BasePermission):
"""
Custom permission to make a journal read only if a read only member
"""
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS:
return True
journal_uid = view.kwargs['journal_uid']
try:
journal = view.get_journal_queryset().get(uid=journal_uid)
member = journal.members.get(user=request.user)
return not member.readOnly
except Journal.DoesNotExist:
# If the journal does not exist, we want to 404 later, not permission denied.
return True
except JournalMember.DoesNotExist:
# Not being a member means we are the owner.
collection = view.get_collection_queryset().get(uid=collection_uid)
member = collection.members.filter(user=request.user).first()
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
except Collection.DoesNotExist:
# If the collection does not exist, we want to 404 later, not permission denied.
return True