Permissions: start from scratch and add IsCollectionAdmin permission.
This commit is contained in:
parent
c30cc2f229
commit
4ca74bc69b
@ -13,53 +13,22 @@
|
|||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
from rest_framework import permissions
|
from rest_framework import permissions
|
||||||
from journal.models import Journal, JournalMember
|
from django_etesync.models import Collection, AccessLevels
|
||||||
|
|
||||||
|
|
||||||
class IsOwnerOrReadOnly(permissions.BasePermission):
|
class IsCollectionAdmin(permissions.BasePermission):
|
||||||
"""
|
"""
|
||||||
Custom permission to only allow owners of an object to edit it.
|
Custom permission to only allow owners of a collection to view it
|
||||||
"""
|
|
||||||
|
|
||||||
def has_object_permission(self, request, view, obj):
|
|
||||||
if request.method in permissions.SAFE_METHODS:
|
|
||||||
return True
|
|
||||||
|
|
||||||
return obj.owner == request.user
|
|
||||||
|
|
||||||
|
|
||||||
class IsJournalOwner(permissions.BasePermission):
|
|
||||||
"""
|
|
||||||
Custom permission to only allow owners of a journal to view it
|
|
||||||
"""
|
"""
|
||||||
|
message = 'Only collection admins can perform this operation.'
|
||||||
|
code = 'admin_access_required'
|
||||||
|
|
||||||
def has_permission(self, request, view):
|
def has_permission(self, request, view):
|
||||||
journal_uid = view.kwargs['journal_uid']
|
collection_uid = view.kwargs['collection_uid']
|
||||||
try:
|
try:
|
||||||
journal = view.get_journal_queryset().get(uid=journal_uid)
|
collection = view.get_collection_queryset().get(uid=collection_uid)
|
||||||
return journal.owner == request.user
|
member = collection.members.filter(user=request.user).first()
|
||||||
except Journal.DoesNotExist:
|
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
|
||||||
# If the journal does not exist, we want to 404 later, not permission denied.
|
except Collection.DoesNotExist:
|
||||||
return True
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
||||||
|
|
||||||
|
|
||||||
class IsMemberReadOnly(permissions.BasePermission):
|
|
||||||
"""
|
|
||||||
Custom permission to make a journal read only if a read only member
|
|
||||||
"""
|
|
||||||
|
|
||||||
def has_permission(self, request, view):
|
|
||||||
if request.method in permissions.SAFE_METHODS:
|
|
||||||
return True
|
|
||||||
|
|
||||||
journal_uid = view.kwargs['journal_uid']
|
|
||||||
try:
|
|
||||||
journal = view.get_journal_queryset().get(uid=journal_uid)
|
|
||||||
member = journal.members.get(user=request.user)
|
|
||||||
return not member.readOnly
|
|
||||||
except Journal.DoesNotExist:
|
|
||||||
# If the journal does not exist, we want to 404 later, not permission denied.
|
|
||||||
return True
|
|
||||||
except JournalMember.DoesNotExist:
|
|
||||||
# Not being a member means we are the owner.
|
|
||||||
return True
|
return True
|
||||||
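Review bot: `IsCollectionAdmin.has_permission` still fails open on an unknown collection — the `except Collection.DoesNotExist: return True` branch grants the request and relies on every view that uses this permission to look the collection up again afterwards from the same queryset and 404; a view that does not (a create/join endpoint, or one that resolves the collection another way) would let a non-member through. Fail closed inside the permission instead, keeping the intended 404: `from django.http import Http404` at the top and `except Collection.DoesNotExist: raise Http404`, which DRF's exception handler renders as a 404 response without depending on the view. The docstring is stale from the `IsJournalOwner` it replaces: the check is `member.accessLevel == AccessLevels.ADMIN`, not ownership, so `"""Allow the operation only to members of the collection whose accessLevel is ADMIN."""` describes what the code does. The lookup `collection.members.filter(user=request.user)` is run without any authentication check, so this class presumably must be combined with `IsAuthenticated` in the view's `permission_classes` — worth confirming, since an anonymous `request.user` cannot be a member and the behaviour of that filter on an `AnonymousUser` is not something this hunk establishes.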
|