1
0
mirror of https://github.com/etesync/server synced 2025-01-03 21:20:55 +00:00
etesync-server/django_etesync/permissions.py

35 lines
1.4 KiB
Python
Raw Normal View History

2020-02-19 18:53:43 +00:00
# Copyright © 2017 Tom Hacohen
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, version 3.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from rest_framework import permissions
from django_etesync.models import Collection, AccessLevels
2020-02-19 18:53:43 +00:00
class IsCollectionAdmin(permissions.BasePermission):
2020-02-19 18:53:43 +00:00
"""
Custom permission to only allow owners of a collection to view it
2020-02-19 18:53:43 +00:00
"""
message = 'Only collection admins can perform this operation.'
code = 'admin_access_required'
2020-02-19 18:53:43 +00:00
def has_permission(self, request, view):
collection_uid = view.kwargs['collection_uid']
2020-02-19 18:53:43 +00:00
try:
collection = view.get_collection_queryset().get(uid=collection_uid)
member = collection.members.filter(user=request.user).first()
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
except Collection.DoesNotExist:
# If the collection does not exist, we want to 404 later, not permission denied.
2020-02-19 18:53:43 +00:00
return True