|
|
|
|
@ -13,53 +13,22 @@
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
from rest_framework import permissions
|
|
|
|
|
from journal.models import Journal, JournalMember
|
|
|
|
|
from django_etesync.models import Collection, AccessLevels
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class IsOwnerOrReadOnly(permissions.BasePermission):
|
|
|
|
|
class IsCollectionAdmin(permissions.BasePermission):
|
|
|
|
|
"""
|
|
|
|
|
Custom permission to only allow owners of an object to edit it.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
|
|
|
if request.method in permissions.SAFE_METHODS:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
return obj.owner == request.user
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class IsJournalOwner(permissions.BasePermission):
|
|
|
|
|
"""
|
|
|
|
|
Custom permission to only allow owners of a journal to view it
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
|
journal_uid = view.kwargs['journal_uid']
|
|
|
|
|
try:
|
|
|
|
|
journal = view.get_journal_queryset().get(uid=journal_uid)
|
|
|
|
|
return journal.owner == request.user
|
|
|
|
|
except Journal.DoesNotExist:
|
|
|
|
|
# If the journal does not exist, we want to 404 later, not permission denied.
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class IsMemberReadOnly(permissions.BasePermission):
|
|
|
|
|
"""
|
|
|
|
|
Custom permission to make a journal read only if a read only member
|
|
|
|
|
Custom permission to only allow owners of a collection to view it
|
|
|
|
|
"""
|
|
|
|
|
message = 'Only collection admins can perform this operation.'
|
|
|
|
|
code = 'admin_access_required'
|
|
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
|
if request.method in permissions.SAFE_METHODS:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
journal_uid = view.kwargs['journal_uid']
|
|
|
|
|
collection_uid = view.kwargs['collection_uid']
|
|
|
|
|
try:
|
|
|
|
|
journal = view.get_journal_queryset().get(uid=journal_uid)
|
|
|
|
|
member = journal.members.get(user=request.user)
|
|
|
|
|
return not member.readOnly
|
|
|
|
|
except Journal.DoesNotExist:
|
|
|
|
|
# If the journal does not exist, we want to 404 later, not permission denied.
|
|
|
|
|
return True
|
|
|
|
|
except JournalMember.DoesNotExist:
|
|
|
|
|
# Not being a member means we are the owner.
|
|
|
|
|
collection = view.get_collection_queryset().get(uid=collection_uid)
|
|
|
|
|
member = collection.members.filter(user=request.user).first()
|
|
|
|
|
return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
|
|
|
|
|
except Collection.DoesNotExist:
|
|
|
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
|
|
|
return True
|
|
|
|
|
|
Tom Hacohen
4 years ago