From 4ca74bc69ba6616d5edf99ef30d36a66c6b07010 Mon Sep 17 00:00:00 2001
From: Tom Hacohen <tom@stosb.com>
Date: Wed, 20 May 2020 13:47:06 +0300
Subject: [PATCH] Permissions: start from scratch and add IsCollectionAdmin
 permission.

---
 django_etesync/permissions.py | 53 ++++++++---------------------------
 1 file changed, 11 insertions(+), 42 deletions(-)

diff --git a/django_etesync/permissions.py b/django_etesync/permissions.py
index f553930..29806c6 100644
--- a/django_etesync/permissions.py
+++ b/django_etesync/permissions.py
@@ -13,53 +13,22 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 from rest_framework import permissions
-from journal.models import Journal, JournalMember
+from django_etesync.models import Collection, AccessLevels
 
 
-class IsOwnerOrReadOnly(permissions.BasePermission):
+class IsCollectionAdmin(permissions.BasePermission):
     """
-    Custom permission to only allow owners of an object to edit it.
-    """
-
-    def has_object_permission(self, request, view, obj):
-        if request.method in permissions.SAFE_METHODS:
-            return True
-
-        return obj.owner == request.user
-
-
-class IsJournalOwner(permissions.BasePermission):
-    """
-    Custom permission to only allow owners of a journal to view it
-    """
-
-    def has_permission(self, request, view):
-        journal_uid = view.kwargs['journal_uid']
-        try:
-            journal = view.get_journal_queryset().get(uid=journal_uid)
-            return journal.owner == request.user
-        except Journal.DoesNotExist:
-            # If the journal does not exist, we want to 404 later, not permission denied.
-            return True
-
-
-class IsMemberReadOnly(permissions.BasePermission):
-    """
-    Custom permission to make a journal read only if a read only member
+    Custom permission to only allow owners of a collection to view it
     """
+    message = 'Only collection admins can perform this operation.'
+    code = 'admin_access_required'
 
     def has_permission(self, request, view):
-        if request.method in permissions.SAFE_METHODS:
-            return True
-
-        journal_uid = view.kwargs['journal_uid']
+        collection_uid = view.kwargs['collection_uid']
         try:
-            journal = view.get_journal_queryset().get(uid=journal_uid)
-            member = journal.members.get(user=request.user)
-            return not member.readOnly
-        except Journal.DoesNotExist:
-            # If the journal does not exist, we want to 404 later, not permission denied.
-            return True
-        except JournalMember.DoesNotExist:
-            # Not being a member means we are the owner.
+            collection = view.get_collection_queryset().get(uid=collection_uid)
+            member = collection.members.filter(user=request.user).first()
+            return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
+        except Collection.DoesNotExist:
+            # If the collection does not exist, we want to 404 later, not permission denied.
             return True