From 4ca74bc69ba6616d5edf99ef30d36a66c6b07010 Mon Sep 17 00:00:00 2001
From: Tom Hacohen
Date: Wed, 20 May 2020 13:47:06 +0300
Subject: [PATCH] Permissions: start from scratch and add IsCollectionAdmin permission.
---
 django_etesync/permissions.py | 53 ++++++++--------------------------
 1 file changed, 11 insertions(+), 42 deletions(-)
diff --git a/django_etesync/permissions.py b/django_etesync/permissions.py
index f553930..29806c6 100644
--- a/django_etesync/permissions.py
+++ b/django_etesync/permissions.py
@@ -13,53 +13,22 @@
 # along with this program. If not, see .
 from rest_framework import permissions
-from journal.models import Journal, JournalMember
+from django_etesync.models import Collection, AccessLevels
-class IsOwnerOrReadOnly(permissions.BasePermission):
+class IsCollectionAdmin(permissions.BasePermission):
     """
-    Custom permission to only allow owners of an object to edit it.
-    """
-
-    def has_object_permission(self, request, view, obj):
-        if request.method in permissions.SAFE_METHODS:
-            return True
-
-        return obj.owner == request.user
-
-
-class IsJournalOwner(permissions.BasePermission):
-    """
-    Custom permission to only allow owners of a journal to view it
-    """
-
-    def has_permission(self, request, view):
-        journal_uid = view.kwargs['journal_uid']
-        try:
-            journal = view.get_journal_queryset().get(uid=journal_uid)
-            return journal.owner == request.user
-        except Journal.DoesNotExist:
-            # If the journal does not exist, we want to 404 later, not permission denied.
-            return True
-
-
-class IsMemberReadOnly(permissions.BasePermission):
-    """
-    Custom permission to make a journal read only if a read only member
+    Custom permission to only allow owners of a collection to view it
     """
+    message = 'Only collection admins can perform this operation.'
+    code = 'admin_access_required'
     def has_permission(self, request, view):
-        if request.method in permissions.SAFE_METHODS:
-            return True
-
-        journal_uid = view.kwargs['journal_uid']
+        collection_uid = view.kwargs['collection_uid']
         try:
-            journal = view.get_journal_queryset().get(uid=journal_uid)
-            member = journal.members.get(user=request.user)
-            return not member.readOnly
-        except Journal.DoesNotExist:
-            # If the journal does not exist, we want to 404 later, not permission denied.
-            return True
-        except JournalMember.DoesNotExist:
-            # Not being a member means we are the owner.
+            collection = view.get_collection_queryset().get(uid=collection_uid)
+            member = collection.members.filter(user=request.user).first()
+            return (member is not None) and (member.accessLevel == AccessLevels.ADMIN)
+        except Collection.DoesNotExist:
+            # If the collection does not exist, we want to 404 later, not permission denied.
             return True
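Review bot: The docstring on IsCollectionAdmin still describes the old owner/view-only rule, while has_permission now grants access only to a member whose accessLevel is AccessLevels.ADMIN, regardless of request method; replace it with `"""Allow the request only when request.user is a member of the collection with ADMIN access level; a missing collection passes so the view can 404."""`. The `except Collection.DoesNotExist: return True` branch is fail-open: the check passes whenever the uid cannot be resolved and relies on every view that uses this class to repeat the same `get_collection_queryset().get(uid=...)` lookup and raise 404 before acting, so that contract should be stated on the class and confirmed in the views. The membership lookup `collection.members.filter(user=request.user)` assumes request.user is an authenticated user object, which suggests this class is meant to be combined with an authentication permission rather than used alone. Note also that a non-admin on an existing collection receives the 403 from `message`/`code` while a missing uid falls through to 404, so responses differ by whether the uid exists; if uniform responses are wanted, returning False here instead of True would give a 403 in both cases.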