|
|
@ -36,3 +36,49 @@ class IsCollectionAdmin(permissions.BasePermission):
|
|
|
|
except Collection.DoesNotExist:
|
|
|
|
except Collection.DoesNotExist:
|
|
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
|
|
return True
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class IsCollectionAdminOrReadOnly(permissions.BasePermission):
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
Custom permission to only allow owners of a collection to edit it
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
message = 'Only collection admins can edit collections.'
|
|
|
|
|
|
|
|
code = 'admin_access_required'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
|
|
|
|
collection_uid = view.kwargs.get('collection_uid', None)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Allow creating new collections
|
|
|
|
|
|
|
|
if collection_uid is None:
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
|
|
|
collection = view.get_collection_queryset().get(uid=collection_uid)
|
|
|
|
|
|
|
|
if request.method in permissions.SAFE_METHODS:
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return is_collection_admin(collection, request.user)
|
|
|
|
|
|
|
|
except Collection.DoesNotExist:
|
|
|
|
|
|
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class HasWriteAccessOrReadOnly(permissions.BasePermission):
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
Custom permission to restrict write
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
message = 'You need write access to write to this collection'
|
|
|
|
|
|
|
|
code = 'no_write_access'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
|
|
|
|
collection_uid = view.kwargs['collection_uid']
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
|
|
|
collection = view.get_collection_queryset().get(uid=collection_uid)
|
|
|
|
|
|
|
|
if request.method in permissions.SAFE_METHODS:
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
member = collection.members.get(user=request.user)
|
|
|
|
|
|
|
|
return member.accessLevel != AccessLevels.READ_ONLY
|
|
|
|
|
|
|
|
except Collection.DoesNotExist:
|
|
|
|
|
|
|
|
# If the collection does not exist, we want to 404 later, not permission denied.
|
|
|
|
|
|
|
|
return True
|
|
|
|
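Review bot: In `HasWriteAccessOrReadOnly.has_permission`, `collection.members.get(user=request.user)` raises the member model's own DoesNotExist when the requester has no membership row, and the `except Collection.DoesNotExist` after it does not catch that. Unless `get_collection_queryset()` (not shown here) already limits results to the requester's collections, a write from a non-member ends in an unhandled error instead of a clean denial. A lookup that fails closed removes that dependency: `member = collection.members.filter(user=request.user).first()` followed by `return member is not None and member.accessLevel != AccessLevels.READ_ONLY`. The `!= AccessLevels.READ_ONLY` test is a deny-list, so any access level added later would get write access by default; listing the levels that may write would be safer. Separately, `view.kwargs['collection_uid']` raises KeyError on a route without that kwarg, whereas `IsCollectionAdminOrReadOnly` uses `.get(...)`, and the docstring "Custom permission to restrict write" could state the rule in full, e.g. `"""Allow safe methods; allow writes only to members whose access level is not read-only."""`.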