From 8455ff3f7b6f1bcb59d262a93a34ac669c665bd4 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Fri, 19 Aug 2016 12:37:30 +0200
Subject: [PATCH] Turned the api readonly and fixed permissions on it
---
 api/views/__init__.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/api/views/__init__.py b/api/views/__init__.py
index 97682e80..86a33cc6 100644
--- a/api/views/__init__.py
+++ b/api/views/__init__.py
@@ -2,10 +2,20 @@ from rest_framework.response import Response
 from rest_framework import viewsets
 from django.core.exceptions import PermissionDenied
 from rest_framework.decorators import detail_route
+from django.db.models.query import QuerySet
 from core.views import can_view, can_edit
-class RightManagedModelViewSet(viewsets.ModelViewSet):
+def check_if(obj, user, test):
+ if (isinstance(obj, QuerySet)):
+ for o in obj:
+ if (test(o, user) is False):
+ return False
+ return True
+ else:
+ return test(obj, user)
+
+class RightManagedModelViewSet(viewsets.ReadOnlyModelViewSet):
 @detail_route()
 def id(self, request, pk=None):
@@ -22,9 +32,7 @@ class RightManagedModelViewSet(viewsets.ModelViewSet):
 obj = self.queryset
 user = self.request.user
 try:
- if (request.method == 'GET' and can_view(obj, user)):
- return res
- elif (request.method != 'GET' and can_edit(obj, user)):
+ if (check_if(obj, user, can_view)):
 return res
 except: pass # To prevent bug with Anonymous user
 raise PermissionDenied
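Review bot: In `check_if`, the queryset branch denies only when `test(o, user) is False`, so a test that returns `None`, `0` or any other falsy non-`False` value counts as a pass, while the non-queryset branch hands the raw result to the caller's truthiness check; the two branches can disagree, and the queryset one fails open. `can_view` lives in core.views and is not visible here, so whether it can return a non-bool is an assumption to confirm, but the loop is safer written as `return all(test(o, user) for o in obj)`, which keeps the empty-queryset result unchanged. The helper also has no docstring; it should state that a single object failing the test denies the whole queryset and that an empty queryset passes.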
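Review bot: The new `check_if(obj, user, can_view)` call sits inside the `try` whose handler is the unchanged `except: pass`, and because `check_if` iterates the queryset, a database or programming error raised during that iteration now surfaces as a 403 from `raise PermissionDenied`. That fails closed, which is the right direction for a permission gate, but it hides real faults from operators, and a bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`. The handler should be narrowed to `except Exception:` at minimum, ideally to the specific exception the anonymous user triggers, with the error logged before the denial. The enclosing method starts above this hunk, so how `res` is built before the check is not visible here.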