mirror of
https://github.com/ae-utbm/sith.git
synced 2024-11-26 02:54:20 +00:00
Turned the api readonly and fixed permissions on it
This commit is contained in:
parent
da96e9da84
commit
8455ff3f7b
@ -2,10 +2,20 @@ from rest_framework.response import Response
|
|||||||
from rest_framework import viewsets
|
from rest_framework import viewsets
|
||||||
from django.core.exceptions import PermissionDenied
|
from django.core.exceptions import PermissionDenied
|
||||||
from rest_framework.decorators import detail_route
|
from rest_framework.decorators import detail_route
|
||||||
|
from django.db.models.query import QuerySet
|
||||||
|
|
||||||
from core.views import can_view, can_edit
|
from core.views import can_view, can_edit
|
||||||
|
|
||||||
class RightManagedModelViewSet(viewsets.ModelViewSet):
|
def check_if(obj, user, test):
|
||||||
|
if (isinstance(obj, QuerySet)):
|
||||||
|
for o in obj:
|
||||||
|
if (test(o, user) is False):
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return test(obj, user)
|
||||||
|
|
||||||
|
class RightManagedModelViewSet(viewsets.ReadOnlyModelViewSet):
|
||||||
|
|
||||||
@detail_route()
|
@detail_route()
|
||||||
def id(self, request, pk=None):
|
def id(self, request, pk=None):
|
||||||
@ -22,9 +32,7 @@ class RightManagedModelViewSet(viewsets.ModelViewSet):
|
|||||||
obj = self.queryset
|
obj = self.queryset
|
||||||
user = self.request.user
|
user = self.request.user
|
||||||
try:
|
try:
|
||||||
if (request.method == 'GET' and can_view(obj, user)):
|
if (check_if(obj, user, can_view)):
|
||||||
return res
|
|
||||||
elif (request.method != 'GET' and can_edit(obj, user)):
|
|
||||||
return res
|
return res
|
||||||
except: pass # To prevent bug with Anonymous user
|
except: pass # To prevent bug with Anonymous user
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
|
Loading…
Reference in New Issue
Block a user