mirror of
https://github.com/ae-utbm/sith.git
synced 2024-11-25 18:44:23 +00:00
Turned the api readonly and fixed permissions on it
This commit is contained in:
parent
da96e9da84
commit
8455ff3f7b
@ -2,10 +2,20 @@ from rest_framework.response import Response
|
||||
from rest_framework import viewsets
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from rest_framework.decorators import detail_route
|
||||
from django.db.models.query import QuerySet
|
||||
|
||||
from core.views import can_view, can_edit
|
||||
|
||||
class RightManagedModelViewSet(viewsets.ModelViewSet):
|
||||
def check_if(obj, user, test):
|
||||
if (isinstance(obj, QuerySet)):
|
||||
for o in obj:
|
||||
if (test(o, user) is False):
|
||||
return False
|
||||
return True
|
||||
else:
|
||||
return test(obj, user)
|
||||
|
||||
class RightManagedModelViewSet(viewsets.ReadOnlyModelViewSet):
|
||||
|
||||
@detail_route()
|
||||
def id(self, request, pk=None):
|
||||
@ -22,9 +32,7 @@ class RightManagedModelViewSet(viewsets.ModelViewSet):
|
||||
obj = self.queryset
|
||||
user = self.request.user
|
||||
try:
|
||||
if (request.method == 'GET' and can_view(obj, user)):
|
||||
return res
|
||||
elif (request.method != 'GET' and can_edit(obj, user)):
|
||||
if (check_if(obj, user, can_view)):
|
||||
return res
|
||||
except: pass # To prevent bug with Anonymous user
|
||||
raise PermissionDenied
|
||||
|
Loading…
Reference in New Issue
Block a user