Add role base permissions

402a9a97 · Bodor Máté · 6b4ff46f · 402a9a97 · 402a9a97 · 402a9a97
Commit 402a9a97 authored 6 years ago by Bodor Máté
--- a/src/account/views.py
+++ b/src/account/views.py
@@ -2,6 +2,7 @@ from rest_framework import viewsets
 from rest_framework import permissions
 from rest_framework.response import Response
 from rest_framework.decorators import list_route
+from common.permissions import IsSafeOrPatch
 from . import models
 from . import serializers
@@ -9,11 +10,11 @@ from . import serializers
 class ProfileViewSet(viewsets.ModelViewSet):
    serializer_class = serializers.ProfileSerializer
-    permission_classes = (permissions.IsAuthenticated, )
+    permission_classes = (permissions.IsAuthenticated, IsSafeOrPatch)
    def get_queryset(self):
        user = self.request.user
-        if user.has_perm(permissions.IsAdminUser):
+        if user.profile.role == 'Staff':
            role = self.request.query_params.get("role", None)
            if role is not None:
                return models.Profile.objects.filter(role=role)

--- a/src/common/permissions.py
+++ b/src/common/permissions.py
@@ -3,27 +3,36 @@ from rest_framework.permissions import SAFE_METHODS
 class IsStaffOrReadOnly(BasePermission):
-    """
-    The request is authenticated as a staff, or is a read-only request.
-    """
    def has_permission(self, request, view):
-        return request.method in SAFE_METHODS or request.user and request.user.is_staff
+        return request.method in SAFE_METHODS or\
+               (request.user.is_authenticated and request.user.profile.role == 'Staff')
 class IsStaffOrReadOnlyForAuthenticated(BasePermission):
-    """
-    The request is authenticated as a staff, or is a read-only request for authenticated.
-    """
    def has_permission(self, request, view):
-        return request.user.is_staff or request.method in SAFE_METHODS and request.user.is_authenticated
+        return request.user.is_authenticated and\
+               (request.method in SAFE_METHODS or request.user.profile.role == 'Staff')
 class IsStaffUser(BasePermission):
-    """
+    def has_permission(self, request, view):
-    The request is authenticated as a staff
+        return request.user.is_authenticated and request.user.profile.role == 'Staff'
-    """
+class IsSafeOrPatch(BasePermission):
+    def has_permission(self, request, view):
+        return request.method in SAFE_METHODS or request.method == 'PATCH'
+class IsStaffOrStudent(BasePermission):
+    def has_permission(self, request, view):
+        return request.user.is_authenticated and\
+               (request.user.profile.role == 'Staff' or request.user.profile.role == 'Student')
+class StudentJustCreate(BasePermission):
    def has_permission(self, request, view):
-        return request.user.is_staff
+        if request.user.is_authenticated and request.user.profile.role == 'Staff':
+            return True
+        return request.user.is_authenticated and request.user.profile.role == 'Student' and\
+               (request.method in SAFE_METHODS or request.method == 'CREATE')
--- a/src/document/views.py
+++ b/src/document/views.py
@@ -8,4 +8,4 @@ from . import serializers
 class DocumentViewSet(viewsets.ModelViewSet):
    queryset = models.Document.objects.all()
    serializer_class = serializers.DocumentSerializer
-    permission_classes = (permissions.IsStaffOrReadOnly, )
+    permission_classes = (permissions.IsStaffOrStudent, )
--- a/src/homework/views.py
+++ b/src/homework/views.py
 from rest_framework import viewsets
-from common import permissions
 from rest_framework.permissions import IsAuthenticated
 from . import serializers
 from . import models
+from common import permissions
 class TasksViewSet(viewsets.ModelViewSet):
@@ -14,12 +14,12 @@ class TasksViewSet(viewsets.ModelViewSet):
 class SolutionsViewSet(viewsets.ModelViewSet):
    serializer_class = serializers.SolutionSerializer
-    permission_classes = (IsAuthenticated, )
+    permission_classes = (permissions.IsStaffOrStudent, permissions.StudentJustCreate)
    def get_queryset(self):
        user = self.request.user
        queryset = models.Solution.objects.filter(created_by=user.profile)
-        if user.has_perm(permissions.IsStaffUser):
+        if user.profile.role == 'Staff':
            queryset = models.Solution.objects.all()
            profile_id = self.request.query_params.get('profileID', None)
            if profile_id is not None:

--- a/src/stats/migrations/0006_auto_20190114_1913.py
+++ b/src/stats/migrations/0006_auto_20190114_1913.py
+# Generated by Django 2.0.1 on 2019-01-14 18:13
+from django.db import migrations, models
+class Migration(migrations.Migration):
+    dependencies = [
+        ('stats', '0005_auto_20190114_1713'),
+    ]
+    operations = [
+        migrations.AlterField(
+            model_name='event',
+            name='visitors',
+            field=models.ManyToManyField(blank=True, related_name='events', to='account.Profile'),
+        ),
+    ]
--- a/src/stats/models.py
+++ b/src/stats/models.py
@@ -12,7 +12,6 @@ class Event(models.Model):
        Profile,
        related_name='events',
        blank=True,
-        null=True,
    )
    created_by = models.ForeignKey(
        Profile,

--- a/src/stats/serializers.py
+++ b/src/stats/serializers.py
@@ -6,7 +6,6 @@ from . import models
 class EventSerializer(serializers.ModelSerializer):
    created_by_name = serializers.SerializerMethodField()
    visitor_number = serializers.SerializerMethodField()
-    # visitors = serializers.SerializerMethodField()
    class Meta:
        model = models.Event
@@ -19,9 +18,6 @@ class EventSerializer(serializers.ModelSerializer):
    def get_visitor_number(self, obj):
        return obj.visitors.all().count()
-    # def get_visitors(self, obj):
-    #     return obj.visitors.all()
 class NoteSerializer(serializers.ModelSerializer):
    created_by = serializers.HiddenField(default=CurrentUserProfileDefault())