feat(back): add is owner permission in spot, bar & shop views

MesseBasseProduction · Dec 11, 2022 · 7b1f63c · 7b1f63c
1 parent c6b419b
commit 7b1f63c
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 1 deletion.
diff --git a/.conf/development/conf.env b/.conf/development/conf.env
@@ -10,7 +10,7 @@ BACKEND_CONTAINER_PORT=8000
 BACKEND_SECRET_KEY=secretKeyHasToBeChanged!
 BACKEND_DEBUG=1
 BACKEND_ALLOWED_HOSTS=*
-BACKEND_USE_EMAIL_FILE_SYSTEM=0
+BACKEND_USE_EMAIL_FILE_SYSTEM=1
 
 # DATABASE
 DB_POSTGRES_VERSION=14.2-alpine

diff --git a/back/api/permissions/__init__.py b/back/api/permissions/__init__.py
@@ -0,0 +1 @@
+from .is_owner_or_read_only import IsOwnerOrReadOnly
diff --git a/back/api/permissions/is_owner_or_read_only.py b/back/api/permissions/is_owner_or_read_only.py
@@ -0,0 +1,9 @@
+from rest_framework.permissions import BasePermission, SAFE_METHODS
+
+
+class IsOwnerOrReadOnly(BasePermission):
+    def has_object_permission(self, request, view, obj):
+        if request.method in SAFE_METHODS:
+            return True
+
+        return obj.user == request.user
diff --git a/back/api/views/bar.py b/back/api/views/bar.py
@@ -1,11 +1,14 @@
 from rest_framework import viewsets
+from rest_framework.permissions import IsAdminUser
 
+from api.permissions import IsOwnerOrReadOnly
 from api.serializers.bar import BarExtendedSerializer, BarSerializer
 from app.models.bar import Bar
 
 
 class BarViewSet(viewsets.ModelViewSet):
     queryset = Bar.objects.all()
+    permission_classes = [IsOwnerOrReadOnly | IsAdminUser]
 
     def get_serializer_class(self):
         if hasattr(self, 'action'):

diff --git a/back/api/views/shop.py b/back/api/views/shop.py
@@ -1,11 +1,14 @@
 from rest_framework import viewsets
+from rest_framework.permissions import IsAdminUser
 
+from api.permissions import IsOwnerOrReadOnly
 from api.serializers.shop import ShopExtendedSerializer, ShopSerializer
 from app.models.shop import Shop
 
 
 class ShopViewSet(viewsets.ModelViewSet):
     queryset = Shop.objects.all()
+    permission_classes = [IsOwnerOrReadOnly | IsAdminUser]
 
     def get_serializer_class(self):
         if hasattr(self, 'action'):

diff --git a/back/api/views/spot.py b/back/api/views/spot.py
@@ -1,11 +1,14 @@
 from rest_framework import viewsets
+from rest_framework.permissions import IsAdminUser
 
+from api.permissions import IsOwnerOrReadOnly
 from api.serializers.spot import SpotExtendedSerializer, SpotSerializer
 from app.models.spot import Spot
 
 
 class SpotViewSet(viewsets.ModelViewSet):
     queryset = Spot.objects.all()
+    permission_classes = [IsOwnerOrReadOnly | IsAdminUser]
 
     def get_serializer_class(self):
         if hasattr(self, 'action'):
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		from .is_owner_or_read_only import IsOwnerOrReadOnly