kit-eco.social/consumocuidado-server
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

user modification enabled

Browse Source
This commit is contained in:
Sam
2021-02-01 13:32:34 +00:00
parent b8cd663fee
commit ee33b327fa
5 changed files with 45 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
back_latienda/permissions.py
View File

@@ -41,13 +41,24 @@ class CustomUserPermissions(permissions.BasePermission):
""" """
Custom permissions for managing custom user instances Custom permissions for managing custom user instances
""" """
def has_object_permission(self, request, view, obj):
# check for object permissions
if obj.email == request.user.email:
return True
elif request.user.is_staff is True:
return True
else:
return False
def has_permission(self, request, view): def has_permission(self, request, view):
# allow anon users to create new CustomUser (inactive) # allow anon users to create new CustomUser (inactive)
if request.method == 'POST' and request.user.is_anonymous is True: if request.method == 'POST' and request.user.is_anonymous is True:
return True return True
elif request.method == 'PUT' and request.user.is_authenticated is True:
return True
# only admins can change or delete # only admins can change or delete
if request.user.is_staff is True: elif request.user.is_staff is True:
return True return True
# for everything else # for everything else

4
core/models.py
View File

@@ -46,8 +46,8 @@ class CustomUser(AbstractBaseUser, PermissionsMixin):
email_verified = models.BooleanField('Email verificado', default=False, null=True) email_verified = models.BooleanField('Email verificado', default=False, null=True)
company = models.ForeignKey(Company, null=True, on_delete=models.DO_NOTHING, related_name='custom_user') company = models.ForeignKey(Company, null=True, on_delete=models.DO_NOTHING, related_name='custom_user')
is_active = models.BooleanField('Activo', default=True) is_active = models.BooleanField('Activo', default=False)
is_staff = models.BooleanField('Empleado',default=False ) is_staff = models.BooleanField('Empleado',default=False)
modified = models.DateTimeField(auto_now=True, null=True, blank=True) modified = models.DateTimeField(auto_now=True, null=True, blank=True)
created = models.DateTimeField(auto_now_add=True, null=True, blank=True) created = models.DateTimeField(auto_now_add=True, null=True, blank=True)

4
core/serializers.py
View File

@@ -11,14 +11,14 @@ class CustomUserReadSerializer(serializers.ModelSerializer):
class Meta: class Meta:
model = User model = User
fields = ('email', 'full_name', 'role', 'is_active',) fields = ('email', 'full_name', 'role', 'is_active', 'provider')
class CustomUserWriteSerializer(serializers.ModelSerializer): class CustomUserWriteSerializer(serializers.ModelSerializer):
class Meta: class Meta:
model = User model = User
fields = ('email', 'full_name', 'role', 'is_active', 'password') fields = ('email', 'full_name', 'role', 'password', 'provider')
class CreatorSerializer(serializers.ModelSerializer): class CreatorSerializer(serializers.ModelSerializer):

23
core/tests.py
View File

@@ -43,6 +43,7 @@ class CustomUserViewSetTest(APITestCase):
'email': 'test@email.com', 'email': 'test@email.com',
'full_name': 'TEST NAME', 'full_name': 'TEST NAME',
'password': 'VENTILADORES1234499.89', 'password': 'VENTILADORES1234499.89',
'provider': 'TWITTER',
} }
# Query endpoint # Query endpoint
@@ -57,7 +58,6 @@ class CustomUserViewSetTest(APITestCase):
self.assertNotEqual('', new_user.password) self.assertNotEqual('', new_user.password)
# assert instance is inactive # assert instance is inactive
info = json.loads(response.content) info = json.loads(response.content)
self.assertFalse(info['is_active']) self.assertFalse(info['is_active'])
def test_anon_user_cannot_modify_existing_instance(self): def test_anon_user_cannot_modify_existing_instance(self):
@@ -110,6 +110,27 @@ class CustomUserViewSetTest(APITestCase):
# Assert access is forbidden # Assert access is forbidden
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_regular_user_can_modify_own_instance(self):
"""Regular user can modify own instance
"""
# Create instance
data = {
"email": "new_email@mail.com",
"full_name": "New Full Name",
"password": "SUPERSECRETNEWPASSWORD",
}
# Authenticate
token = get_tokens_for_user(self.user)
self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
# Query endpoint
url = self.endpoint + f'{self.user.pk}/'
response = self.client.put(url, data=data, format='json')
# Assert forbidden code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_regular_user_cannot_modify_existing_instance(self): def test_regular_user_cannot_modify_existing_instance(self):
"""Regular user cannot modify existing instance """Regular user cannot modify existing instance
""" """

7
core/views.py
View File

@@ -1,4 +1,4 @@
from django.shortcuts import render from django.shortcuts import render, get_object_or_404
from django.http import HttpResponse from django.http import HttpResponse
from rest_framework import status from rest_framework import status
@@ -44,3 +44,8 @@ class CustomUserViewSet(viewsets.ModelViewSet):
serializer.errors, status=status.HTTP_406_NOT_ACCEPTABLE) serializer.errors, status=status.HTTP_406_NOT_ACCEPTABLE)
except Exception as e: except Exception as e:
return Response(str(e), status=status.HTTP_500_INTERNAL_SERVER_ERROR) return Response(str(e), status=status.HTTP_500_INTERNAL_SERVER_ERROR)
def get_object(self):
obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
self.check_object_permissions(self.request, obj)
return obj