from rest_framework import permissions
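class IsCompanyOwner(permissions.BasePermission):
    """
    Object-level permission for Company instances.

    Decision order in ``has_object_permission``:
      1. Any method in ``permissions.SAFE_METHODS`` (GET/HEAD/OPTIONS) is
         allowed, with no check of who is asking.
      2. Staff users (``request.user.is_staff``) may do anything.
      3. Other authenticated users get write access only when ``obj`` is
         their own company (``obj == request.user.company``).
      4. Anonymous users are denied on non-safe methods.

    Caveats for the view author:
      * No ``has_permission`` is defined, so DRF's default (allow) applies
        and this class on its own does not gate list/create routes -- a
        POST to a list endpoint never reaches ``has_object_permission``.
      * Reads are not restricted to authenticated users here; combine with
        ``IsAuthenticated`` if company data must not be publicly readable.
    """

    def has_object_permission(self, request, view, obj):
        """Return True if ``request`` may act on company ``obj``, else False."""
        if obj is None:
            return False

        # Read-only methods pass regardless of the requesting user.
        if request.method in permissions.SAFE_METHODS:
            return True

        # AnonymousUser carries no ``company`` attribute; deny explicitly
        # instead of letting the lookup below raise AttributeError (a 500).
        user = request.user
        if not user.is_authenticated:
            return False

        # Staff may modify any company.
        if user.is_staff:
            return True

        # Everyone else may only modify their own company.
        return obj == user.company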
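class IsProductOwner(permissions.BasePermission):
    """
    Object-level permission for Product instances.

    Decision order in ``has_object_permission``:
      1. Any method in ``permissions.SAFE_METHODS`` is allowed, with no
         check of who is asking.
      2. Staff users may do anything.
      3. Other authenticated users get write access only when the product
         belongs to their company (``obj.company == request.user.company``).
      4. Anonymous users are denied on non-safe methods.

    Caveats for the view author:
      * No ``has_permission`` is defined (DRF default allows), so this class
        alone does not gate list/create routes; a POST to a list endpoint
        never reaches ``has_object_permission``.
      * Reads are not restricted to authenticated users here; add
        ``IsAuthenticated`` where product data must not be public.
    """

    def has_object_permission(self, request, view, obj):
        """Return True if ``request`` may act on product ``obj``, else False."""
        if obj is None:
            return False

        # Read-only methods pass regardless of the requesting user.
        if request.method in permissions.SAFE_METHODS:
            return True

        # AnonymousUser carries no ``company`` attribute; deny explicitly
        # instead of letting the lookup below raise AttributeError (a 500).
        user = request.user
        if not user.is_authenticated:
            return False

        # Staff may modify any product.
        if user.is_staff:
            return True

        # Everyone else may only modify products of their own company.
        return obj.company == user.company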
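class IsStaff(permissions.BasePermission):
    """
    Allow access only to users with ``is_staff`` set.

    Both the view-level and the object-level check reduce to
    ``request.user.is_staff``. ``AnonymousUser.is_staff`` is False, so
    unauthenticated requests are denied without a separate check.
    """

    def has_permission(self, request, view):
        """View-level check: staff only."""
        return bool(request.user.is_staff)

    def has_object_permission(self, request, view, obj):
        """Object-level check: staff only; a missing ``obj`` is denied."""
        if obj is None:
            return False
        # Return an explicit bool rather than falling off the end with None
        # (the previous behaviour) so the result is unambiguous to callers.
        return bool(request.user.is_staff)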
class IsSiteAdmin(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` equals
    ``admin_role`` ('SITE_ADMIN').

    The same test is applied at the view level and at the object level;
    ``obj`` itself is never consulted.
    """

    admin_role = 'SITE_ADMIN'

    def _is_site_admin(self, request):
        # Anonymous users never qualify, and only authenticated users are
        # expected to carry a ``role`` attribute, so check authentication
        # before touching it.
        user = request.user
        if not user.is_authenticated:
            return False
        return user.role == self.admin_role

    def has_permission(self, request, view):
        """View-level check: authenticated site admins only."""
        return self._is_site_admin(request)

    def has_object_permission(self, request, view, obj):
        """Object-level check: identical to the view-level check."""
        return self._is_site_admin(request)
class ReadOnly(permissions.BasePermission):
    """
    Allow only read-only HTTP methods (``permissions.SAFE_METHODS``).

    Only the method is inspected; the requesting user is not checked, so
    pair this with an authentication-aware permission where reads must not
    be anonymous.
    """

    def has_permission(self, request, view):
        """True for GET/HEAD/OPTIONS, False for every other method."""
        if request.method not in permissions.SAFE_METHODS:
            return False
        return True
class CustomUserPermissions(permissions.BasePermission):
    """
    View-level permissions for the CustomUser endpoints.

    Decision order:
      1. A POST from an anonymous user is allowed (self-registration). The
         original comment says the created user is inactive; that is not
         enforced by this class and must come from the view/serializer.
      2. Staff users are allowed any method.
      3. Everything else is denied -- including POST from an authenticated
         non-staff user.

    Only ``has_permission`` is defined; DRF's default ``has_object_permission``
    allows, so per-object ownership must be enforced by another class.
    NOTE(review): the anonymous-POST path is unauthenticated by design;
    throttling of that route is not handled here.
    """

    def has_permission(self, request, view):
        """Return True for anonymous POSTs and for staff users, else False."""
        user = request.user
        anonymous_signup = request.method == 'POST' and user.is_anonymous is True
        if anonymous_signup:
            return True
        # Every other combination is staff-only.
        return user.is_staff is True
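class YourOwnUserPermissions(permissions.BasePermission):
    """
    Object-level permission for CustomUser instances: a user may act on
    their own user object, and staff may act on any.

    Ownership is established by primary key (``obj.pk == request.user.pk``)
    rather than by comparing ``email`` as before: the pk is the identity the
    session/token actually authenticated, whereas an email field may be
    editable and is only unique if the user model declares it so.
    Assumes ``obj`` is a CustomUser instance (per the original comment).

    No ``has_permission`` is defined (DRF's default allows), so list/create
    routes are not gated by this class.
    """

    def has_object_permission(self, request, view, obj):
        """Return True for the object's own user or any staff user, else False."""
        user = request.user

        # AnonymousUser has no pk/email; deny rather than raise AttributeError.
        if not user.is_authenticated:
            return False

        if obj is not None and obj.pk == user.pk:
            return True

        return bool(user.is_staff)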