67 lines
1.9 KiB
Python
67 lines
1.9 KiB
Python
from rest_framework import permissions
|
|
|
|
|
|
class IsCreator(permissions.BasePermission):
|
|
"""
|
|
Grant permission if request.user same as obj.creator
|
|
"""
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if obj is not None:
|
|
# allow if authenticated and method is safe
|
|
if request.method in permissions.SAFE_METHODS:
|
|
return True
|
|
|
|
# admins always have permission
|
|
if request.user.is_staff is True:
|
|
return True
|
|
# permission if user is the object's creator
|
|
return obj.creator == request.user
|
|
return False
|
|
|
|
|
|
class IsStaff(permissions.BasePermission):
|
|
"""
|
|
Grant permission if request.user.is_staff is True
|
|
"""
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if obj is not None:
|
|
if request.user.is_staff is True:
|
|
return True
|
|
return False
|
|
|
|
|
|
class ReadOnly(permissions.BasePermission):
|
|
def has_permission(self, request, view):
|
|
return request.method in permissions.SAFE_METHODS
|
|
|
|
|
|
class CustomUserPermissions(permissions.BasePermission):
|
|
"""
|
|
Custom permissions for managing custom user instances
|
|
"""
|
|
def has_permission(self, request, view):
|
|
# allow anon users to create new CustomUser (inactive)
|
|
if request.method == 'POST' and request.user.is_anonymous is True:
|
|
return True
|
|
|
|
# only admins can change or delete
|
|
if request.user.is_staff is True:
|
|
return True
|
|
|
|
# for everything else
|
|
return False
|
|
|
|
|
|
class YourOwnUserPermissions(permissions.BasePermission):
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
# user can interact with own instance of CustomUser
|
|
if obj.email == request.user.email:
|
|
return True
|
|
elif request.user.is_staff is True:
|
|
return True
|
|
else:
|
|
return False
|