Beispiel #1
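 def has_permission(self, request, view):
     """Allow staff, or users whose role in the referenced course has ``view_question``.

     The course id is read from the request body keys ``course``, ``pk`` and
     ``id`` (in that order); if none is present, the first ``courses[]``
     query parameter is used. Access is denied whenever the course, the
     user's role in it, or a usable id cannot be resolved.

     Args:
         request: the incoming request; ``user``, ``data`` and
             ``query_params`` are read from it.
         view: the view being accessed, passed through to the parent check.

     Returns:
         True if access is granted, False otherwise.
     """
     if request.user.is_staff:
         return True

     # NOTE(review): the course id comes from client-controlled fields. This
     # check only protects the view if the view operates on the same course
     # it authorizes here -- confirm against the views using this class.
     pk = None
     for key in ('course', 'pk', 'id'):
         pk = request.data.get(key, None)
         if pk is not None:
             break

     if pk is None:
         raw = dict(request.query_params).get('courses[]', None)
         if raw is not None:
             # Only the first 'courses[]' value is authorized.
             # NOTE(review): verify the view does not act on later values.
             try:
                 pk = int(raw[0])
             except (IndexError, TypeError, ValueError):
                 # A malformed id is a denial, not a server error.
                 return False

     if not super().has_permission(request, view) or pk is None:
         return False

     try:
         course = Course.objects.get(pk=pk)
     except (Course.DoesNotExist, TypeError, ValueError):
         # Unknown or non-numeric course id: fail closed instead of raising.
         return False

     try:
         role = UserRole.get(user=request.user, course=course).role
         perm = Permission.get(codename='view_question')
     except UserRole.DoesNotExist:
         # No role in this course means no access.
         return False
     return perm in role.permissions.all()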
Beispiel #2
def filter_data_by_user_and_perm(query_set, user, perm):
    """Restrict ``query_set`` to the records on which ``user`` holds ``perm``.

    Original note: this API is currently not called from anywhere.

    The user's role assignments are examined one by one; each role that
    carries the permission contributes one OR-ed ownership condition.

    Args:
        query_set: the record set to filter.
        user: the user whose role assignments are inspected.
        perm: a ``Permission`` instance, or a codename that is looked up
            against the content type of the query set's model.

    Returns:
        ``query_set`` filtered by the accumulated condition.
    """
    target_model = query_set.model
    content_type = ContentType.objects.get_for_model(target_model)
    wanted = (
        perm
        if isinstance(perm, Permission)
        else Permission.get(content_type=content_type, codename=perm)
    )

    # Start from a condition that matches no row, so a user without any
    # qualifying role gets an empty result rather than the full set.
    condition = models.Q(pk__in=[])

    # Check every role assignment of this user.
    for assignment in user_role.objects.filter(user=user):
        if wanted not in assignment.role.permissions.all():
            continue
        # Lookup path relating the role's object type to the filtered model.
        lookup = model_owner_rel(assignment.role.object_type.model, target_model)
        if lookup:
            condition |= models.Q(**{lookup: assignment.object_id})

    return query_set.filter(condition)
Beispiel #3
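 def has_permission(self, request, view):
     """Allow staff, or users whose role in the URL's course holds the permission.

     The course id is read from the view's URL kwargs: ``course_id`` first,
     then ``pk``. Access is denied when the parent check fails, when no
     course id is present, or when the course or the user's role in it
     cannot be resolved.

     Args:
         request: the incoming request; only ``user`` is read from it.
         view: the view being accessed; its ``kwargs`` supply the course id.

     Returns:
         True if access is granted, False otherwise.
     """
     user = request.user
     # Any falsy parent result is a denial. The previous ``is False`` test
     # would have let a ``None`` result fall through to the checks below.
     if not super().has_permission(request, view):
         return False
     if user.is_staff:
         return True

     pk = view.kwargs.get('course_id', None)
     if pk is None:
         pk = view.kwargs.get('pk', None)
     if pk is None:
         return False

     try:
         course = Course.objects.get(pk=pk)
     except (Course.DoesNotExist, TypeError, ValueError):
         # Unknown or malformed course id: fail closed instead of raising.
         return False

     try:
         role = UserRole.objects.get(user=user, course=course).role
         # NOTE(review): the codename is empty, which looks like an unfilled
         # placeholder. Confirm which permission this class should enforce.
         perm = Permission.get(codename='')
     except UserRole.DoesNotExist:
         # No role in this course means no access.
         return False
     return perm in role.permissions.all()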
Beispiel #4
def get_quizzes_attempt_by_quiz_id(request, quiz_id):
    """Return the attempts on one quiz that the requester is allowed to see.

    Visibility tiers:
      * staff see every attempt on the quiz;
      * a user whose role in the quiz's course has ``view_attempt`` also
        sees every attempt on the quiz;
      * any other user with a role in the course sees only their own.

    A missing quiz, or a missing role for a non-staff user, goes through
    ``get_object_or_404``.

    NOTE(review): no authentication check is visible in this function;
    confirm one is applied where the view is declared or routed.
    NOTE(review): ``HttpResponse`` is called with a ``data=`` keyword;
    confirm which ``HttpResponse`` class this module imports.
    """
    requester = request.user
    quiz = get_object_or_404(Quiz, pk=quiz_id)

    if requester.is_staff:
        sees_all = True
    else:
        role = get_object_or_404(UserRole, user=requester, course=quiz.course).role
        perm = Permission.get(codename='view_attempt')
        sees_all = perm in role.permissions.all()

    if sees_all:
        attempts = Attempt.objects.filter(quiz=quiz)
    else:
        # Without the course-wide permission, scope to the requester's rows.
        attempts = Attempt.objects.filter(student=requester, quiz=quiz)

    payload = {"quiz_attempts": list(map(serilizer_quiz_attempt, attempts))}
    return HttpResponse(status=200, data=payload)