def has_object_permission(self, request: Request, view,
obj: tm.Work) -> bool:
if request.method in permissions.SAFE_METHODS:
return True
if request.method in ("PUT", "PATCH"):
return user_is_kiosk(request)
# REVIEW: Why is this needed?
if type(obj) is tm.Work:
return user_is_kiosk(request)
return False
def has_object_permission(self, request: Request, view, obj):
memb = request.user.member # type: mm.Member
if request.method in permissions.SAFE_METHODS:
return True
if request.method in ["PUT", "PATCH"]:
if user_is_kiosk(request):
return True
if memb == obj.claiming_member:
# The claiming_member is the owner of a Claim.
return True
def has_permission(self, request: Request, view) -> bool:
if request.method in permissions.SAFE_METHODS:
return True
if request.method in ["PATCH", "PUT"]:
# I believe this is safe because Django subsequently goes to has_object_permissions
return True
if request.method == "POST":
if user_is_kiosk(request):
return True
# Web interface to REST API sends POST with no body to determine if
# a read/write or read-only interface should be presented. In general,
# anybody can post a claim, so we'll return True for this case.
datalen = request.META.get('CONTENT_LENGTH', '0') # type: str
if datalen == '0' or datalen == '':
return True
claimed_task_pk = getpk(request.data["claimed_task"])
claiming_member_pk = getpk(request.data["claiming_member"])
calling_member_pk = request.user.member.pk
if calling_member_pk != claiming_member_pk:
# Only allowing callers to create their own claims.
return False
claiming_member = mm.Member.objects.get(pk=claiming_member_pk)
claimed_task = tm.Task.objects.get(
pk=claimed_task_pk) # type: tm.Task
# Not allowed to claim a task that's already fully claimed.
if request.data["status"] == tm.Claim.STAT_CURRENT:
if claimed_task.is_fully_claimed:
return False
if claiming_member not in claimed_task.all_eligible_claimants():
# Don't allow non-eligible claimant.
return False
return True
else:
return False
def has_permission(self, request: Request, view) -> bool:
if request.method in permissions.SAFE_METHODS:
return True
if request.method in ["PATCH", "PUT"]:
return False
if request.method == "POST" and user_is_kiosk(request):
# DRF's web interface sends POST with no body to determine if
# a read/write or read-only options should be presented.
datalen = request.META.get('CONTENT_LENGTH', '0') # type: str
if datalen == '0' or datalen == '':
return True
product_id = getpk(request.data["product"])
product = get_object_or_404(sm.Product, pk=product_id)
return product.is_in_machine
return False
def has_object_permission(self, request: Request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
else:
return user_is_kiosk(request)
def get_queryset(self):
if user_is_kiosk(self.request):
return sm.VendLog.objects.all().order_by('id')
else:
return sm.VendLog.objects.all().order_by('id')