def create(self, request, **kwargs):
app = self.get_object()
if not permissions.IsOwnerOrAdmin.has_object_permission(
permissions.IsOwnerOrAdmin(), request, self, app):
raise PermissionDenied()
user = get_object_or_404(User, username=request.data['username'])
assign_perm(self.perm, user, app)
app.log("User {} was granted access to {}".format(user, app))
return Response(status=status.HTTP_201_CREATED)
def destroy(self, request, **kwargs):
app = get_object_or_404(models.App, id=self.kwargs['id'])
user = get_object_or_404(User, username=kwargs['username'])
perm_name = "api.{}".format(self.perm)
if not user.has_perm(perm_name, app):
raise PermissionDenied()
if (user != request.user
and not permissions.IsOwnerOrAdmin.has_object_permission(
permissions.IsOwnerOrAdmin(), request, self, app)):
raise PermissionDenied()
remove_perm(self.perm, user, app)
app.log("User {} was revoked access to {}".format(user, app))
return Response(status=status.HTTP_204_NO_CONTENT)
