Example #1
class CollectionViewSet(ModelViewSet):
    # Access policy for collections nested under an account URL.
    # NOTE(review): AnyOf / AllOf / PreventActionPermission are defined
    # outside this listing; the per-branch comments below follow their names
    # (any branch may grant, every member of an AllOf must agree) - confirm
    # against their implementation.
    permission_classes = [
        AnyOf(
            # The collection's author is unrestricted.
            AllowCollectionAuthor,
            # Contributors may reach an existing collection and change its
            # add-ons, but may not delete it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission([
                    'create', 'list', 'update', 'destroy', 'partial_update',
                ]),
            ),
            # Admins (COLLECTIONS_EDIT) get everything except create.
            AllOf(
                GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                PreventActionPermission('create'),
            ),
            # Anyone else is read-only on public collections, and may not
            # list.
            AllOf(
                AllowReadOnlyIfPublic,
                PreventActionPermission('list'),
            ),
        ),
    ]
    lookup_url_kwarg = 'slug'

    @property
    def lookup_field(self):
        """Pick the model field used to look the collection up.

        The URL value named by ``lookup_url_kwarg`` selects ``'pk'`` when it
        consists only of digits and ``'slug'`` in every other case, including
        when the value is missing or empty.
        """
        # NOTE(review): a slug made up only of digits is never matched as a
        # slug on this route. str.isdigit() is also true for non-ASCII digit
        # characters, so those values go to the pk lookup as well - confirm
        # that lookup rejects them cleanly.
        url_value = self.kwargs.get(self.lookup_url_kwarg)
        if url_value and url_value.isdigit():
            return 'pk'
        return 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for the ``user_pk`` URL kwarg.

        The instance is built on first use and cached on ``self``.
        """
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # The nested viewset gets an empty permission_classes list: it runs
        # no permission checks of its own, so the account lookup is only as
        # protected as the checks this viewset has already performed.
        nested = AccountViewSet(
            request=self.request,
            permission_classes=[],
            kwargs={'pk': self.kwargs['user_pk']},
        )
        self.account_viewset = nested
        return self.account_viewset

    def get_serializer_class(self):
        """Choose the serializer for the current request.

        The add-on-carrying serializer is used only for a ``retrieve`` action
        whose query string contains ``with_addons``.
        """
        addons_requested = 'with_addons' in self.request.GET
        if addons_requested and self.action == 'retrieve':
            return CollectionWithAddonsSerializer
        return CollectionSerializer

    def get_queryset(self):
        """Return the URL account's collections, newest modification first."""
        # Scoping by author keeps the queryset to collections owned by the
        # account named in the URL.
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')

    def get_addons_queryset(self):
        """Return one page of this collection's add-ons.

        The add-on queryset comes from a CollectionAddonViewSet, is ordered
        by that viewset's first ``ordering`` entry and is cut to the
        configured ``PAGE_SIZE``.
        """
        addons_view = CollectionAddonViewSet(request=self.request)
        # Hand over this viewset so the add-on viewset does not loop back to
        # look it up again.
        addons_view.collection_viewset = self
        # The filtering only works when the action is 'list'.
        addons_view.action = 'list'
        addons = addons_view.get_queryset()
        # Sort, then cap the result at one page.
        page_size = settings.REST_FRAMEWORK['PAGE_SIZE']
        order_key = addons_view.ordering[0]
        return addons.order_by(order_key)[:page_size]
Example #2
class CollectionViewSet(ModelViewSet):
    # Access policy for collections nested under an account URL.
    # NOTE(review): AnyOf / AllOf / PreventActionPermission are defined
    # outside this listing; the per-branch comments below follow their names
    # (any branch may grant, every member of an AllOf must agree) - confirm
    # against their implementation.
    permission_classes = [
        AnyOf(
            # The collection's author is unrestricted.
            AllowCollectionAuthor,
            # Admins (COLLECTIONS_EDIT) get everything except create.
            AllOf(
                GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                PreventActionPermission('create'),
            ),
            # Anyone else is read-only on public collections, and may not
            # list.
            AllOf(
                AllowReadOnlyIfPublic,
                PreventActionPermission('list'),
            ),
        ),
    ]
    serializer_class = CollectionSerializer
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for the ``user_pk`` URL kwarg.

        The instance is built on first use and cached on ``self``.
        """
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # The nested viewset gets an empty permission_classes list: it runs
        # no permission checks of its own, so the account lookup is only as
        # protected as the checks this viewset has already performed.
        nested = AccountViewSet(
            request=self.request,
            permission_classes=[],
            kwargs={'pk': self.kwargs['user_pk']},
        )
        self.account_viewset = nested
        return self.account_viewset

    def get_queryset(self):
        """Return the collections authored by the account in the URL."""
        # Scoping by author keeps the queryset to collections owned by the
        # account named in the URL.
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author)
Example #3
class CollectionViewSet(ModelViewSet):
    # Access policy for collections nested under an account URL.
    # NOTE(review): AnyOf / AllOf / PreventActionPermission are defined
    # outside this listing; the per-branch comments below follow their names
    # (any branch may grant, every member of an AllOf must agree) - confirm
    # against their implementation.
    permission_classes = [
        AnyOf(
            # The collection's author is unrestricted.
            AllowCollectionAuthor,
            # Contributors may reach an existing collection and change its
            # add-ons, but may not delete it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission([
                    'create', 'list', 'update', 'destroy', 'partial_update',
                ]),
            ),
            # Admins (COLLECTIONS_EDIT) get everything except create.
            AllOf(
                GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                PreventActionPermission('create'),
            ),
            # Anyone else is read-only on public collections, and may not
            # list.
            AllOf(
                AllowReadOnlyIfPublic,
                PreventActionPermission('list'),
            ),
        ),
    ]
    serializer_class = CollectionSerializer
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for the ``user_pk`` URL kwarg.

        The instance is built on first use and cached on ``self``.
        """
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # The nested viewset gets an empty permission_classes list: it runs
        # no permission checks of its own, so the account lookup is only as
        # protected as the checks this viewset has already performed.
        nested = AccountViewSet(
            request=self.request,
            permission_classes=[],
            kwargs={'pk': self.kwargs['user_pk']},
        )
        self.account_viewset = nested
        return self.account_viewset

    def get_queryset(self):
        """Return the URL account's collections, newest modification first."""
        # Scoping by author keeps the queryset to collections owned by the
        # account named in the URL.
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')
Example #4
class CollectionViewSet(ModelViewSet):
    # Note: CollectionAddonViewSet calls CollectionViewSet().get_object(),
    # which runs has_object_permission() on the permissions below. That call
    # is made without an action being set, so the PreventActionPermission()
    # parts are bypassed on that path.
    # NOTE(review): AnyOf / AllOf / PreventActionPermission are defined
    # outside this listing; the per-branch comments below follow their names
    # (any branch may grant, every member of an AllOf must agree) - confirm
    # against their implementation.
    permission_classes = [
        AnyOf(
            # The collection's author is unrestricted.
            AllowCollectionAuthor,
            # Contributors may reach the featured themes collection (it is
            # community-managed) and change its add-ons, but may not delete
            # it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission((
                    'create', 'list', 'update', 'destroy', 'partial_update',
                )),
            ),
            # Content curators may modify existing mozilla collections as
            # they see fit, but may not list or delete them.
            AllOf(
                AllowContentCurators,
                PreventActionPermission(('create', 'destroy', 'list')),
            ),
            # Anyone else is read-only on public collections, and may not
            # list.
            AllOf(
                AllowReadOnlyIfPublic,
                PreventActionPermission('list'),
            ),
        ),
    ]
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for the ``user_pk`` URL kwarg.

        The instance is built on first use and cached on ``self``.
        """
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # The nested viewset gets an empty permission_classes list: it runs
        # no permission checks of its own, so the account lookup is only as
        # protected as the checks this viewset has already performed.
        nested = AccountViewSet(
            request=self.request,
            permission_classes=[],
            kwargs={'pk': self.kwargs['user_pk']},
        )
        self.account_viewset = nested
        return self.account_viewset

    def get_serializer_class(self):
        """Choose the serializer for the current request.

        The add-on-carrying serializer is used only for a ``retrieve`` action
        whose query string contains ``with_addons``.
        """
        addons_requested = 'with_addons' in self.request.GET
        if addons_requested and self.action == 'retrieve':
            return CollectionWithAddonsSerializer
        return CollectionSerializer

    def get_queryset(self):
        """Return the URL account's collections, newest modification first."""
        # Scoping by author keeps the queryset to collections owned by the
        # account named in the URL.
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')

    def get_addons_queryset(self):
        """Return one page of this collection's add-ons.

        The add-on queryset comes from a CollectionAddonViewSet, is ordered
        by that viewset's first ``ordering`` entry and is cut to the
        configured ``PAGE_SIZE``.
        """
        addons_view = CollectionAddonViewSet(request=self.request)
        # Hand over the already-resolved collection so the add-on viewset
        # does not loop back to look it up again.
        # NOTE(review): get_object() is inherited from outside this listing;
        # presumably it also applies the object-level permission checks of
        # this viewset - confirm.
        addons_view.collection = self.get_object()
        # The filtering only works when the action is 'list'.
        addons_view.action = 'list'
        addons = addons_view.get_queryset()
        # Sort, then cap the result at one page.
        page_size = settings.REST_FRAMEWORK['PAGE_SIZE']
        order_key = addons_view.ordering[0]
        return addons.order_by(order_key)[:page_size]