def has_permission(self, request, view):
"""
Check if the user is authenticated and employee or read-only.
This permission will also provide (full) access to the
administrator.
:param request: The current request instance
:type request: rest_framework.request.Request
:param view: The current view instance
:type view: rest_framework.views.APIView
:return: Whether the permission was granted or not
:rtype: bool
"""
if not IsAuthenticated.has_permission(self, request, view):
return False
if (
is_management(request.user, False) or
is_employer(request.user, False)
):
return request.method.upper() in (
'GET', 'HEAD', 'OPTIONS', 'TRACE'
)
return is_employee(request.user)
def filter_queryset(self, queryset):
"""
Filter out the memberships that aren't accessible to the user.
:param queryset: The queryset with all the memberships
:type queryset: django.db.models.query.QuerySet
:return: The filtered queryset
:rtype: django.db.models.query.QuerySet
"""
if is_management(self.request.user):
return queryset
if is_employee(self.request.user, False):
return queryset.filter(account=self.request.user)
return queryset.filter(company__members__account=self.request.user)
def get_field_names(self, declared_fields, info):
"""
Filter out the 'members' field when the user is a employee.
:param declared_fields: A mapping of the declared fields in order
:type declared_fields: collections.OrderedDict
:param info: Additional information about the current models fields
:type info: rest_framework.utils.model_meta.FieldInfo
:return: A sequence with the fields to serialize
:rtype: tuple
"""
fields = ModelSerializer.get_field_names(self, declared_fields, info)
if not is_employee(self.context["request"].user, False):
return fields
return tuple(field for field in fields if field != "members")
def get_extra_kwargs(self):
"""
Overridden to hide the answerer for management or employer.
This is because a employee may never know who gave answers
except when the user created a reflection, but that's handled
within the ReflectionSerializer.
:return: The extra keyword arguments for the fields
:rtype: dict
"""
extra = ModelSerializer.get_extra_kwargs(self)
if is_employee(self.context.request.user):
current_arguments = extra.get(extra["answerer"], {})
extra["answerer"] = {**current_arguments, "write_only": False}
return extra
def has_permission(self, request, view):
"""
Check if the user is authenticated and a employee and read-only.
This permission will also provide (full) access to the
administrator.
:param request: The current request instance
:type request: rest_framework.request.Request
:param view: The current view instance
:type view: rest_framework.views.APIView
:return: Whether the permission was granted or not
:rtype: bool
"""
return (
IsAuthenticated.has_permission(self, request, view)
and is_employee(request.user)
)
def filter_queryset(self, queryset):
"""
Filter the queryset for the appropriate users.
:param queryset: The queryset to filter
:type queryset: django.db.models.query.QuerySet
:return: The queryset with the appropriate allowed users
:rtype: django.db.models.query.QuerySet
"""
query = Q()
if is_employee(self.request.user, False):
query &= Q(id=self.request.user.id)
if is_employer(self.request.user, False):
query &= Q(group=Groups.employee)
query &= Q(member__company=self.request.user.member.company)
if is_management(self.request.user, False):
query &= ~Q(group=Groups.admin)
return queryset.filter(query)