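    def update(self, request, *args, **kwargs):
        """Update an Employee, enforcing per-position authorization.

        Staff users bypass every check. A non-staff user must have an employee
        record with a position; then:

        * editing another employee requires that employee to belong to one of
          the positions this user may change (``get_changable``);
        * editing oneself forbids changing one's own ``position``;
        * assigning a ``position`` to someone else requires that position to be
          changable by this user.

        ``request.data['position']`` is read with ``.get`` so a partial update
        that omits the field no longer raises ``KeyError`` (HTTP 500).

        Raises:
            PermissionDenied: caller is anonymous / has no position, or lacks
                access to the target employee or to the requested position.
            CustomBadRequest: a user tried to change their own position.
            Http404: ``pk`` or the requested position does not exist.
        """
        if request.user and request.user.is_staff:
            return super(FourSerializerViewSet, self).update(request, *args, **kwargs)

        # NOTE(review): assumes a user with no Employee yields a falsy
        # `employee` rather than raising — confirm against the model.
        if request.user and request.user.employee and request.user.employee.position:
            changable = get_changable(request.user.employee.position)
            employee = get_object_or_404(Employee.objects.all(), pk=kwargs.get('pk', None))
            request_isself = request.user.employee.id == employee.id
            # Read the requested position once; absent field -> None, not KeyError.
            requested_position = request.data.get('position') if request.data else None

            if not request_isself:
                # The target employee must sit in a position this user may change.
                # `any` stops at the first match instead of scanning every position.
                have_access = any(
                    employee in position.employees.all() for position in changable
                )
                if not have_access:
                    raise PermissionDenied()
            elif requested_position and not requested_position == request.user.employee.position.id:
                # NOTE(review): comparison is not type-normalised; a form-encoded
                # "5" will not equal int 5 — confirm clients send JSON bodies.
                raise CustomBadRequest("你不可以修改自己的职位")

            # Moving someone into a position requires the right to change that position.
            if requested_position and not request_isself:
                position = get_object_or_404(Position.objects.all(), pk=requested_position)
                if position not in changable:
                    raise PermissionDenied()

            return super(FourSerializerViewSet, self).update(request, *args, **kwargs)
        raise PermissionDenied()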
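 def update(self, request, *args, **kwargs):
     """Update the object at ``pk`` when the caller may assign the requested position.

     Staff users bypass the check. Any other caller must have an employee
     record with a position, and the ``position`` in the request body must be
     one this caller is allowed to change (``get_changable``).

     ``request.data['position']`` is read with ``.get`` so a body without the
     field ends in ``PermissionDenied`` rather than a ``KeyError`` (HTTP 500).

     Raises:
         PermissionDenied: caller is not staff and either sent no ``position``
             or may not assign the requested one.
         Http404: the requested position does not exist.
     """
     if request.user and request.user.is_staff:
         return super(FourSerializerViewSet, self).update(request, *args, **kwargs)
     if request.user and request.user.employee and request.user.employee.position:
         requested_position = request.data.get('position') if request.data else None
         if requested_position:
             position = get_object_or_404(Position.objects.all(), pk=requested_position)
             # NOTE(review): only the *new* position is authorised here; the object
             # being updated (kwargs['pk']) is never checked against `changable`,
             # unlike the Employee update view — confirm this is intended.
             if position in get_changable(request.user.employee.position):
                 return super(FourSerializerViewSet, self).update(request, *args, **kwargs)
     raise PermissionDenied()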
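    def update(self, instance, validated_data, **kwargs):
        """Attach ``validated_data['positions']`` to the department ``instance``.

        Admin users call ``replace`` directly, so no staff bypass is needed here.
        Each requested position must either be one the requesting user may
        change (``get_changable``) — it is then moved under ``instance`` — or
        already belong to ``instance`` (a no-op). Any other position is rejected.

        Validation runs over every position before anything is saved, so a
        request containing one forbidden position writes nothing; previously
        the permitted positions had already been moved when the request was
        denied.

        Args:
            instance: the department being updated; saved at the end.
            validated_data: serializer output; only ``positions`` is used here.
                NOTE(review): no other validated field is applied to
                ``instance`` — presumably handled elsewhere, confirm.

        Returns:
            ``instance`` after saving.

        Raises:
            CustomPermissionDenied: naming every position the caller may not move.
        """
        request = self.context.get('request', None)
        changable = []
        if request and request.user and request.user.employee and request.user.employee.position:
            changable = get_changable(request.user.employee.position)
        positions = validated_data.get('positions', [])

        # Pass 1: classify without side effects.
        to_move = []
        invalid_positions = []
        for position in positions:
            if position in changable:
                to_move.append(position)
            elif not position.department or position.department.id != instance.id:
                invalid_positions.append(position.name)

        if invalid_positions:
            raise CustomPermissionDenied("你没有修改(%s)的权限" %
                                         ', '.join(invalid_positions))

        # Pass 2: persist only once the whole request is known to be allowed.
        for position in to_move:
            position.department = instance
            position.save()
        instance.save()
        return instance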
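 def update(self, request, *args, **kwargs):
     """Update a Position, checking that every requested permission may be granted.

     Staff users bypass all checks. Otherwise the caller must have an employee
     record with a position, and:

     * each id in ``request.data['permissions']`` must be a permission the
       position already holds, a VIEW permission on a position the caller can
       read, or a CHANGE permission on a position the caller can change;
     * the position at ``pk`` itself must be one the caller can change.

     ``request.data['permissions']`` is read with ``.get`` so a body without
     the field is a plain position update, not a ``KeyError`` (HTTP 500).

     Raises:
         PermissionDenied: any requested permission cannot be granted, or the
             position at ``pk`` is not changable by the caller.
         Http404: ``pk`` or any permission id does not exist.
     """
     if request.user and request.user.is_staff:
         return super(FourSerializerViewSet, self).update(request, *args, **kwargs)
     if request.user and request.user.employee and request.user.employee.position:
         changable = get_changable(request.user.employee.position)
         readable = get_readable(request.user.employee.position)
         position = get_object_or_404(Position.objects.all(), pk=kwargs.get('pk', None))
         # NOTE(review): for a form-encoded body this is a single string, as in
         # the original subscript access — confirm clients send JSON lists.
         requested_permissions = request.data.get('permissions') if request.data else None
         if requested_permissions:
             permissions = Permission.objects.all()
             # Evaluate the position's current permissions once, not per iteration.
             already_held = list(position.permissions.all())
             for permission_id in requested_permissions:
                 permission = get_object_or_404(permissions, pk=permission_id)
                 if permission in already_held:
                     continue
                 if permission.permission == Permission.PERMISSION_VIEW and permission.position in readable:
                     continue
                 if permission.permission == Permission.PERMISSION_CHANGE and permission.position in changable:
                     continue
                 # A single ungrantable permission rejects the whole request.
                 raise PermissionDenied()
         # The position being edited must itself be changable by the caller.
         if position in changable:
             return super(FourSerializerViewSet, self).update(request, *args, **kwargs)
     raise PermissionDenied()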