Esempio n. 1
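    def update(self, request, pk):
        """Update a Location.

        A caller holding the 'Location' institute privilege may update any
        location. Any other caller may only update a location that is not
        reusable, may not change its ``reusable`` flag, and must hold the
        'UpdE' privilege on at least one body of every event that uses the
        location. A refused request returns ``forbidden_no_privileges()``.
        """
        profile = request.user.profile

        # Institute-level privilege short-circuits every other check.
        if user_has_insti_privilege(profile, 'Location'):
            return super().update(request, pk)

        # NOTE(review): .get() raises Location.DoesNotExist for an unknown pk;
        # confirm the framework turns that into a 404 rather than a 500.
        location = Location.objects.get(id=pk)

        # Reusable locations are off limits here whether or not the payload
        # mentions 'reusable'. The earlier form only looked at the stored flag
        # when the key was present, so a request that omitted the field could
        # still edit a reusable location.
        if location.reusable:
            return forbidden_no_privileges()

        # The stored flag is false at this point, so any differing submitted
        # value is an attempt to change it.
        if ('reusable' in request.data and
                request.data['reusable'] != location.reusable):
            return forbidden_no_privileges()

        # Every event using the location must have at least one body on which
        # the caller holds 'UpdE'.
        # NOTE(review): a location with no events skips this loop entirely, so
        # any caller who reaches this point may update it - confirm intended.
        for event in location.events.all():
            if not any(
                user_has_privilege(profile, str(body.id), 'UpdE')
                for body in event.bodies.all()
            ):
                return forbidden_no_privileges()

        return super().update(request, pk)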
Esempio n. 2
    def destroy(self, request, pk):
        """Delete the BodyRole identified by ``pk`` if the caller is allowed to.

        The 'RoleB' institute privilege is sufficient on its own. Otherwise
        the caller needs the 'Role' privilege on the body that owns the role;
        without it the result of ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile

        if not user_has_insti_privilege(profile, 'RoleB'):
            # Authorize against the body stored on the role, not against
            # anything supplied in the request.
            owning_body_id = str(BodyRole.objects.get(id=pk).body.id)
            if not user_has_privilege(profile, owning_body_id, 'Role'):
                return forbidden_no_privileges()

        return super().destroy(request, pk)
Esempio n. 3
    def create(self, request):
        """Create the resource after checking the caller's privileges.

        The 'RoleB' institute privilege is sufficient on its own. Otherwise
        the payload must carry a non-empty 'body' (400 if it does not) and the
        caller must hold the 'Role' privilege on that body; without it the
        result of ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile

        if not user_has_insti_privilege(profile, 'RoleB'):
            # The body id comes from the client, so it is validated and
            # authorized before the parent class creates anything.
            target_body = request.data.get('body')
            if not target_body:
                return Response({"body": "body is required"}, status=400)
            if not user_has_privilege(profile, target_body, 'Role'):
                return forbidden_no_privileges()

        return super().create(request)
Esempio n. 4
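    def update(self, request, pk):
        """Update a BodyRole without letting it move to another body.

        The 'RoleB' institute privilege is sufficient on its own. Otherwise
        the payload must name the body the role already belongs to (400 if
        'body' is missing or differs) and the caller must hold the 'Role'
        privilege on that body; without it the result of
        ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile

        if user_has_insti_privilege(profile, 'RoleB'):
            return super().update(request, pk)

        body = BodyRole.objects.get(id=pk).body
        current_body_id = str(body.id)

        # A payload without 'body' used to fail on the subscript below with an
        # unhandled exception; answer with a 400 instead.
        if 'body' not in request.data:
            return Response({"body": "body is required"}, status=400)

        # NOTE(review): this validation runs before the privilege check, so a
        # caller without 'Role' gets 400 or 403 depending on whether the
        # submitted body matches the stored one. Consider authorizing first.
        if request.data['body'] != current_body_id:
            return Response({
                'message': 'body is immutable',
                'detail': 'Body cannot be changed. Create a new role.'
            }, status=400)

        # Authorize against the stored body id, never the submitted one.
        if not user_has_privilege(profile, current_body_id, 'Role'):
            return forbidden_no_privileges()

        return super().update(request, pk)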
Esempio n. 5
    def destroy(self, request, pk):
        """Delete a BodyRole unless the caller lacks rights or it has former users.

        The 'RoleB' institute privilege is sufficient on its own and also
        skips the former-users check. Otherwise the caller needs the 'Role'
        privilege on the owning body, and the role must have no former users;
        either failure returns ``forbidden_no_privileges()``.
        """
        profile = request.user.profile

        if user_has_insti_privilege(profile, 'RoleB'):
            return super().destroy(request, pk)

        role = BodyRole.objects.get(id=pk)

        # Short-circuit keeps the original order: the privilege check runs
        # first, and former users are only counted for an authorized caller.
        if (not user_has_privilege(profile, str(role.body.id), 'Role')
                or role.former_users.count() > 0):
            return forbidden_no_privileges()

        return super().destroy(request, pk)