def get_tag(self, request, tag_pk):
    """Return the tag with primary key ``tag_pk`` if the user may link it.

    The link target is identified by the ``model`` and ``instance_pk``
    entries of ``self.kwargs``. A tag whose namespace is scoped to
    ``"global"`` is returned without a per-instance check; for any other
    namespace, ``user_can_link_tag_to`` must accept the requesting user,
    the tag and the linked instance.

    Raises:
        PermissionDenied: the tag is not global and the user is not
            allowed to link it to the target instance.
    """
    model = self.kwargs["model"]
    instance_pk = self.kwargs["instance_pk"]

    # NOTE(review): Tag.objects.get() is not guarded here, so an unknown
    # tag_pk propagates as an exception - confirm a caller or exception
    # handler turns that into a 404 rather than a 500.
    tag = Tag.objects.get(pk=tag_pk)

    # NOTE(review): global-namespace tags bypass the per-instance check
    # entirely - presumably intended, verify against the authorization
    # model for the target instance.
    if tag.namespace.scoped_to_model == "global":
        return tag

    allowed = user_can_link_tag_to(
        request.user, tag, Tag.get_linked_instance(model, instance_pk)
    )
    if allowed:
        return tag

    # NOTE(review): the second placeholder is filled with the tag object,
    # not instance_pk, so the text after "with id" is str(tag) - confirm
    # that this is the intended message.
    raise PermissionDenied(
        "Cannot edit link for {} with id {}".format(model, tag)
    )
def has_permission(self, request, view):
    """Decide at view level whether the request may create a namespace.

    Only POST requests that carry a non-empty body are checked; every
    other request is allowed by this method. For a checked request:

    * ``scoped_to_model == "global"`` requires ``request.user.is_admin``;
    * otherwise both ``scoped_to_model`` and ``scoped_to_pk`` must be
      present, and ``can_manage_tags_for`` decides for the instance they
      designate.

    Raises:
        ValidationError: one of the two scope parameters is missing.
    """
    # An empty POST body is let through because DRF issues a POST when the
    # user only asked for a GET (it has to do with the form displayed in
    # the viewsets).
    # NOTE(review): PUT/PATCH/DELETE also return True here - presumably
    # they are covered by an object-level check elsewhere; confirm.
    if request.method != "POST" or len(request.data) == 0:
        return True

    model_scope = request.data.get("scoped_to_model")
    pk_scope = request.data.get("scoped_to_pk")

    # Global namespaces are reserved for admins.
    if model_scope == "global":
        return request.user.is_admin

    # Any other scope needs both halves of the target reference.
    if model_scope is None or pk_scope is None:
        raise ValidationError(
            "Both scoped_to_model and scoped_to_pk parameters must be provided",
            400,
        )

    # NOTE(review): both values come straight from the request body; this
    # method does not validate them before the lookup - verify that
    # Tag.get_linked_instance rejects unknown models and pks.
    target = Tag.get_linked_instance(model_scope, pk_scope)
    return can_manage_tags_for(request.user, target)