def has_permission(self, request, view):
"""
Check if the user is authenticated and employee or read-only.
This permission will also provide (full) access to the
administrator.
:param request: The current request instance
:type request: rest_framework.request.Request
:param view: The current view instance
:type view: rest_framework.views.APIView
:return: Whether the permission was granted or not
:rtype: bool
"""
if not IsAuthenticated.has_permission(self, request, view):
return False
if (
is_management(request.user, False) or
is_employer(request.user, False)
):
return request.method.upper() in (
'GET', 'HEAD', 'OPTIONS', 'TRACE'
)
return is_employee(request.user)
def has_permission(self, request, view):
"""
Check if the user is authenticated and a employer.
This permission will also provide (full) access to the
administrator.
:param request: The current request instance
:type request: rest_framework.request.Request
:param view: The current view instance
:type view: rest_framework.views.APIView
:return: Whether the permission was granted or not
:rtype: bool
"""
return (
IsAuthenticated.has_permission(self, request, view)
and is_employer(request.user)
)
def filter_queryset(self, queryset):
"""
Filter the queryset for the appropriate users.
:param queryset: The queryset to filter
:type queryset: django.db.models.query.QuerySet
:return: The queryset with the appropriate allowed users
:rtype: django.db.models.query.QuerySet
"""
query = Q()
if is_employee(self.request.user, False):
query &= Q(id=self.request.user.id)
if is_employer(self.request.user, False):
query &= Q(group=Groups.employee)
query &= Q(member__company=self.request.user.member.company)
if is_management(self.request.user, False):
query &= ~Q(group=Groups.admin)
return queryset.filter(query)