def create(self, request):
    """Create a comment on a course's Salesforce case, then send the comment email.

    Reads ``course_uuid`` and ``comment`` from the request body;
    ``course_run_key`` is optional and forwarded unchanged.

    Responses built here:
      * 400 when ``course_uuid`` or ``comment`` is absent (``None``).
      * 201 with the created comment on success.
      * 500 with the exception message on ``SalesforceMissingCaseException``.

    Raises:
        PermissionDenied: ``request.user`` may not edit the resolved course.
    """
    payload = request.data
    required = {
        'course_uuid': payload.get('course_uuid'),
        'comment': payload.get('comment'),
    }

    # Only None counts as missing, so an empty string is accepted at this point.
    absent = [field for field, value in required.items() if value is None]
    details = ''.join(_('Missing value for: [{name}]. ').format(name=name) for name in absent)
    if details:
        body = (_('Incorrect data sent. ') + details).strip()
        return Response(body, status=status.HTTP_400_BAD_REQUEST)

    partner = self.request.site.partner

    # NOTE(review): the course is resolved before the edit check, so a caller
    # without edit rights can presumably tell an unknown course_uuid (helper's
    # 404) from an existing one (PermissionDenied). Confirm that is acceptable.
    course = self._get_course_or_404(partner, required['course_uuid'])

    # Authorization gate: nothing is written to Salesforce and no email is
    # sent unless the requesting user is an editor of this course.
    if not CourseEditor.is_course_editable(request.user, course):
        raise PermissionDenied

    util = self._get_salesforce_util_or_404(partner)
    try:
        # NOTE(review): course_run_key is passed straight from the request body;
        # whether the util checks that it belongs to `course` is not visible here.
        comment = util.create_comment_for_course_case(
            course,
            request.user,
            required['comment'],
            course_run_key=request.data.get('course_run_key'),
        )
        # Kept inside the try: a SalesforceMissingCaseException raised while
        # emailing is reported the same way as one raised while creating.
        send_email_for_comment(comment, course, request.user)
        return Response(comment, status=status.HTTP_201_CREATED)
    except SalesforceMissingCaseException as ex:
        # NOTE(review): the exception text is returned to the client verbatim;
        # confirm it carries no internal Salesforce identifiers.
        return Response(ex.message, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
def has_permission(self, request, view):
    """Decide view-level access: reads are open, writes need course-editor rights.

    Returns True for any method in SAFE_METHODS. For other methods, returns
    True when the body has no truthy ``course`` value; otherwise returns the
    result of ``CourseEditor.is_course_editable`` for ``view.course``.
    """
    # A missing course deliberately passes: OPTIONS reaches this path with a
    # fake POST. For a real POST the view is expected to complain about the
    # missing course. This branch grants access, so that rejection in the view
    # is the only thing stopping a course-less write.
    # NOTE(review): confirm every view using this permission enforces it.
    if request.method in SAFE_METHODS or not request.data.get('course'):
        return True

    # The course lookup already exists on the view, so it is reused rather
    # than repeated here.
    # NOTE(review): the body's 'course' value is only tested for presence; the
    # decision is made on view.course. Presumably the view derives it from the
    # same request data; verify.
    return CourseEditor.is_course_editable(request.user, view.course)
def has_object_permission(self, request, view, obj):
    """Decide object-level access: reads are open, writes need course-editor rights.

    Returns True for any method in SAFE_METHODS; for every other method,
    returns the result of ``CourseEditor.is_course_editable`` for
    ``obj.course``.
    """
    # This class does not restrict read access; if reads need limiting, that
    # has to be done by another permission or by the queryset.
    read_only = request.method in SAFE_METHODS
    if read_only:
        return True

    # Writes are authorized against the course that owns the object, not
    # against anything supplied in the request body.
    return CourseEditor.is_course_editable(request.user, obj.course)