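def has_permission(self, request, view):
    """Decide view-level access to an XForm endpoint.

    With a ``pk`` in the URL kwargs, ``list`` is always allowed and
    ``retrieve`` is allowed without further checks when the form is flagged
    ``shared`` or ``shared_data``; neither shortcut looks at who is asking.
    ``create`` by an authenticated user requires CAN_ADD_XFORM_TO_PROFILE on
    the target owner's profile. Every other case is decided by the parent
    permission class.

    Args:
        request: The incoming request; ``request.user`` is the caller.
        view: The view being accessed; ``view.kwargs`` and ``view.action``
            are read.

    Returns:
        The permission decision for this request.
    """
    owner = view.kwargs.get('owner')
    is_authenticated = request and request.user.is_authenticated()

    if 'pk' in view.kwargs:
        # Always allow listing xform (again, this is to match unit tests)
        # since we are filtering them down the road.
        # NOTE(review): this makes the queryset filter the only access
        # control on this path -- confirm it really excludes forms the
        # caller may not see.
        if view.action == 'list':
            return True

        # Allow getting a shared xform if you are anonymous.
        pk = view.kwargs.get('pk')
        if view.action == 'retrieve':
            try:
                xform = XForm.objects.get(pk=pk)
            except XForm.DoesNotExist:
                # An unknown pk is not a shared form: skip the anonymous
                # shortcut and let the regular checks below decide, instead
                # of failing the permission check with an unhandled
                # exception.
                xform = None
            if xform is not None and (xform.shared_data or xform.shared):
                return True

        # Called for every remaining request that names a form, whether or
        # not the caller is authenticated; its return value is not used.
        check_inherit_permission_from_project(pk, request.user)

    if is_authenticated and view.action == 'create':
        # The owner comes from the URL when present, else the caller.
        owner = owner or request.user.username

        # NOTE(review): if get_user_profile_or_none() yields None for an
        # unknown owner, has_perm() runs without an object -- confirm the
        # permission backend denies in that case.
        return request.user.has_perm(CAN_ADD_XFORM_TO_PROFILE,
                                     get_user_profile_or_none(owner))

    return super(XFormPermissions, self).has_permission(request, view)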
def has_permission(self, request, view):
    """Decide view-level access to an XForm endpoint.

    An authenticated ``create`` requires CAN_ADD_XFORM_TO_PROFILE on the
    target owner's profile; every other case is left to the parent
    permission class.

    Args:
        request: The incoming request; ``request.user`` is the caller.
        view: The view being accessed; ``view.kwargs`` and ``view.action``
            are read.

    Returns:
        The permission decision for this request.
    """
    url_kwargs = view.kwargs
    requested_owner = url_kwargs.get('owner')
    logged_in = request and request.user.is_authenticated

    if 'pk' in url_kwargs:
        # Runs for any request that names a form, before authentication is
        # taken into account; the helper's return value is not used.
        # NOTE(review): presumably it syncs project-level permissions onto
        # the form -- confirm it is safe to call for anonymous users.
        check_inherit_permission_from_project(url_kwargs['pk'], request.user)

    if not (logged_in and view.action == 'create'):
        return super(XFormPermissions, self).has_permission(request, view)

    # The owner comes from the URL when present, else the caller.
    profile_owner = requested_owner or request.user.username

    # NOTE(review): if get_user_profile_or_none() yields None for an unknown
    # owner, has_perm() runs without an object -- confirm the permission
    # backend denies in that case.
    return request.user.has_perm(
        CAN_ADD_XFORM_TO_PROFILE, get_user_profile_or_none(profile_owner))
def has_permission(self, request, view):
    """Decide view-level access to an XForm endpoint.

    A GET ``list`` or ``retrieve`` that names a form is allowed outright
    when that form has ``shared_data`` set; this shortcut does not look at
    who is asking. An authenticated ``create`` requires
    CAN_ADD_XFORM_TO_PROFILE on the target owner's profile. Every other
    case is left to the parent permission class.

    Args:
        request: The incoming request; ``request.user`` is the caller.
        view: The view being accessed; ``view.kwargs`` and ``view.action``
            are read.

    Returns:
        The permission decision for this request.
    """
    url_kwargs = view.kwargs
    requested_owner = url_kwargs.get('owner')
    logged_in = request and request.user.is_authenticated()

    if 'pk' in url_kwargs:
        # Allow anonymous users to access shared data
        read_only_action = (
            request.method == 'GET' and view.action in ('list', 'retrieve'))
        if read_only_action:
            # The lookup uses the pk taken straight from the URL kwargs.
            form = get_object_or_404(XForm, pk=url_kwargs.get('pk'))
            if form.shared_data:
                return True

        # Reached for every request that was not short-circuited above,
        # authenticated or not; the helper's return value is not used.
        check_inherit_permission_from_project(
            url_kwargs.get('pk'), request.user)

    if not (logged_in and view.action == 'create'):
        return super(XFormPermissions, self).has_permission(request, view)

    # The owner comes from the URL when present, else the caller.
    profile_owner = requested_owner or request.user.username

    # NOTE(review): if get_user_profile_or_none() yields None for an unknown
    # owner, has_perm() runs without an object -- confirm the permission
    # backend denies in that case.
    return request.user.has_perm(
        CAN_ADD_XFORM_TO_PROFILE, get_user_profile_or_none(profile_owner))