def get_tag(self, request, tag_pk):
model, instance_pk = self.kwargs["model"], self.kwargs["instance_pk"]
tag = Tag.objects.get(pk=tag_pk)
if tag.namespace.scoped_to_model != "global" and not user_can_link_tag_to(
request.user, tag, Tag.get_linked_instance(model,
instance_pk)):
raise PermissionDenied("Cannot edit link for {} with id {}".format(
model, tag))
return tag
def has_permission(self, request, view):
# `len(request.data) > 0` has to be here because, for some reason, DRF makes a POST request when the user just
# asked for a GET request (it has to do with the form displayed in the viewsets).
if request.method == "POST" and len(request.data) > 0:
scoped_to_model = request.data.get("scoped_to_model")
scoped_to_pk = request.data.get("scoped_to_pk")
# Only the admins can edit a global namespace.
if scoped_to_model == "global":
return request.user.is_admin
# Or, both parameters have to be provided.
if scoped_to_model is None or scoped_to_pk is None:
raise ValidationError(
"Both scoped_to_model and scoped_to_pk parameters must be provided",
400,
)
instance = Tag.get_linked_instance(scoped_to_model, scoped_to_pk)
return can_manage_tags_for(request.user, instance)
return True
