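def has_permission(self, request, view):
    """Allow access to the profile field named by ``field_name`` for the user in the URL.

    Access is granted when the requesting user is the profile owner (usernames
    compared case-insensitively), is staff, or the field is among those the
    owner has made visible to this requester.

    Args:
        request: the DRF request; ``request.user`` and the ``username`` URL
            kwarg (``request.parser_context['kwargs']``) are read.
        view: the view being checked (unused here).

    Returns:
        True when access is allowed.

    Raises:
        Http404: when no user matches the URL username, or the field is not
            visible to the requester.  A 404 rather than a 403 avoids
            disclosing whether a username exists.
    """
    url_username = request.parser_context.get('kwargs', {}).get('username', '')

    # Owner shortcut.  The ``url_username`` guard matters: Django's
    # AnonymousUser also has an empty ``username``, so without it a request
    # with no ``username`` kwarg would match ``'' == ''`` and be granted
    # access before any lookup or staff check.
    if url_username and request.user.username.lower() == url_username.lower():
        return True

    # Staff can always see profiles.
    if request.user.is_staff:
        return True

    # This should never return Multiple, as we don't allow case name
    # collisions on registration.
    user = get_object_or_404(User, username__iexact=url_username)

    # NOTE(review): ``field_name`` is not bound in this method; presumably a
    # class attribute or an enclosing-scope name -- confirm.
    if field_name in visible_fields(user.profile, user):
        return True
    raise Http404()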
def _viewable_by_requestor(self, request, username):
    """
    Returns whether or not the requesting user is allowed to view the given
    user's certificates.

    The requester qualifies as the profile owner (exact username match), as
    staff, or because ``course_certificates`` is among the fields the owner
    has made visible to them.  An unknown username yields False rather than
    raising.
    """
    try:
        target = User.objects.select_related('profile').get(username=username)
    except User.DoesNotExist:
        return False

    requestor = request.user
    # All three checks are evaluated up front; any one of them suffices.
    checks = (
        requestor.username == username,
        requestor.is_staff,
        'course_certificates' in visible_fields(target.profile, target),
    )
    return any(checks)