예제 #1
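 def has_permission(self, request, view):
     """
     Decide whether ``request.user`` may access the profile named in the URL.

     Access is granted when the requester is the profile owner (case-insensitive
     username match), when the requester is staff, or when the profile's own
     privacy settings expose the requested field via ``visible_fields``.

     Args:
         request: The DRF request; ``parser_context['kwargs']['username']`` is
             the profile owner named in the URL.
         view: The view being checked (unused here).

     Returns:
         True when access is allowed.

     Raises:
         Http404: when the named user does not exist, or exists but the field is
             not visible to the requester (the 404 deliberately does not reveal
             whether the profile exists).
     """
     url_username = request.parser_context.get('kwargs', {}).get('username', '')
     # Guard the owner check against an empty URL username: Django's
     # AnonymousUser has username '' and would otherwise match a request that
     # carries no username kwarg at all.
     if url_username and request.user.username.lower() == url_username.lower():
         return True
     # Staff can always see profiles.
     if request.user.is_staff:
         return True
     # This should never return Multiple, as we don't allow case name collisions on registration.
     user = get_object_or_404(User, username__iexact=url_username)
     # NOTE(review): `field_name` is not defined in this method; presumably a
     # class or module-level attribute naming the profile field being requested
     # — confirm against the enclosing class.
     if field_name in visible_fields(user.profile, user):
         return True
     raise Http404()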
예제 #2
    def _viewable_by_requestor(self, request, username):
        """
        Return True if the requesting user may view ``username``'s certificates.

        Access is allowed when the requester is the profile owner, is staff,
        or when the owner's profile exposes ``course_certificates`` through
        ``visible_fields``. An unknown ``username`` yields False rather than
        raising.
        """
        try:
            owner = User.objects.select_related('profile').get(username=username)
        except User.DoesNotExist:
            return False

        requestor = request.user
        # All three checks are evaluated up front; the visibility lookup runs
        # regardless of the owner/staff outcome, as before.
        checks = (
            requestor.username == username,
            requestor.is_staff,
            'course_certificates' in visible_fields(owner.profile, owner),
        )
        return any(checks)