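def update(self, request, pk):
    """Update Location.

    This requires the user to have the 'Location' institute permission or
    BodyRole for the event using the location if it is not reusable.

    Args:
        request: DRF request; ``request.user.profile`` and ``request.data``
            are read.
        pk: primary key of the Location being updated.

    Returns:
        The parent viewset's update response, the 403 response from
        ``forbidden_no_privileges()``, or a 404 response when no Location
        with ``pk`` exists.
    """
    # Institute-level 'Location' privilege may do anything
    if user_has_insti_privilege(request.user.profile, 'Location'):
        return super().update(request, pk)

    # Resolve the target first so an unknown id answers 404 instead of an
    # unhandled DoesNotExist surfacing as a server error
    try:
        location = Location.objects.get(id=pk)
    except Location.DoesNotExist:
        return Response({'detail': 'Not found.'}, status=404)

    # Reusable locations are reserved for institute privilege holders. This is
    # checked before looking at the payload so that simply omitting the
    # 'reusable' field cannot bypass it.
    if location.reusable:
        return forbidden_no_privileges()

    # Disallow flipping a non-reusable location to reusable.
    # NOTE(review): with form-encoded data 'reusable' arrives as a string,
    # which never equals the boolean field - confirm clients send JSON.
    if 'reusable' in request.data and request.data['reusable'] != location.reusable:
        return forbidden_no_privileges()

    # The user needs 'UpdE' on at least one body of every associated event;
    # the generator short-circuits on the first body that grants it.
    # NOTE(review): a location with no associated events passes this loop
    # with no body-level check at all - confirm that is intended.
    for event in location.events.all():
        can_update = any(
            user_has_privilege(request.user.profile, str(b.id), 'UpdE')
            for b in event.bodies.all()
        )
        if not can_update:
            return forbidden_no_privileges()

    return super().update(request, pk)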
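def destroy(self, request, pk):
    """Delete a BodyRole.

    Institute 'RoleB' privilege bypasses the body-level check; otherwise the
    user needs the 'Role' privilege on the role's body.

    Args:
        request: DRF request; ``request.user.profile`` is read.
        pk: primary key of the BodyRole being deleted.

    Returns:
        The parent viewset's destroy response, the 403 response from
        ``forbidden_no_privileges()``, or a 404 response when no BodyRole
        with ``pk`` exists.
    """
    if user_has_insti_privilege(request.user.profile, 'RoleB'):
        return super().destroy(request, pk)

    # Unknown id answers 404 rather than an unhandled DoesNotExist
    try:
        body_id = str(BodyRole.objects.get(id=pk).body.id)
    except BodyRole.DoesNotExist:
        return Response({'detail': 'Not found.'}, status=404)

    # Body-level 'Role' privilege on the role's body
    if not user_has_privilege(request.user.profile, body_id, 'Role'):
        return forbidden_no_privileges()

    return super().destroy(request, pk)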
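def create(self, request):
    """Create a BodyRole.

    Institute 'RoleB' privilege bypasses the body-level check; otherwise
    ``body`` must be present and non-empty in the payload and the user needs
    the 'Role' privilege on that body.

    Args:
        request: DRF request; ``request.user.profile`` and ``request.data``
            are read.

    Returns:
        The parent viewset's create response, a 400 response when ``body``
        is missing or empty, or the 403 response from
        ``forbidden_no_privileges()``.
    """
    if user_has_insti_privilege(request.user.profile, 'RoleB'):
        return super().create(request)

    # The privilege check below needs a non-empty body id
    if 'body' not in request.data or not request.data['body']:
        return Response({"body": "body is required"}, status=400)

    # NOTE(review): the raw payload value is passed here, while the sibling
    # update/destroy handlers pass ``str(body.id)`` - confirm that
    # user_has_privilege accepts both forms.
    if not user_has_privilege(request.user.profile, request.data['body'], 'Role'):
        return forbidden_no_privileges()

    return super().create(request)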
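def update(self, request, pk):
    """Update a BodyRole.

    Institute 'RoleB' privilege bypasses the checks; otherwise the role's
    body is immutable and the user needs the 'Role' privilege on it.

    Args:
        request: DRF request; ``request.user.profile`` and ``request.data``
            are read.
        pk: primary key of the BodyRole being updated.

    Returns:
        The parent viewset's update response, a 400 response when the
        payload names a different body, the 403 response from
        ``forbidden_no_privileges()``, or a 404 response when no BodyRole
        with ``pk`` exists.
    """
    if user_has_insti_privilege(request.user.profile, 'RoleB'):
        return super().update(request, pk)

    # Unknown id answers 404 rather than an unhandled DoesNotExist
    try:
        body = BodyRole.objects.get(id=pk).body
    except BodyRole.DoesNotExist:
        return Response({'detail': 'Not found.'}, status=404)

    # A role cannot be moved to another body. Only a payload that actually
    # names a different body is rejected; indexing ``request.data['body']``
    # unconditionally would raise KeyError on a payload without it. Both
    # sides are normalised to str so an integer id equal to the current
    # body is not mistaken for a change.
    if 'body' in request.data and str(request.data['body']) != str(body.id):
        return Response({
            'message': 'body is immutable',
            'detail': 'Body cannot be changed. Create a new role.'
        }, status=400)

    # Body-level 'Role' privilege on the role's (unchanged) body
    if not user_has_privilege(request.user.profile, str(body.id), 'Role'):
        return forbidden_no_privileges()

    return super().update(request, pk)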
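def destroy(self, request, pk):
    """Delete a BodyRole.

    Institute 'RoleB' privilege bypasses the checks; otherwise the user
    needs the 'Role' privilege on the role's body, and a role that still
    has former users is not deleted.

    Args:
        request: DRF request; ``request.user.profile`` is read.
        pk: primary key of the BodyRole being deleted.

    Returns:
        The parent viewset's destroy response, the 403 response from
        ``forbidden_no_privileges()``, or a 404 response when no BodyRole
        with ``pk`` exists.
    """
    if user_has_insti_privilege(request.user.profile, 'RoleB'):
        return super().destroy(request, pk)

    # Unknown id answers 404 rather than an unhandled DoesNotExist
    try:
        body_role = BodyRole.objects.get(id=pk)
    except BodyRole.DoesNotExist:
        return Response({'detail': 'Not found.'}, status=404)

    # Body-level 'Role' privilege on the role's body
    if not user_has_privilege(request.user.profile, str(body_role.body.id), 'Role'):
        return forbidden_no_privileges()

    # A role with former users is refused; ``exists()`` stops at the first
    # row instead of counting all of them
    if body_role.former_users.exists():
        return forbidden_no_privileges()

    return super().destroy(request, pk)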