    def has_object_permission(self, request: Request, view,
                              obj: tm.Work) -> bool:
        """Per-object check: reads are open, writes need the kiosk caller.

        Any method in ``permissions.SAFE_METHODS`` is allowed. PUT/PATCH,
        and any other non-safe method (DELETE included) when ``obj`` is
        exactly a ``tm.Work`` (the ``type(...) is`` test excludes
        subclasses), are allowed only if ``user_is_kiosk(request)`` says
        so. Everything else is denied.
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        is_update = request.method in ("PUT", "PATCH")
        # REVIEW: Why is this needed? -- exact-type test, a subclass of
        # tm.Work does not satisfy it.
        is_exact_work = type(obj) is tm.Work

        if is_update or is_exact_work:
            return user_is_kiosk(request)

        return False
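    def has_object_permission(self, request: Request, view, obj) -> bool:
        """Per-object check for a Claim-like ``obj``.

        Reads (``permissions.SAFE_METHODS``) are always allowed. PUT/PATCH
        are allowed for the kiosk caller. Any other non-safe request is
        allowed only when the calling member is ``obj.claiming_member``
        (the owner of a Claim); otherwise it is denied explicitly instead
        of falling off the end of the method (the implicit ``None`` was
        treated as a denial by DRF but read like a bug).

        The member lookup is deferred until it is needed, so a caller whose
        user has no ``member`` attribute (e.g. an anonymous user) on a safe
        method is not rejected with an AttributeError; a caller without a
        member is denied rather than compared against ``claiming_member``
        (``None == None`` would otherwise have granted access when the claim
        has no claiming member).
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        if request.method in ["PUT", "PATCH"] and user_is_kiosk(request):
            return True

        # Fail closed when the caller has no associated member rather than
        # raising from inside a permission check.
        memb = getattr(request.user, "member", None)  # type: mm.Member
        if memb is None:
            return False

        # The claiming_member is the owner of a Claim.
        return memb == obj.claiming_member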
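    def has_permission(self, request: Request, view) -> bool:
        """View-level check for the Claim endpoint.

        Reads and PUT/PATCH pass here (updates are settled per object in
        ``has_object_permission``); every other method except POST is
        denied. A POST is allowed for the kiosk caller, for the body-less
        probe DRF's browsable API sends, and otherwise only when the calling
        member is creating a claim for themselves, that member is an
        eligible claimant of the task, and the task is not already fully
        claimed when the new claim's status is CURRENT.

        Malformed or dangling input (missing body keys, unknown member or
        task pk, a caller without a member) is denied rather than allowed to
        raise KeyError/AttributeError/DoesNotExist out of the permission
        check, which would surface as a 500 instead of a 403.
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        if request.method in ["PATCH", "PUT"]:
            # I believe this is safe because Django subsequently goes to has_object_permissions
            return True

        if request.method != "POST":
            return False

        if user_is_kiosk(request):
            return True

        # Web interface to REST API sends POST with no body to determine if
        # a read/write or read-only interface should be presented. In general,
        # anybody can post a claim, so we'll return True for this case.
        datalen = request.META.get('CONTENT_LENGTH', '0')  # type: str
        if datalen in ('0', ''):
            return True

        return self._member_may_post_claim(request)

    def _member_may_post_claim(self, request: Request) -> bool:
        """Decide a non-kiosk POST that carries a body; every failure path denies."""
        data = request.data
        required = ("claimed_task", "claiming_member", "status")
        if any(key not in data for key in required):
            # A required field is missing: the serializer would reject the
            # request anyway, so deny here instead of raising KeyError.
            return False

        calling_member = getattr(request.user, "member", None)
        if calling_member is None:
            # No member behind this user: nothing to match against.
            return False

        claimed_task_pk = getpk(data["claimed_task"])
        claiming_member_pk = getpk(data["claiming_member"])

        if calling_member.pk != claiming_member_pk:
            # Only allowing callers to create their own claims.
            return False

        claiming_member = mm.Member.objects.filter(pk=claiming_member_pk).first()
        claimed_task = tm.Task.objects.filter(pk=claimed_task_pk).first()  # type: tm.Task
        if claiming_member is None or claimed_task is None:
            # Dangling references are denied, not raised as DoesNotExist.
            return False

        # Not allowed to claim a task that's already fully claimed.
        if data["status"] == tm.Claim.STAT_CURRENT and claimed_task.is_fully_claimed:
            return False

        if claiming_member not in claimed_task.all_eligible_claimants():
            # Don't allow non-eligible claimant.
            return False

        return True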
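    def has_permission(self, request: Request, view) -> bool:
        """View-level check: reads are open, only the kiosk caller may POST.

        PUT/PATCH are denied outright and any non-kiosk write is denied. A
        kiosk POST is allowed for the body-less probe DRF's browsable API
        sends, and otherwise only when the referenced product
        ``is_in_machine``; an unknown product pk raises 404 through
        ``get_object_or_404``. A body without a ``product`` key is denied
        instead of raising KeyError (which would surface as a 500).
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        if request.method in ["PATCH", "PUT"]:
            return False

        if request.method != "POST" or not user_is_kiosk(request):
            return False

        # DRF's web interface sends POST with no body to determine if
        # a read/write or read-only options should be presented.
        datalen = request.META.get('CONTENT_LENGTH', '0')  # type: str
        if datalen in ('0', ''):
            return True

        product_ref = request.data.get("product")
        if product_ref is None:
            # Fail closed on a malformed body rather than raise KeyError.
            return False

        product = get_object_or_404(sm.Product, pk=getpk(product_ref))
        return product.is_in_machine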
 def has_object_permission(self, request: Request, view, obj):
     """Per-object check: safe methods are open, writes need the kiosk caller.

     Returns True for any method in ``permissions.SAFE_METHODS``; for every
     other method the result is whatever ``user_is_kiosk(request)`` returns.
     ``obj`` itself is not inspected.
     """
     is_read_only = request.method in permissions.SAFE_METHODS
     return is_read_only or user_is_kiosk(request)
    def get_queryset(self):
        """Return every ``sm.VendLog`` row ordered by ``id``.

        Both branches below return the same queryset; the kiosk check is
        still evaluated so behaviour is unchanged.
        """
        # Querysets are lazy, so building this before the check costs nothing.
        all_logs = sm.VendLog.objects.all().order_by('id')

        if user_is_kiosk(self.request):
            return all_logs

        # NOTE(review): non-kiosk callers receive the identical unfiltered
        # queryset, so the kiosk check above has no effect — confirm whether
        # this branch was meant to restrict what non-kiosk users can list.
        return all_logs