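def create(self, request, **kwargs):
    """Grant ``self.perm`` on the current app to the user named in the request.

    The caller must pass the ``IsOwnerOrAdmin`` object check for the app;
    otherwise ``PermissionDenied`` is raised before any request data is read.
    The target account is looked up by the ``username`` field of
    ``request.data`` through ``get_object_or_404``.

    Returns an empty 201 response on success, or a 400 response when the
    body carries no usable ``username`` field.
    """
    app = self.get_object()

    # Authorise the caller first, so an unauthorised request never reaches
    # the user lookup below.
    gate = permissions.IsOwnerOrAdmin()
    if not gate.has_object_permission(request, self, app):
        raise PermissionDenied()

    # A body without 'username' (or a non-mapping body) used to surface as an
    # unhandled KeyError/TypeError; reject it as a client error instead.
    try:
        username = request.data['username']
    except (KeyError, TypeError):
        return Response({'detail': 'username is required'},
                        status=status.HTTP_400_BAD_REQUEST)

    user = get_object_or_404(User, username=username)
    assign_perm(self.perm, user, app)

    # NOTE(review): this audit line names the grantee and the app but not
    # request.user, the principal who made the grant -- consider recording it.
    app.log("User {} was granted access to {}".format(user, app))
    return Response(status=status.HTTP_201_CREATED)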
def destroy(self, request, **kwargs):
    """Revoke ``self.perm`` on an app from the user named in the URL.

    The app is resolved from ``self.kwargs['id']`` and the target account from
    ``kwargs['username']``, both through ``get_object_or_404``.
    ``PermissionDenied`` is raised when the target does not hold the
    permission, or when the caller is neither the target user nor able to pass
    the ``IsOwnerOrAdmin`` object check. Returns an empty 204 response.
    """
    # NOTE(review): create() resolves the app with self.get_object(); here it
    # is fetched directly, so whatever checks get_object() applies are not
    # run -- confirm this is intentional.
    app = get_object_or_404(models.App, id=self.kwargs['id'])

    # NOTE(review): both lookups run before the caller is authorised, so a
    # caller with no rights on the app sees 404 for an unknown username and
    # 403 for a known one -- confirm that distinction is acceptable.
    user = get_object_or_404(User, username=kwargs['username'])

    # Nothing to revoke if the target does not currently hold the permission.
    qualified_perm = "api.{}".format(self.perm)
    if not user.has_perm(qualified_perm, app):
        raise PermissionDenied()

    # Users may drop their own access; revoking anyone else's requires the
    # caller to pass the owner-or-admin object check.
    if user != request.user:
        gate = permissions.IsOwnerOrAdmin()
        if not gate.has_object_permission(request, self, app):
            raise PermissionDenied()

    remove_perm(self.perm, user, app)

    # NOTE(review): the audit line names the affected user and app but not
    # request.user, the principal who performed the revocation.
    app.log("User {} was revoked access to {}".format(user, app))
    return Response(status=status.HTTP_204_NO_CONTENT)