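    def perform_update(self, serializer):
        """Apply an update to a folder after an authorization check.

        The requesting user must be allowed to view the folder being updated
        and, when the update changes ``parent``, the destination folder as
        well. The allowed-folder set is computed once and reused for both
        checks (the original computed it twice and never used the first
        result).

        Raises:
            PermissionDenied: if the folder or the new parent is outside the
                user's allowed set.
        """
        # NOTE(review): the helper is asked for *view* permission here, so a
        # view-only user can update and move the folder — confirm that this
        # is the intended authorization model.
        allowed_to_view_folders_ids = user_allowed_folders_ids(
            self.request.user, require_view_permission=True)

        if serializer.instance.id not in allowed_to_view_folders_ids:
            raise PermissionDenied(
                detail="You are not allowed to update this folder")

        # Moving a folder also requires permission on the destination.
        # NOTE(review): a null parent (re-rooting the folder) would raise
        # AttributeError on ``.id`` — confirm whether the serializer permits it.
        if 'parent' in serializer.validated_data:
            new_parent = serializer.validated_data['parent']
            if new_parent.id not in allowed_to_view_folders_ids:
                raise PermissionDenied(
                    detail="You are not allowed to move folder here")

        super(FolderFlatViewSet, self).perform_update(serializer)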
    def perform_destroy(self, instance):
        """Delete a folder once authorization and emptiness are verified.

        Raises:
            PermissionDenied: when the folder is outside the set the
                requesting user may view, or when it still holds child
                folders or connections.
        """
        # NOTE(review): deletion is gated on *view* permission only — confirm
        # this matches the intended authorization model.
        permitted = user_allowed_folders_ids(
            self.request.user, require_view_permission=True)
        if instance.id not in permitted:
            raise PermissionDenied(
                detail="You are not allowed to delete this folder.")

        # Only empty folders may be removed; children are checked first,
        # connections only if there are no children.
        has_children = instance.children.count() > 0
        if has_children or instance.connections.count() > 0:
            raise PermissionDenied(
                detail="Cannot delete: folder is not empty.")

        super(FolderFlatViewSet, self).perform_destroy(instance)
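    def __init__(self, *args, **kwargs):
        """Build the serializer and narrow the ``connection`` choices.

        When a request is present in the serializer context, the
        ``connection`` field's queryset is restricted to connections whose
        parent folder the requesting user may view. The original intent is
        to trim the dropdown in the browsable API; whether the queryset also
        constrains what values validate depends on the field type — TODO
        confirm, and keep an explicit permission check in the view either way.
        """
        super(TicketSerializer, self).__init__(*args, **kwargs)

        # Keep the try body to the one lookup that may legitimately miss: a
        # serializer built without a request in its context. A KeyError
        # raised while computing the allowed folders or resolving the field
        # is no longer silently swallowed (which would leave the queryset
        # unrestricted).
        try:
            user = kwargs['context']['request'].user
        except KeyError:
            return

        self.fields['connection'].queryset = Connection.objects \
            .filter(parent__in=user_allowed_folders_ids(user, require_view_permission=True))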
    def has_object_permission(self, request, view, obj):
        """Object-level permission check for folders.

        ``GET``/``HEAD``/``OPTIONS``/``POST`` are always allowed here.
        ``PUT``/``PATCH``/``DELETE`` are allowed when the user may view the
        folder's parent, or — for a root folder with no parent — when the
        user may view the folder itself *and* has ``is_staff``. Every other
        case is denied.
        """
        if request.method in {"GET", 'HEAD', 'OPTIONS', 'POST'}:
            return True

        viewable = user_allowed_folders_ids(
            request.user, require_view_permission=True)

        if request.method not in {'PUT', 'PATCH', 'DELETE'}:
            # Nothing matched - deny access
            return False

        parent = obj.parent
        if parent is not None:
            # Modification rights are derived from the parent folder.
            return parent.id in viewable

        # Root folder: requires both explicit access and staff status.
        return bool(obj.id in viewable and request.user.is_staff)
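    def create(self, request, *args, **kwargs):
        """Issue a ticket for a connection, reusing a still-valid one if present.

        Flow:
          1. Validate the payload with ``TicketSerializer``.
          2. Verify server-side that the requesting user may view the parent
             folder of the requested connection.
          3. Return the oldest still-valid ticket for this user and
             connection with ``202 Accepted``; otherwise create a new ticket
             and return it with ``201 Created``.

        Raises:
            ValidationError: on an invalid payload, or when the user is not
                permitted to use the requested connection.
        """
        context = self.get_serializer_context()
        ticket_serializer = TicketSerializer(data=request.data,
                                             context=context)

        if not ticket_serializer.is_valid():
            raise ValidationError(ticket_serializer.errors)

        connection = ticket_serializer.validated_data['connection']

        # Authorization: the connection's parent folder must be viewable.
        # NOTE(review): assumes a connection always has a parent; a null
        # parent would raise AttributeError here — confirm against the model.
        if connection.parent.id not in \
                user_allowed_folders_ids(request.user, require_view_permission=True):
            raise ValidationError("Wrong connection specified")

        # Query by the *validated* connection rather than the raw
        # request.data value so the lookup and the permission check above
        # refer to the same object.
        existing_tickets = Ticket.objects.filter(
            connection=connection,
            user=request.user,
            author=request.user).order_by('created')

        # Oldest first: hand back the first ticket that is still valid.
        for ticket in existing_tickets:
            if ticket.check_validity():
                return Response(TicketSerializer(ticket).data,
                                status=status.HTTP_202_ACCEPTED)

        # No valid ticket exists: issue a new one (plain fallthrough instead
        # of raising Ticket.DoesNotExist for control flow).
        self.perform_create(ticket_serializer)
        headers = self.get_success_headers(ticket_serializer.data)
        return Response(ticket_serializer.data,
                        status=status.HTTP_201_CREATED,
                        headers=headers)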
 def get_queryset(self):
     """Folders the requesting user has access to.

     NOTE(review): unlike the connection and ticket code paths, this call
     does not pass ``require_view_permission=True`` — confirm that listing
     folders at any permission level is intended.
     """
     accessible_ids = user_allowed_folders_ids(self.request.user)
     return Folder.objects.filter(id__in=accessible_ids)
 def get_queryset(self):
     """Connections whose parent folder the requesting user may view."""
     user = self.request.user
     return Connection.objects.filter(
         parent__in=user_allowed_folders_ids(user, require_view_permission=True))