def has_delete_permission(self, request, registration=None):
"""Only give delete permission if the user is an organiser"""
if registration is not None and not services.is_organiser(
request.member, registration.event
):
return False
return super().has_delete_permission(request, registration)
def get_object(self):
instance = super().get_object()
if (
instance.name or instance.member.pk != self.request.member.pk
) and not services.is_organiser(self.request.member, instance.event):
raise NotFound()
return instance
def can_change_order(member, pizza_event):
"""
Determine if a certain member can edit orders of an event
:param member: Member who wants to change and order
:param pizza_event: The event for which we want to change an order
:return: True if we can change an order else False
"""
return (pizza_event and member.has_perm("pizzas.change_order")
and is_organiser(member, pizza_event.event))
def perform_update(self, serializer):
registration = serializer.instance
member = self.request.member
if (member and member.has_perm("events.change_registration")
and services.is_organiser(member, registration.event)):
services.update_registration_by_organiser(
registration, self.request.member, serializer.validated_data)
services.update_registration(registration=registration,
field_values=serializer.field_values())
serializer.information_fields = services.registration_fields(
serializer.context["request"], registration=registration)
def __call__(self, request, *args, **kwargs):
pizza_event = None
if "pk" in kwargs:
try:
pizza_event = PizzaEvent.objects.get(pk=kwargs.get("pk"))
except PizzaEvent.DoesNotExist:
pass
if pizza_event and services.is_organiser(request.member,
pizza_event.event):
return self.view_function(request, *args, **kwargs)
raise PermissionDenied
def registrations(self, request, pk):
"""
Defines a custom route for the event's registrations,
can filter on registration status if the user is an organiser
:param request: the request object
:param pk: the primary key of the event
:return: the registrations of the event
"""
event = get_object_or_404(Event, pk=pk)
if request.method.lower() == "post":
try:
registration = services.create_registration(
request.member, event)
serializer = EventRegistrationSerializer(
instance=registration, context={"request": request})
return Response(status=201, data=serializer.data)
except RegistrationError as e:
raise PermissionDenied(detail=e)
status = request.query_params.get("status", None)
# Make sure you can only access other registrations when you have
# the permissions to do so
context = {"request": request}
if services.is_organiser(self.request.member, event):
queryset = EventRegistration.objects.filter(event=pk)
if status == "queued":
queryset = EventRegistration.objects.filter(
event=pk, date_cancelled=None)[event.max_participants:]
elif status == "cancelled":
queryset = EventRegistration.objects.filter(
event=pk, date_cancelled__not=None)
elif status == "registered":
queryset = EventRegistration.objects.filter(
event=pk, date_cancelled=None)[:event.max_participants]
serializer = EventRegistrationAdminListSerializer(queryset,
many=True,
context=context)
else:
serializer = EventRegistrationListSerializer(
EventRegistration.objects.filter(
event=pk, date_cancelled=None)[:event.max_participants],
many=True,
context=context,
)
return Response(serializer.data)
def __call__(self, request, *args, **kwargs):
event = None
if "pk" in kwargs:
try:
event = Event.objects.get(pk=kwargs.get("pk"))
except Event.DoesNotExist:
pass
elif "registration" in kwargs:
try:
event = Event.objects.get(
registration__pk=kwargs.get("registration"))
except Event.DoesNotExist:
pass
if event and services.is_organiser(request.member, event):
return self.view_function(request, *args, **kwargs)
raise PermissionDenied
def perform_update(self, serializer):
try:
registration = serializer.instance
member = self.request.member
if (member and member.has_perm("events.change_registration")
and services.is_organiser(member, registration.event)):
services.update_registration_by_organiser(
registration, self.request.member,
serializer.validated_data)
services.update_registration(
registration=registration,
field_values=serializer.field_values())
serializer.information_fields = services.registration_fields(
serializer.context["request"], registration=registration)
except RegistrationError as e:
raise PermissionDenied(detail=e) from e
except PaymentError as e:
raise PermissionDenied(detail=e) from e
def test_is_organiser(self):
self.assertFalse(services.is_organiser(AnonymousUser(), self.event))
self.assertFalse(services.is_organiser(self.member, self.event))
self.member.is_superuser = True
self.assertTrue(services.is_organiser(self.member, self.event))
self.member.is_superuser = False
self._toggle_override_organiser_perm(True)
self.assertTrue(services.is_organiser(self.member, self.event))
self._toggle_override_organiser_perm(False)
self._toggle_event_change_perm(True)
self.assertFalse(services.is_organiser(self.member, self.event))
membership = MemberGroupMembership.objects.create(member=self.member,
group=self.committee)
self.assertTrue(services.is_organiser(self.member, self.event))
self.assertFalse(services.is_organiser(self.member, None))
self._toggle_event_change_perm(False)
membership.delete()
def save_model(self, request, registration, form, change):
if not services.is_organiser(request.member, registration.event):
raise PermissionDenied
return super().save_model(request, registration, form, change)
def has_change_permission(self, request, event=None):
"""Only allow access to the change form if the user is an organiser"""
if event is not None and not services.is_organiser(request.member, event):
return False
return super().has_change_permission(request, event)
def _is_admin(self, instance):
member = self.context["request"].member
return services.is_organiser(member, instance)
def has_view_permission(self, request, order=None):
"""Only give view permission if the user is an organiser"""
if order is not None and not is_organiser(request.member,
order.pizza_event.event):
return False
return super().has_view_permission(request, order)
def save_model(self, request, obj, form, change):
"""You can only save the orders if you have permission"""
if not is_organiser(request.member, obj.pizza_event.event):
raise PermissionDenied
return super().save_model(request, obj, form, change)
def has_delete_permission(self, request, obj=None):
"""Only allow access to delete if the user is an organiser"""
if obj is not None and not services.is_organiser(
request.member, obj.event):
return False
return super().has_delete_permission(request, obj)
