class CollectionViewSet(ModelViewSet):
    # Access policy for collections. AnyOf/AllOf are defined elsewhere;
    # presumably AnyOf grants when any branch does and AllOf requires every
    # member to agree -- confirm against their implementation. The branches
    # are the whole authorization model of this endpoint, so review any
    # edit to them as a security change.
    permission_classes = [
        AnyOf(
            # Collection authors can do everything.
            AllowCollectionAuthor,
            # Collection contributors can access an existing collection and
            # change its add-ons, but cannot delete it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission(
                    ['create', 'list', 'update', 'destroy',
                     'partial_update'])),
            # Admins can do everything except create.
            AllOf(GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                  PreventActionPermission('create')),
            # Everyone else gets read-only access, except list.
            AllOf(AllowReadOnlyIfPublic, PreventActionPermission('list'))),
    ]
    lookup_url_kwarg = 'slug'

    @property
    def lookup_field(self):
        """Return the model field used to resolve the URL identifier.

        An identifier made only of digits is resolved as ``pk``; any other
        value (including a missing one) is resolved as ``slug``.
        """
        # NOTE(review): a slug consisting solely of digits is always
        # treated as a primary key here -- confirm slugs cannot be
        # all-digit, otherwise the identifier is ambiguous.
        url_value = self.kwargs.get(self.lookup_url_kwarg)
        return 'pk' if url_value and url_value.isdigit() else 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for ``user_pk``, built on first use."""
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # NOTE(review): the nested viewset is created with an empty
        # permission list, so the account lookup carries no checks of its
        # own; per the inline comment, access control is expected to have
        # been enforced by this viewset's permission_classes.
        self.account_viewset = AccountViewSet(
            request=self.request,
            permission_classes=[],  # We handled permissions already.
            kwargs={'pk': self.kwargs['user_pk']})
        return self.account_viewset

    def get_serializer_class(self):
        """Pick the serializer for the current request.

        The add-on-embedding serializer is used only when the query string
        contains ``with_addons`` and the action is ``retrieve``.
        """
        wants_addons = ('with_addons' in self.request.GET and
                        self.action == 'retrieve')
        if wants_addons:
            return CollectionWithAddonsSerializer
        return CollectionSerializer

    def get_queryset(self):
        """Return the account's collections ordered by ``-modified``.

        The queryset is restricted to the author resolved from the URL, so
        slug/pk lookups only match collections owned by that account.
        """
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')

    def get_addons_queryset(self):
        """Return the collection's add-ons, capped at one page.

        Reuses CollectionAddonViewSet's queryset, orders it by the first
        entry of that viewset's ``ordering`` and slices it to the
        configured ``PAGE_SIZE``.
        """
        addons_view = CollectionAddonViewSet(request=self.request)
        # Hand this viewset over to avoid a pointless lookup loop.
        addons_view.collection_viewset = self
        # The action has to be 'list' for the filtering to work.
        addons_view.action = 'list'
        addons = addons_view.get_queryset()
        # Now limit and sort.
        page_size = settings.REST_FRAMEWORK['PAGE_SIZE']
        ordering = addons_view.ordering[0]
        return addons.order_by(ordering)[:page_size]
class CollectionViewSet(ModelViewSet):
    # Access policy for collections. AnyOf/AllOf are defined elsewhere;
    # presumably AnyOf grants when any branch does and AllOf requires every
    # member to agree -- confirm against their implementation. The branches
    # are the whole authorization model of this endpoint, so review any
    # edit to them as a security change.
    permission_classes = [
        AnyOf(
            # Collection authors can do everything.
            AllowCollectionAuthor,
            # Admins can do everything except create.
            AllOf(GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                  PreventActionPermission('create')),
            # Everyone else gets read-only access, except list.
            AllOf(AllowReadOnlyIfPublic, PreventActionPermission('list'))),
    ]
    serializer_class = CollectionSerializer
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for ``user_pk``, built on first use."""
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # NOTE(review): the nested viewset is created with an empty
        # permission list, so the account lookup carries no checks of its
        # own; per the inline comment, access control is expected to have
        # been enforced by this viewset's permission_classes.
        self.account_viewset = AccountViewSet(
            request=self.request,
            permission_classes=[],  # We handled permissions already.
            kwargs={'pk': self.kwargs['user_pk']})
        return self.account_viewset

    def get_queryset(self):
        """Return the collections authored by the account from the URL.

        The queryset is restricted to that author, so slug lookups only
        match collections owned by that account.
        """
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author)
class CollectionViewSet(ModelViewSet):
    # Access policy for collections. AnyOf/AllOf are defined elsewhere;
    # presumably AnyOf grants when any branch does and AllOf requires every
    # member to agree -- confirm against their implementation. The branches
    # are the whole authorization model of this endpoint, so review any
    # edit to them as a security change.
    permission_classes = [
        AnyOf(
            # Collection authors can do everything.
            AllowCollectionAuthor,
            # Collection contributors can access an existing collection and
            # change its add-ons, but cannot delete it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission(
                    ['create', 'list', 'update', 'destroy',
                     'partial_update'])),
            # Admins can do everything except create.
            AllOf(GroupPermission(amo.permissions.COLLECTIONS_EDIT),
                  PreventActionPermission('create')),
            # Everyone else gets read-only access, except list.
            AllOf(AllowReadOnlyIfPublic, PreventActionPermission('list'))),
    ]
    serializer_class = CollectionSerializer
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for ``user_pk``, built on first use."""
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # NOTE(review): the nested viewset is created with an empty
        # permission list, so the account lookup carries no checks of its
        # own; per the inline comment, access control is expected to have
        # been enforced by this viewset's permission_classes.
        self.account_viewset = AccountViewSet(
            request=self.request,
            permission_classes=[],  # We handled permissions already.
            kwargs={'pk': self.kwargs['user_pk']})
        return self.account_viewset

    def get_queryset(self):
        """Return the account's collections ordered by ``-modified``.

        The queryset is restricted to the author resolved from the URL, so
        slug lookups only match collections owned by that account.
        """
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')
class CollectionViewSet(ModelViewSet):
    # Note: CollectionAddonViewSet will call
    # CollectionViewSet().get_object(), which causes the
    # has_object_permission() method of the permissions below to run. It
    # does so without setting an action, however, so the
    # PreventActionPermission() parts are bypassed on that path.
    # NOTE(review): the action deny-lists below therefore only constrain
    # requests handled by this viewset directly -- confirm that
    # CollectionAddonViewSet applies its own restrictions.
    permission_classes = [
        AnyOf(
            # Collection authors can do everything.
            AllowCollectionAuthor,
            # Collection contributors can access the featured themes
            # collection (it's community-managed) and change its add-ons,
            # but cannot delete it or edit its details.
            AllOf(
                AllowCollectionContributor,
                PreventActionPermission(
                    ('create', 'list', 'update', 'destroy',
                     'partial_update')),
            ),
            # Content curators can modify existing mozilla collections as
            # they see fit, but can't list or delete them.
            AllOf(
                AllowContentCurators,
                PreventActionPermission(('create', 'destroy', 'list')),
            ),
            # Everyone else gets read-only access, except list.
            AllOf(AllowReadOnlyIfPublic, PreventActionPermission('list')),
        ),
    ]
    lookup_field = 'slug'

    def get_account_viewset(self):
        """Return the AccountViewSet for ``user_pk``, built on first use."""
        if hasattr(self, 'account_viewset'):
            return self.account_viewset
        # NOTE(review): the nested viewset is created with an empty
        # permission list, so the account lookup carries no checks of its
        # own; per the inline comment, access control is expected to have
        # been enforced by this viewset's permission_classes.
        self.account_viewset = AccountViewSet(
            request=self.request,
            permission_classes=[],  # We handled permissions already.
            kwargs={'pk': self.kwargs['user_pk']},
        )
        return self.account_viewset

    def get_serializer_class(self):
        """Pick the serializer for the current request.

        The add-on-embedding serializer is used only when the query string
        contains ``with_addons`` and the action is ``retrieve``.
        """
        wants_addons = ('with_addons' in self.request.GET and
                        self.action == 'retrieve')
        if wants_addons:
            return CollectionWithAddonsSerializer
        return CollectionSerializer

    def get_queryset(self):
        """Return the account's collections ordered by ``-modified``.

        The queryset is restricted to the author resolved from the URL, so
        slug lookups only match collections owned by that account.
        """
        author = self.get_account_viewset().get_object()
        return Collection.objects.filter(author=author).order_by('-modified')

    def get_addons_queryset(self):
        """Return the collection's add-ons, capped at one page.

        Reuses CollectionAddonViewSet's queryset, orders it by the first
        entry of that viewset's ``ordering`` and slices it to the
        configured ``PAGE_SIZE``.
        """
        addons_view = CollectionAddonViewSet(request=self.request)
        # Resolve the collection here and hand it over, to avoid a
        # pointless lookup loop. The object comes from this viewset's own
        # get_object().
        addons_view.collection = self.get_object()
        # The action has to be 'list' for the filtering to work.
        addons_view.action = 'list'
        addons = addons_view.get_queryset()
        # Now limit and sort.
        page_size = settings.REST_FRAMEWORK['PAGE_SIZE']
        ordering = addons_view.ordering[0]
        return addons.order_by(ordering)[:page_size]