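def put(self, request, *args, **kwargs):
    """
    Service To update a time

    Non-admin users may only update a time as themselves: the ``user``
    field of the payload must match the calling user, and the record
    being updated must already belong to them.

    :param request: with the time information an time_id
    :return: the time updated, or HttpResponseBadRequest("Permission denied")
             when the caller is not allowed to perform the update
    """
    if not is_admin_group(request.user):
        # request.data values can be str (form/multipart) rather than int
        # (JSON); a raw ``int != "5"`` comparison would always be True and
        # wrongly deny the owner, so normalise first. A missing or
        # non-numeric value is treated as not matching the caller.
        try:
            target_user = int(request.data.get("user"))
        except (TypeError, ValueError):
            return HttpResponseBadRequest("Permission denied")
        if int(request.user.id) != target_user:
            return HttpResponseBadRequest("Permission denied")
        # The payload check above only constrains the *new* owner; also
        # refuse to overwrite a record that currently belongs to someone
        # else (looked up via the same get_object() that self.update uses).
        if self.get_object().user_id != request.user.id:
            return HttpResponseBadRequest("Permission denied")
    return self.update(request, *args, **kwargs)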
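def get(self, request, format=None):
    """
    Retrieve all the times.

    A user can only retrieve his times. Only Admin users can view other
    users times.

    :param request: optionally with userid query param
    :param format: unused; accepted for API compatibility
    :return: The list of times, or HttpResponseBadRequest if the user has no
             permission to query (or the userid query param is not an int)
    """
    # ``in`` works on QueryDict under both Python 2 and 3; ``iterkeys()``
    # does not exist on Python 3.
    if "userid" in request.query_params:
        # A non-numeric userid used to surface as an unhandled ValueError
        # (HTTP 500); report it as a client error instead.
        try:
            userid = int(request.query_params.get("userid"))
        except (TypeError, ValueError):
            return HttpResponseBadRequest("Invalid userid")
        # Owner may list their own times; everyone else must be an admin.
        if int(request.user.id) != userid and not is_admin_group(request.user):
            return HttpResponseBadRequest("Permission denied")
        times = Time.objects.filter(user__pk=userid)
    elif is_admin_group(request.user):
        times = Time.objects.all()
    else:
        return HttpResponseBadRequest("Permission denied")
    serializer = TimeSerializer(times, many=True)
    return Response(serializer.data)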