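def perform_update(self, serializer):
    """Update a folder, refusing the change when the caller lacks access.

    Raises:
        PermissionDenied: if the folder being updated, or the parent folder
            named in ``validated_data['parent']`` (a move), is not among the
            folders the requesting user may view.
    """
    # One query for the allowed-folder ids; the original ran it twice and
    # left the first result in an unused local.
    allowed_folder_ids = user_allowed_folders_ids(
        self.request.user, require_view_permission=True)
    if serializer.instance.id not in allowed_folder_ids:
        raise PermissionDenied(
            detail="You are not allowed to update this folder")
    if 'parent' in serializer.validated_data:
        new_parent = serializer.validated_data['parent']
        # A null parent (move to root) used to hit ``None.id`` and fail with
        # an AttributeError (HTTP 500). It is now refused explicitly, which
        # keeps the check fail-closed; relax this if moving to root is meant
        # to be allowed for some callers.
        if new_parent is None or new_parent.id not in allowed_folder_ids:
            raise PermissionDenied(
                detail="You are not allowed to move folder here")
    super(FolderFlatViewSet, self).perform_update(serializer)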
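def perform_destroy(self, instance):
    """Delete a folder the caller may view, provided it is empty.

    Raises:
        PermissionDenied: if the folder is not among the requesting user's
            viewable folders, or if it still holds child folders or
            connections.
    """
    allowed_folder_ids = user_allowed_folders_ids(
        self.request.user, require_view_permission=True)
    if instance.id not in allowed_folder_ids:
        raise PermissionDenied(
            detail="You are not allowed to delete this folder.")
    # exists() stops at the first matching row; count() > 0 counted them all.
    if instance.children.exists() or instance.connections.exists():
        raise PermissionDenied(
            detail="Cannot delete: folder is not empty.")
    super(FolderFlatViewSet, self).perform_destroy(instance)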
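def __init__(self, *args, **kwargs):
    """Build the serializer, narrowing the connection choices to the caller.

    When the serializer context carries a request, the ``connection``
    field's queryset is restricted to connections whose parent folder the
    requesting user may view, so the browsable API only offers those.
    Without a context/request the field is left untouched.
    """
    super(TicketSerializer, self).__init__(*args, **kwargs)
    # Only the context lookup is expected to be missing. Keep the try narrow
    # so a KeyError from a missing 'connection' field is no longer swallowed
    # silently as well.
    try:
        user = kwargs['context']['request'].user
    except KeyError:
        return
    # Limit connection dropdown list in API browser
    # to connections user is allowed to view
    self.fields['connection'].queryset = Connection.objects.filter(
        parent__in=user_allowed_folders_ids(user, require_view_permission=True))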
def has_object_permission(self, request, view, obj):
    """Decide whether ``request`` may act on the folder ``obj``.

    Read-style methods (and POST) are always allowed at object level. For
    PUT/PATCH/DELETE a folder with a parent is modifiable when that parent
    is among the user's viewable folders; a root folder (no parent) only
    when the folder itself is viewable and the user has ``is_staff``.
    Every other method is denied.
    """
    if request.method in ("GET", "HEAD", "OPTIONS", "POST"):
        return True
    viewable_ids = user_allowed_folders_ids(
        request.user, require_view_permission=True)
    if request.method not in ("PUT", "PATCH", "DELETE"):
        # Nothing matched - deny access
        return False
    if obj.parent is not None:
        # Modification ui is shown only if the user can view the parent.
        return obj.parent.id in viewable_ids
    # Root folder: access to it plus is_staff status grants modification.
    return bool(obj.id in viewable_ids and request.user.is_staff)
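def create(self, request, *args, **kwargs):
    """Issue a ticket for a connection, reusing a still-valid one if present.

    Validates the payload with ``TicketSerializer``, checks that the target
    connection lives in a folder the requesting user may view, then either
    returns the first still-valid existing ticket of this user for that
    connection (HTTP 202) or creates a new one (HTTP 201).

    Raises:
        ValidationError: if the payload is invalid or the connection is not
            one the user may use.
    """
    context = self.get_serializer_context()
    ticket_serializer = TicketSerializer(data=request.data, context=context)
    if not ticket_serializer.is_valid():
        raise ValidationError(ticket_serializer.errors)
    connection = ticket_serializer.validated_data['connection']
    # Check that user is allowed to use this connection. A connection with
    # no parent folder is listed for nobody, so refuse it too instead of
    # failing with AttributeError on ``None.id``.
    allowed_folder_ids = user_allowed_folders_ids(
        request.user, require_view_permission=True)
    if connection.parent is None or connection.parent.id not in allowed_folder_ids:
        raise ValidationError("Wrong connection specified")
    # Filter on the validated connection rather than the raw request.data
    # value so the lookup matches exactly what was authorised above.
    existing_tickets = Ticket.objects.filter(
        connection=connection,
        user=request.user,
        author=request.user).order_by('created')
    # check tickets validity period and return first valid ticket found
    for ticket in existing_tickets:
        if ticket.check_validity():
            return Response(TicketSerializer(ticket).data,
                            status=status.HTTP_202_ACCEPTED)
    # No valid ticket: create a new one. (The original signalled this by
    # raising and catching Ticket.DoesNotExist, which also masked any
    # DoesNotExist raised from inside the loop.)
    self.perform_create(ticket_serializer)
    headers = self.get_success_headers(ticket_serializer.data)
    return Response(ticket_serializer.data,
                    status=status.HTTP_201_CREATED, headers=headers)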
def get_queryset(self):
    """Return the folders listed for the requesting user.

    NOTE(review): unlike every other call site in this file this does not
    pass ``require_view_permission=True`` — confirm whether any permission,
    rather than view permission, is meant to make a folder listable.
    """
    listable_ids = user_allowed_folders_ids(self.request.user)
    return Folder.objects.filter(id__in=listable_ids)
def get_queryset(self):
    """Return only the connections whose parent folder the user may view."""
    user = self.request.user
    return Connection.objects.filter(
        parent__in=user_allowed_folders_ids(user, require_view_permission=True))