diff --git a/apps/product/views/back.py b/apps/product/views/back.py
index 3029e194..504172a0 100644
--- a/apps/product/views/back.py
+++ b/apps/product/views/back.py
@@ -92,6 +92,7 @@ class ProductDetailBackOfficeView(ProductBackOfficeMixinView, generics.RetrieveUpdateDestroyAPIView):
 """Product back-office R/U/D view."""
 serializer_class = serializers.ProductBackOfficeDetailSerializer
+ permission_classes = [IsLiquorReviewer]
 class ProductListCreateBackOfficeView(BackOfficeListCreateMixin, ProductBackOfficeMixinView,
@@ -101,6 +102,7 @@ class ProductListCreateBackOfficeView(BackOfficeListCreateMixin, ProductBackOffi
 permission_classes = [IsLiquorReviewer]
+
 class ProductTypeListCreateBackOfficeView(BackOfficeListCreateMixin, ProductTypeBackOfficeMixinView,
 generics.ListCreateAPIView):
diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py
index 3f1212d9..63571314 100644
--- a/apps/utils/permissions.py
+++ b/apps/utils/permissions.py
@@ -8,7 +8,9 @@ from account.models import UserRole, Role
 from authorization.models import JWTRefreshToken
 from utils.tokens import GMRefreshToken
 from establishment.models import EstablishmentSubType
-from location.models import Address
+from location.models import Address
+from product.models import Product
+
 class IsAuthenticatedAndTokenIsValid(permissions.BasePermission):
 """
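Review bot: `permission_classes = [IsLiquorReviewer]` on the detail view replaces, rather than extends, whatever permission list `ProductBackOfficeMixinView` or the DRF defaults supplied, so any other check that previously applied to GET/PUT/DELETE on a single product (token validity, for instance) no longer runs unless `IsLiquorReviewer` itself covers it; the mixin is not visible here, so please confirm that is intended. The list view in the next hunk already uses the same single class, so at minimum a one-line comment such as `# Same gate as ProductListCreateBackOfficeView; IsLiquorReviewer resolves the product from view.kwargs['pk']` would make the dependency on the URL kwarg name explicit. The enclosing class starts before this hunk.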
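Review bot: `from location.models import Address` is removed and re-added byte-for-byte, which looks like a whitespace or line-ending change rather than a real edit; worth normalizing so the hunk does not read as an import change. The new `from product.models import Product` makes the shared `utils.permissions` module depend on the `product` app at import time while `product.views.back` imports this module for `IsLiquorReviewer`; that is not a cycle as long as `product.models` never imports `utils.permissions`, but it is the kind of edge that turns into one later. A lazy lookup such as `apps.get_model('product', 'Product')` inside `IsLiquorReviewer`, or an import inside the method, would keep the permissions module app-agnostic.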
@@ -81,33 +83,21 @@ class IsStandardUser(IsGuest):
 """
 def has_permission(self, request, view):
- rules = [
- super().has_permission(request, view)
- ]
- # and request.user.email_confirmed,
- if hasattr(request, 'user'):
- rules = [
- request.user.is_authenticated,
- super().has_permission(request, view)
- ]
+ rules = [super().has_permission(request, view),
+ request.user.is_authenticated,
+ hasattr(request, 'user')
+ ]
 return any(rules)
 def has_object_permission(self, request, view, obj):
 # Read permissions are allowed to any request
- rules = [
- super().has_object_permission(request, view, obj)
- ]
- if hasattr(obj, 'user'):
- rules = [
- obj.user == request.user
- and obj.user.email_confirmed
- and request.user.is_authenticated,
-
- super().has_object_permission(request, view, obj)
- ]
+ rules = [super().has_object_permission(request, view, obj),
+ request.user.is_authenticated,
+ hasattr(request, 'user')
+ ]
 return any(rules)
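Review bot: `has_object_permission` no longer looks at `obj` at all: the `obj.user == request.user` / `obj.user.email_confirmed` ownership rule is deleted and replaced by the same request-level checks as `has_permission`, so anyone who passes `has_permission` now passes object permission on every object. Both lists are folded with `any()`, and `hasattr(request, 'user')` is, as far as I can tell, always true on a DRF `Request` (it defines `user` as a property), which makes both methods return True unconditionally, including for anonymous callers. `request.user.is_authenticated` is also evaluated before `hasattr(request, 'user')` inside the same list literal, so the hasattr no longer guards it — a request without `user` now raises instead of falling through. If dropping the ownership rule was deliberate the commit should say so; otherwise keep the guard and the object check as below (both methods are fully within this hunk).
```python
    def has_permission(self, request, view):
        rules = [super().has_permission(request, view)]
        if hasattr(request, 'user'):
            rules.append(request.user.is_authenticated)
        return any(rules)

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request
        rules = [super().has_object_permission(request, view, obj)]
        if hasattr(obj, 'user'):
            rules.append(obj.user == request.user
                         and obj.user.email_confirmed
                         and request.user.is_authenticated)
        return any(rules)
```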
@@ -452,15 +442,44 @@ class IsWineryReviewer(IsStandardUser):
 class IsLiquorReviewer(IsStandardUser):
- # Через establishment получать страну
 def has_permission(self, request, view):
 rules = [
 super().has_permission(request, view)
 ]
+
+ pk_object = None
+ product = None
+ permission = False
+ if 'pk' in view.kwargs:
+ pk_object = view.kwargs['pk']
+
+ if pk_object is not None:
+ product = Product.objects.get(pk=pk_object)
+
+ if hasattr(product, 'sites') and product.sites.exists():
+ role = Role.objects.filter(role=Role.LIQUOR_REVIEWER, site__in=[site for site in product.sites])
+ permission = UserRole.objects.filter(user=request.user, role=role).exists()
+
+ rules.append(permission)
 return any(rules)
 def has_object_permission(self, request, view, obj):
 rules = [
 super().has_object_permission(request, view, obj)
 ]
+ pk_object = None
+ product = None
+ permission = False
+
+ if 'pk' in view.kwargs:
+ pk_object = view.kwargs['pk']
+
+ if pk_object is not None:
+ product = Product.objects.get(pk=pk_object)
+
+ if product.sites.exists():
+ role = Role.objects.filter(role=Role.LIQUOR_REVIEWER, site__in=[site for site in product.sites])
+ permission = UserRole.objects.filter(user=request.user, role=role).exists()
+
+ rules.append(permission)
 return any(rules)
\ No newline at end of file
diff --git a/project/settings/local.py b/project/settings/local.py
index d9c7cab8..5581a50d 100644
--- a/project/settings/local.py
+++ b/project/settings/local.py
@@ -29,8 +29,7 @@ MEDIA_ROOT = os.path.join(PUBLIC_ROOT, MEDIA_LOCATION)
 # SORL thumbnails
 THUMBNAIL_DEBUG = True
-# ADDED TRANSFER APP
-INSTALLED_APPS.append('transfer.apps.TransferConfig')
+
 # DATABASES
 DATABASES = {
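Review bot: The site-role lookup added to `has_permission` cannot restrict anything, because `permission` is appended to `rules` and the list is folded with `any()`: whenever `super().has_permission` (IsStandardUser) is true the role is never required, so the new check only matters when the base check already fails. The lookup also looks like it raises before it can answer: `[site for site in product.sites]` iterates a related manager, which is not iterable (it needs `product.sites.all()`), `role=role` hands a whole QuerySet to an exact lookup where `role__in=` is meant, and `Product.objects.get(pk=...)` on an unvalidated URL kwarg lets `DoesNotExist` (and `ValueError` for a non-numeric pk) escape the permission check as a 500 instead of a 403. `has_object_permission` repeats the same block instead of using `obj`, which on the detail view is already the product, and drops the `hasattr(product, 'sites')` guard, so with the indentation not recoverable here it may dereference `product` while it is still `None`. If the intent is "standard user AND liquor reviewer for this product's site", something like the following keeps the current behaviour for pk-less list/create views but actually requires the role when a product is addressed; `has_object_permission` can then delegate to the same helper with `obj`.
```python
    def _has_liquor_role_for(self, request, product):
        """True when request.user holds LIQUOR_REVIEWER on any of product's sites."""
        if not product.sites.exists():
            return False
        roles = Role.objects.filter(role=Role.LIQUOR_REVIEWER, site__in=product.sites.all())
        return UserRole.objects.filter(user=request.user, role__in=roles).exists()

    def has_permission(self, request, view):
        if not super().has_permission(request, view):
            return False
        pk_object = view.kwargs.get('pk')
        if pk_object is None:
            return True  # no product addressed (list/create): base check decides, as today
        try:
            product = Product.objects.get(pk=pk_object)
        except (Product.DoesNotExist, ValueError):
            return False  # unknown or malformed pk is a denial, not a server error
        return self._has_liquor_role_for(request, product)

    # … unchanged: has_object_permission — should become super() check plus _has_liquor_role_for(request, obj) …
```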