refactored permission a little

2020-02-07 09:44:04 +03:00 · 2020-02-07 09:44:04 +03:00 · 14da53ed94
commit 14da53ed94
parent 4388253bf9
2 changed files with 15 additions and 5 deletions
--- a/apps/utils/methods.py
+++ b/apps/utils/methods.py
@ -7,6 +7,7 @@ import string
 from collections import namedtuple
 from functools import reduce
 from io import BytesIO
+from operator import or_

 import requests
 from PIL import Image
@ -242,12 +243,12 @@ def get_image_meta_by_url(url) -> (int, int, int):
 def get_permission_classes(*args) -> list:
    """Return permission_class object with admin permissions."""
    from rest_framework.permissions import IsAdminUser
-    from utils.permissions import IsCountryAdmin
+    from utils.permissions import IsCountryAdmin, IsReadOnly

-    admin_permission_classes = [IsCountryAdmin, IsAdminUser]
+    admin_permission_classes = [IsCountryAdmin, IsAdminUser, IsReadOnly]
    permission_classes = [
        reduce(
-            lambda a, b: a | b, admin_permission_classes + list(args)
+            or_, admin_permission_classes + list(args)
        )
    ]
    return permission_classes
--- a/apps/utils/permissions.py
+++ b/apps/utils/permissions.py
@ -53,7 +53,7 @@ class IsRefreshTokenValid(permissions.BasePermission):
        return False


-class IsGuest(permissions.IsAuthenticatedOrReadOnly):
+class IsGuest(permissions.BasePermission):
    """
    Object-level permission to only allow owners of an object to edit it.
    """
@ -66,6 +66,15 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly):
        return all(rules)


+class IsReadOnly(permissions.BasePermission):
+    """
+    Allows getting access to resource only if request method in SAFE_METHODs.
+    """
+
+    def has_permission(self, request, view):
+        return request.method in SAFE_HTTP_METHODS
+
+
 class IsApprovedUser(IsAuthenticatedAndTokenIsValid):
    """
    Object-level permission to only allow owners of an object to edit it.
@ -200,7 +209,7 @@ class IsEstablishmentAdministrator(IsApprovedUser):
                ).only('id')
                has_permission = True if user_role.exists() else has_permission
        rules.append(has_permission)
-        return all(rules)
+        return bool(request.method in SAFE_HTTP_METHODS or all(rules))

    def has_object_permission(self, request, view, obj):
        rules = [