Fix IsContentPageManager

apps/location/views/back.py

@@ -6,42 +6,46 @@ from location.views import common
 from utils.permissions import IsCountryAdmin
 from rest_framework.permissions import  IsAuthenticatedOrReadOnly
 # Address
+
+
 class AddressListCreateView(common.AddressViewMixin, generics.ListCreateAPIView):
     """Create view for model Address."""
     serializer_class = serializers.AddressDetailSerializer
     queryset = models.Address.objects.all()
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
 
 
 class AddressRUDView(common.AddressViewMixin, generics.RetrieveUpdateDestroyAPIView):
     """RUD view for model Address."""
     serializer_class = serializers.AddressDetailSerializer
     queryset = models.Address.objects.all()
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
 
 
 # City
 class CityListCreateView(common.CityViewMixin, generics.ListCreateAPIView):
     """Create view for model City."""
     serializer_class = serializers.CitySerializer
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
+
 
 class CityRUDView(common.CityViewMixin, generics.RetrieveUpdateDestroyAPIView):
     """RUD view for model City."""
     serializer_class = serializers.CitySerializer
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
 
 
 # Region
 class RegionListCreateView(common.RegionViewMixin, generics.ListCreateAPIView):
     """Create view for model Region"""
     serializer_class = serializers.RegionSerializer
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
+
 
 class RegionRUDView(common.RegionViewMixin, generics.RetrieveUpdateDestroyAPIView):
     """Retrieve view for model Region"""
     serializer_class = serializers.RegionSerializer
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
 
 
 # Country
@@ -52,8 +56,9 @@ class CountryListCreateView(generics.ListCreateAPIView):
     pagination_class = None
     permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
 
+
 class CountryRUDView(generics.RetrieveUpdateDestroyAPIView):
     """RUD view for model Country."""
     serializer_class = serializers.CountryBackSerializer
-    permission_classes = [IsCountryAdmin]
+    permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin]
     queryset = models.Country.objects.all()

apps/news/tests.py

@@ -66,6 +66,22 @@ class NewsTestCase(BaseTestCase):
     def setUp(self):
         super().setUp()
 
+    def test_news_post(self):
+        test_news ={
+            "title": {"en-GB": "Test news POST"},
+            "news_type_id": self.test_news_type.id,
+            "description": {"en-GB": "Description test news"},
+            "start": datetime.now() + timedelta(hours=-2),
+            "end": datetime.now() + timedelta(hours=2),
+            "state": News.PUBLISHED,
+            "slug": 'test-news-slug_post',
+            "country_id": self.country_ru.id,
+        }
+
+        url = reverse("back:news:list-create")
+        response = self.client.post(url, data=test_news, format='json')
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+
     def test_web_news(self):
         response = self.client.get(reverse('web:news:list'))
         self.assertEqual(response.status_code, status.HTTP_200_OK)

apps/utils/permissions.py

@@ -57,13 +57,9 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly):
     """
     def has_permission(self, request, view):
         rules = [
+            request.user.is_superuser,
             request.method in permissions.SAFE_METHODS
         ]
-    #     if hasattr(request, 'user.is_superuser'):
-    #         rules = [
-    #             request.user.is_superuser,
-    #             request.method in permissions.SAFE_METHODS
-    #         ]
         return any(rules)
 
     def has_object_permission(self, request, view, obj):
@@ -114,6 +110,24 @@ class IsContentPageManager(IsStandardUser):
     Object-level permission to only allow owners of an object to edit it.
     Assumes the model instance has an `owner` attribute.
     """
+
+    def has_permission(self, request, view):
+        rules = [
+            super().has_permission(request, view)
+        ]
+        # and request.user.email_confirmed,
+        if hasattr(request, 'user'):
+            role = Role.objects.filter(role=Role.CONTENT_PAGE_MANAGER,
+                                       country_id=request.country_id)\
+                .first()  # 'Comments moderator'
+
+            rules = [
+                UserRole.objects.filter(user=request.user, role=role).exists(),
+                # and obj.user != request.user,
+                super().has_permission(request, view)
+            ]
+        return any(rules)
+
     def has_object_permission(self, request, view, obj):
         # Read permissions are allowed to any request.
 
@@ -134,8 +148,8 @@ class IsCountryAdmin(IsStandardUser):
         Object-level permission to only allow owners of an object to edit it.
         Assumes the model instance has an `owner` attribute.
     """
-
     def has_permission(self, request, view):
+
         rules = [
             super().has_permission(request, view)
         ]