diff --git a/apps/comment/tests.py b/apps/comment/tests.py
index 8cbcee88..9b060f4e 100644
--- a/apps/comment/tests.py
+++ b/apps/comment/tests.py
@@ -59,7 +59,7 @@ class CommentModeratorPermissionTests(BasePermissionTests):
 def test_get(self):
 response = self.client.get(self.url, format='json')
- self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 def test_put_other_user(self):
 other_user = User.objects.create_user(username='test',
diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py
index 0450e4d3..4cfabee8 100644
--- a/apps/utils/permissions.py
+++ b/apps/utils/permissions.py
@@ -53,11 +53,16 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly):
 """
 Object-level permission to only allow owners of an object to edit it.
 """
- def has_object_permission(self, request, view, obj):
- if request.method in permissions.SAFE_METHODS or request.user.is_superuser:
- return True
+ def has_permission(self, request, view):
+ return request.user.is_authenticated
- return False
+ def has_object_permission(self, request, view, obj):
+
+ rules = [
+ request.user.is_superuser,
+ request.method in permissions.SAFE_METHODS
+ ]
+ return any(rules)
 class IsStandardUser(IsGuest):
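Review bot: The only assertion touched pins the anonymous GET to 401; nothing in this diff asserts that an authenticated non-moderator still receives 200 on the same URL, which is the read path the `SAFE_METHODS` element in `IsGuest.has_object_permission` is meant to keep open. A second case that authenticates the client (DRF's `force_authenticate`) and asserts `status.HTTP_200_OK` would catch a regression where reads become closed to everyone rather than just to anonymous callers. The remainder of `CommentModeratorPermissionTests` is outside the hunk.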
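Review bot: The new `has_permission` returns `request.user.is_authenticated` for every HTTP method, which overrides and discards the read-only-for-anonymous behaviour of the parent `permissions.IsAuthenticatedOrReadOnly`; the tests hunk above confirms anonymous GET now yields 401. If closing reads to anonymous users is intended, inheriting from `permissions.IsAuthenticated` states that contract directly instead of keeping a base class the subclass contradicts, and the docstring should stop talking about "owners" since no ownership is checked here. DRF's own permission classes spell the check as `return bool(request.user and request.user.is_authenticated)`, which also survives `request.user` being unset. The stray blank line after the new `def has_object_permission` signature is a style nit.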
@@ -67,34 +72,32 @@ class IsStandardUser(IsGuest):
 """
 def has_object_permission(self, request, view, obj):
 # Read permissions are allowed to any request
- if obj.user == request.user and obj.user.email_confirmed:
- return True
+ rules = [
+ obj.user == request.user and obj.user.email_confirmed,
+ super().has_object_permission(request, view, obj)
+ ]
- if super().has_object_permission(request, view, obj):
- return True
+ return any(rules)
- return False
 class IsContentPageManager(IsStandardUser):
 """
 Object-level permission to only allow owners of an object to edit it.
 Assumes the model instance has an `owner` attribute.
 """
- def has_object_permission(self, request, view, obj):
 # Read permissions are allowed to any request.
+ role = Role.objects.filter(role=Role.CONTENT_PAGE_MANAGER, country_id=obj.country_id)\
 .first() # 'Comments moderator'
- is_access = UserRole.objects.filter(user=request.user, role=role).exists()
- if obj.user != request.user and is_access:
- return True
-
- if super().has_object_permission(request, view, obj):
- return True
-
- return False
+ rules = [
+ UserRole.objects.filter(user=request.user, role=role).exists() and
+ obj.user != request.user,
+ super().has_object_permission(request, view, obj)
+ ]
+ return any(rules)
 class IsCountryAdmin(IsStandardUser):
@@ -108,15 +111,13 @@ class IsCountryAdmin(IsStandardUser):
 country_id=obj.country_id) \
 .first() # 'Comments moderator'
- is_access = UserRole.objects.filter(user=request.user, role=role).exists()
+ rules = [
+ obj.user != request.user and
+ UserRole.objects.filter(user=request.user, role=role).exists(),
+ super().has_object_permission(request, view, obj),
+ ]
- if obj.user != request.user and is_access:
- return True
-
- if super().has_object_permission(request, view, obj):
- return True
-
- return False
+ return any(rules)
 class IsCommentModerator(IsStandardUser):
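Review bot: In `IsContentPageManager` the `UserRole.objects.filter(user=request.user, role=role).exists()` rule is evaluated even when `Role.objects.filter(...).first()` returned `None`; Django translates `role=None` into `role IS NULL`, so if `UserRole.role` is nullable (not visible in this diff) a user with a null-role row would pass the check for any country that has no CONTENT_PAGE_MANAGER role defined. A guard such as `role is not None and UserRole.objects.filter(user=request.user, role=role).exists() and obj.user != request.user` closes that; the same pattern appears in `IsCountryAdmin` in the next hunk and in `IsCommentModerator`, `IsEstablishmentManager` and `IsReviewerManager` in the later ones. Separately, `any(rules)` over a list literal evaluates every element before deciding, so each object check now always runs the role query and the full `super()` chain where the old if-chain stopped at the first match; `any(rule for rule in (...))` with a generator, or a plain `or` chain, keeps the short-circuit. The retained comment `# Read permissions are allowed to any request` in `IsStandardUser` no longer holds now that `IsGuest.has_permission` requires authentication.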
@@ -124,22 +125,18 @@ class IsCommentModerator(IsStandardUser):
 Object-level permission to only allow owners of an object to edit it.
 Assumes the model instance has an `owner` attribute.
 """
- def has_object_permission(self, request, view, obj):
 # Read permissions are allowed to any request.
 role = Role.objects.filter(role=Role.COMMENTS_MODERATOR, country_id=obj.country_id)\
 .first() # 'Comments moderator'
- is_access = UserRole.objects.filter(user=request.user, role=role).exists()
-
- if obj.user != request.user and is_access:
- return True
-
- if super().has_object_permission(request, view, obj):
- return True
-
- return False
+ rules = [
+ UserRole.objects.filter(user=request.user, role=role).exists() and
+ obj.user != request.user,
+ super().has_object_permission(request, view, obj)
+ ]
+ return any(rules)
 class IsEstablishmentManager(IsStandardUser):
@@ -148,24 +145,27 @@ class IsEstablishmentManager(IsStandardUser):
 role = Role.objects.filter(role=Role.ESTABLISHMENT_MANAGER)\
 .first() # 'Comments moderator'
- is_access = UserRole.objects.filter(user=request.user, role=role,
- establishment_id=obj.establishment_id).exists()
- if is_access:
- return True
+ rules = [
+ UserRole.objects.filter(user=request.user, role=role,
+ establishment_id=obj.establishment_id).exists(),
+ super().has_object_permission(request, view, obj)
+ ]
- if super().has_object_permission(request, view, obj):
- return True
-
- return False
+ return any(rules)
 class IsReviewerManager(IsStandardUser):
+ def has_object_permission(self, request, view, obj):
- access_models=[""]
- role = Role.objects.filter(role=Role.REVIEWER_MANGER)\
- .first() # 'Comments moderator'
+ role = Role.objects.filter(role=Role.REVIEWER_MANGER,
+ country_id=obj.country_id)\
+ .first()
- is_access = UserRole.objects.filter(user=request.user, role=role)
- return False
+ rules = [
+ UserRole.objects.filter(user=request.user, role=role).exists(),
+ super().has_object_permission(request, view, obj)
+ ]
+
+ return any(rules)
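Review bot: `IsReviewerManager.has_object_permission` was a hard `return False`; the new `rules` turn it into a live grant for any user holding a REVIEWER_MANGER role in the object's country, and unlike `IsContentPageManager`, `IsCountryAdmin` and `IsCommentModerator` neither it nor `IsEstablishmentManager` above includes `obj.user != request.user`, so an author who also holds the role is presumably granted access to their own object even when `obj.user.email_confirmed` is false, which `IsStandardUser` otherwise requires of owners. If that asymmetry is intended, a one-line comment on each of the two classes saying so would stop the next reader from "fixing" it; if not, add the `and obj.user != request.user` term as the sibling classes do. Enabling a previously dead grant path deserves a test, and this diff adds none for either class. The `has_object_permission` signature of `IsEstablishmentManager` begins outside the hunk, and the hunk may continue past the end of the excerpt.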