From 7ac7df9ea36f6635e9c70970088c03e5fc3cb47b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Thu, 24 Oct 2019 16:48:29 +0300 Subject: [PATCH 1/6] Fix test news --- apps/news/urls/back.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/news/urls/back.py b/apps/news/urls/back.py index 4ab11727..9cc3d94a 100644 --- a/apps/news/urls/back.py +++ b/apps/news/urls/back.py @@ -8,7 +8,7 @@ app_name = 'news' urlpatterns = [ path('', views.NewsBackOfficeLCView.as_view(), name='list-create'), path('/', views.NewsBackOfficeRUDView.as_view(), - name='gallery-retrieve-update-destroy'), + name='retrieve-update-destroy'), path('/gallery/', views.NewsBackOfficeGalleryListView.as_view(), name='gallery-list'), path('/gallery//', views.NewsBackOfficeGalleryCreateDestroyView.as_view(), From 851ba7f9ddf43b7a26e15553480da25a09d2930b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Fri, 25 Oct 2019 10:14:50 +0300 Subject: [PATCH 2/6] Test edit --- apps/comment/tests.py | 44 ++++++++++++++++++++++++++++++++++---- apps/comment/views/back.py | 2 +- apps/utils/permissions.py | 35 ++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+), 5 deletions(-) diff --git a/apps/comment/tests.py b/apps/comment/tests.py index 9b060f4e..87b7d32f 100644 --- a/apps/comment/tests.py +++ b/apps/comment/tests.py @@ -5,8 +5,9 @@ from django.urls import reverse from django.contrib.contenttypes.models import ContentType from http.cookies import SimpleCookie from account.models import Role, User, UserRole +from account.serializers.common import UserSerializer from comment.models import Comment - +import json class CommentModeratorPermissionTests(BasePermissionTests): def setUp(self): 
@@ -28,18 +29,53 @@ class CommentModeratorPermissionTests(BasePermissionTests): ) self.userRole.save() - content_type = ContentType.objects.get(app_label='location', model='country') + self.content_type = ContentType.objects.get(app_label='location', model='country') self.user_test = get_tokens_for_user() self.comment = Comment.objects.create(text='Test comment', mark=1, user=self.user_test["user"], - object_id= self.country_ru.pk, - content_type_id=content_type.id, + object_id=self.country_ru.pk, + content_type_id=self.content_type.id, country=self.country_ru ) self.comment.save() self.url = reverse('back:comment:comment-crud', kwargs={"id": self.comment.id}) + def test_post(self): + self.url = reverse('back:comment:comment-list-create') + + comment = { + "text": "Test comment POST", + "user_id": self.user_test["user"].id, + "object_id": self.country_ru.pk, + "content_type_id": self.content_type.id, + "country_id": self.country_ru.id + } + # + # response = self.client.post(self.url, format='json', data=comment) + # self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) + json_user = json.dumps(self.moderator) + user = UserSerializer(data=self.moderator) + user.is_valid() + u_data = user.data + self.assertFalse(user.is_valid()) + # comment = { + # "text": "Test comment POST moder", + # "user": user, + # "object_id": self.country_ru.pk, + # "content_type_id": self.content_type.id, + # "country_id": self.country_ru.id + # } + # # + # tokens = User.create_jwt_tokens(self.moderator) + # self.client.cookies = SimpleCookie( + # {'access_token': tokens.get('access_token'), + # 'refresh_token': tokens.get('access_token')}) + # + # response = self.client.post(self.url, format='json', data=comment) + # self.assertEqual(response.status_code, status.HTTP_201_CREATED) + + # self.assertTrue(True) def test_put_moderator(self): tokens = User.create_jwt_tokens(self.moderator) 
diff --git a/apps/comment/views/back.py b/apps/comment/views/back.py index 2895fdbe..25c10a62 100644 --- a/apps/comment/views/back.py +++ b/apps/comment/views/back.py @@ -8,7 +8,7 @@ class CommentLstView(generics.ListCreateAPIView): """Comment list create view.""" serializer_class = serializers.CommentBaseSerializer queryset = models.Comment.objects.all() - permission_classes = [permissions.IsAuthenticatedOrReadOnly,] + permission_classes = [permissions.IsAuthenticatedOrReadOnly|IsCommentModerator] class CommentRUDView(generics.RetrieveUpdateDestroyAPIView): diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py index 45d978a0..aee2ab57 100644 --- a/apps/utils/permissions.py +++ b/apps/utils/permissions.py @@ -72,6 +72,20 @@ class IsStandardUser(IsGuest): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + + # and request.user.email_confirmed, + if hasattr(request, 'user'): + rules = [ + request.user.is_authenticated, + super().has_permission(request, view) + ] + + return any(rules) + def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request rules = [ 
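Review bot: `permissions.IsAuthenticatedOrReadOnly|IsCommentModerator` never lets IsCommentModerator decide anything: DRF's `|` returns as soon as the left operand allows, and IsAuthenticatedOrReadOnly allows every authenticated request and every safe anonymous one, so IsCommentModerator only runs for anonymous unsafe requests, which it (through IsStandardUser) also rejects. If every authenticated user is meant to be able to POST comments, the `|IsCommentModerator` term is dead and should be dropped or explained with `# moderation is enforced per object in CommentRUDView, not here`. The same composition is reapplied to CommentLstView in patches 3 and 4 and, in patches 4 and 5, to CountryListCreateView, CountryRUDView and the Address/City/Region views, where it replaces a bare `[IsCountryAdmin]` and therefore lets any authenticated user create, update or delete those records (IsAuthenticatedOrReadOnly's object-level check is always true). For those views the role must stay mandatory, i.e. `permission_classes = [IsCountryAdmin]` as before.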
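Review bot: `any([request.user.is_authenticated, super().has_permission(request, view)])` makes IsStandardUser.has_permission true for every authenticated user, and every role class added later in this series (IsCommentModerator in this patch; IsCountryAdmin, IsContentPageManager, IsEstablishmentManager, IsReviewerManager and IsRestaurantReviewer in patches 3 to 6) puts that same `super().has_permission(request, view)` inside its own `any(rules)` next to the UserRole lookup, so "has the role" is OR-ed with "is logged in" and a role can never deny an authenticated caller at the view level. The subclasses should combine with `and` for unsafe methods, e.g. `return request.method in permissions.SAFE_METHODS or (super().has_permission(request, view) and UserRole.objects.filter(user=request.user, role=role).exists())`. The `hasattr(request, 'user')` guard is always true on a DRF Request, so the first `rules` assignment is dead, and `# and request.user.email_confirmed,` is a leftover that should be implemented or removed.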
@@ -131,6 +145,27 @@ class IsCommentModerator(IsStandardUser): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + + # and request.user.email_confirmed, + if hasattr(request.data, 'user') and hasattr(request.data, 'country_id'): + # Read permissions are allowed to any request. + + role = Role.objects.filter(role=Role.COMMENTS_MODERATOR, + country_id=request.data.country_id) \ + .first() # 'Comments moderator' + + rules = [ + UserRole.objects.filter(user=request.user, role=role).exists(), + super().has_permission(request, view) + ] + + return any(rules) + def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request. role = Role.objects.filter(role=Role.COMMENTS_MODERATOR, From 046d0c5fe677ece42bce72efa32804e9f4c2287b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Fri, 25 Oct 2019 10:59:31 +0300 Subject: [PATCH 3/6] Fix country and comment role --- apps/comment/serializers/back.py | 2 +- apps/comment/tests.py | 58 +++++++++++++-------------- apps/comment/views/back.py | 2 +- apps/utils/permissions.py | 20 +++++++++ apps/utils/tests/tests_permissions.py | 3 +- 5 files changed, 51 insertions(+), 34 deletions(-) diff --git a/apps/comment/serializers/back.py b/apps/comment/serializers/back.py index d0cd47c8..325086c0 100644 --- a/apps/comment/serializers/back.py +++ b/apps/comment/serializers/back.py @@ -6,4 +6,4 @@ from rest_framework import serializers class CommentBaseSerializer(serializers.ModelSerializer): class Meta: model = models.Comment - fields = ('id', 'text', 'mark', 'user') \ No newline at end of file + fields = ('id', 'text', 'mark', 'user', 'object_id', 'content_type') \ No newline at end of file 
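Review bot: `hasattr(request.data, 'user') and hasattr(request.data, 'country_id')` tests attributes, not keys, on what is a dict or QueryDict, so the branch never executes and, if it did, `request.data.country_id` would raise AttributeError; the role lookup in IsCommentModerator.has_permission is dead code and only the `super()` result is returned. Use key access instead: `country_id = request.data.get('country_id')` followed by `if request.user.is_authenticated and country_id is not None:`. `Role.objects.filter(...).first()` returns None when no such role row exists, and Django turns `role=None` into an `IS NULL` filter, so a missing role should be treated as denied rather than passed into the UserRole query. The same `hasattr(request.data, ...)` pattern is repeated in IsCountryAdmin (patch 3) and in IsEstablishmentManager, IsReviewerManager and IsRestaurantReviewer (patch 6).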
diff --git a/apps/comment/tests.py b/apps/comment/tests.py index 87b7d32f..e91ee2f4 100644 --- a/apps/comment/tests.py +++ b/apps/comment/tests.py @@ -5,9 +5,8 @@ from django.urls import reverse from django.contrib.contenttypes.models import ContentType from http.cookies import SimpleCookie from account.models import Role, User, UserRole -from account.serializers.common import UserSerializer from comment.models import Comment -import json + class CommentModeratorPermissionTests(BasePermissionTests): def setUp(self): 
@@ -46,36 +45,30 @@ class CommentModeratorPermissionTests(BasePermissionTests): comment = { "text": "Test comment POST", - "user_id": self.user_test["user"].id, + "user": self.user_test["user"].id, "object_id": self.country_ru.pk, - "content_type_id": self.content_type.id, + "content_type": self.content_type.id, "country_id": self.country_ru.id } - # - # response = self.client.post(self.url, format='json', data=comment) - # self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) - json_user = json.dumps(self.moderator) - user = UserSerializer(data=self.moderator) - user.is_valid() - u_data = user.data - self.assertFalse(user.is_valid()) - # comment = { - # "text": "Test comment POST moder", - # "user": user, - # "object_id": self.country_ru.pk, - # "content_type_id": self.content_type.id, - # "country_id": self.country_ru.id - # } - # # - # tokens = User.create_jwt_tokens(self.moderator) - # self.client.cookies = SimpleCookie( - # {'access_token': tokens.get('access_token'), - # 'refresh_token': tokens.get('access_token')}) - # - # response = self.client.post(self.url, format='json', data=comment) - # self.assertEqual(response.status_code, status.HTTP_201_CREATED) - # self.assertTrue(True) + response = self.client.post(self.url, format='json', data=comment) + self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) + + comment = { + "text": "Test comment POST moder", + "user": self.moderator.id, + "object_id": self.country_ru.id, + "content_type": self.content_type.id, + "country_id": self.country_ru.id + } + + tokens = User.create_jwt_tokens(self.moderator) + self.client.cookies = SimpleCookie( + {'access_token': tokens.get('access_token'), + 'refresh_token': tokens.get('access_token')}) + + response = self.client.post(self.url, format='json', data=comment) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) def test_put_moderator(self): tokens = User.create_jwt_tokens(self.moderator) 
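Review bot: The cookie jar sets `'refresh_token': tokens.get('access_token')`, so the refresh cookie carries the access token; it should be `tokens.get('refresh_token')`, otherwise the test passes only because the create view never inspects the refresh cookie. The test also covers only an anonymous caller (401) and the moderator (201); a plain authenticated non-moderator case, using the `get_tokens_for_user()` fixture already stored in `self.user_test`, is what would show whether IsCommentModerator is consulted on create at all. test_put_moderator continues outside the hunk.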
@@ -87,7 +80,9 @@ class CommentModeratorPermissionTests(BasePermissionTests): "id": self.comment.id, "text": "test text moderator", "mark": 1, - "user": self.moderator.id + "user": self.moderator.id, + "object_id": self.comment.country_id, + "content_type": self.content_type.id } response = self.client.put(self.url, data=data, format='json') @@ -134,9 +129,10 @@ class CommentModeratorPermissionTests(BasePermissionTests): "id": self.comment.id, "text": "test text moderator", "mark": 1, - "user": super_user.id + "user": super_user.id, + "object_id": self.country_ru.id, + "content_type": self.content_type.id, } - response = self.client.put(self.url, data=data, format='json') self.assertEqual(response.status_code, status.HTTP_200_OK) diff --git a/apps/comment/views/back.py b/apps/comment/views/back.py index 25c10a62..8d836177 100644 --- a/apps/comment/views/back.py +++ b/apps/comment/views/back.py @@ -8,7 +8,7 @@ class CommentLstView(generics.ListCreateAPIView): """Comment list create view.""" serializer_class = serializers.CommentBaseSerializer queryset = models.Comment.objects.all() - permission_classes = [permissions.IsAuthenticatedOrReadOnly|IsCommentModerator] + permission_classes = [permissions.IsAuthenticatedOrReadOnly|IsCountryAdmin|IsCommentModerator] class CommentRUDView(generics.RetrieveUpdateDestroyAPIView): diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py index aee2ab57..8ad1ae32 100644 --- a/apps/utils/permissions.py +++ b/apps/utils/permissions.py 
@@ -126,6 +126,26 @@ class IsCountryAdmin(IsStandardUser): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + + # and request.user.email_confirmed, + if hasattr(request.data, 'user') and hasattr(request.data, 'country_id'): + # Read permissions are allowed to any request. + + role = Role.objects.filter(role=Role.COUNTRY_ADMIN, + country_id=request.data.country_id) \ + .first() # 'Comments moderator' + + rules = [ + UserRole.objects.filter(user=request.user, role=role).exists(), + super().has_permission(request, view) + ] + return any(rules) + def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request. role = Role.objects.filter(role=Role.COUNTRY_ADMIN, diff --git a/apps/utils/tests/tests_permissions.py b/apps/utils/tests/tests_permissions.py index edc1a5d7..3bba7b7d 100644 --- a/apps/utils/tests/tests_permissions.py +++ b/apps/utils/tests/tests_permissions.py @@ -9,10 +9,11 @@ class BasePermissionTests(APITestCase): title='Russia', locale='ru-RU' ) + self.lang.save() self.country_ru = Country.objects.get( name={"en-GB": "Russian"} ) - + self.country_ru.save() From 7f4b46dbf83e989bad971831090d086f0896f3c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Fri, 25 Oct 2019 12:42:01 +0300 Subject: [PATCH 4/6] Fix country admin --- apps/comment/tests.py | 2 +- apps/comment/views/back.py | 5 +++-- apps/location/serializers/back.py | 1 + apps/location/tests.py | 5 ----- apps/location/views/back.py | 4 ++-- apps/utils/permissions.py | 28 +++++++++++++++++++++++----- 6 files changed, 30 insertions(+), 15 deletions(-) diff --git a/apps/comment/tests.py b/apps/comment/tests.py index e91ee2f4..786f68d3 100644 --- a/apps/comment/tests.py +++ b/apps/comment/tests.py 
@@ -90,7 +90,7 @@ class CommentModeratorPermissionTests(BasePermissionTests): def test_get(self): response = self.client.get(self.url, format='json') - self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) + self.assertEqual(response.status_code, status.HTTP_200_OK) def test_put_other_user(self): other_user = User.objects.create_user(username='test', diff --git a/apps/comment/views/back.py b/apps/comment/views/back.py index 8d836177..3b96cbd2 100644 --- a/apps/comment/views/back.py +++ b/apps/comment/views/back.py @@ -8,12 +8,13 @@ class CommentLstView(generics.ListCreateAPIView): """Comment list create view.""" serializer_class = serializers.CommentBaseSerializer queryset = models.Comment.objects.all() - permission_classes = [permissions.IsAuthenticatedOrReadOnly|IsCountryAdmin|IsCommentModerator] + permission_classes = [permissions.IsAuthenticatedOrReadOnly| IsCommentModerator|IsCountryAdmin] class CommentRUDView(generics.RetrieveUpdateDestroyAPIView): """Comment RUD view.""" serializer_class = serializers.CommentBaseSerializer queryset = models.Comment.objects.all() - permission_classes = [IsCountryAdmin|IsCommentModerator] + + permission_classes = [IsCountryAdmin | IsCommentModerator] lookup_field = 'id' diff --git a/apps/location/serializers/back.py b/apps/location/serializers/back.py index f25aacf6..c178f7fd 100644 --- a/apps/location/serializers/back.py +++ b/apps/location/serializers/back.py @@ -16,4 +16,5 @@ class CountryBackSerializer(common.CountrySerializer): 'code', 'svg_image', 'name', + 'country_id' ] diff --git a/apps/location/tests.py b/apps/location/tests.py index cb574036..eed68071 100644 --- a/apps/location/tests.py +++ b/apps/location/tests.py 
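Review bot: Adding `'country_id'` to CountryBackSerializer.Meta.fields assumes the Country model itself has a `country_id` column, which is unusual for the country table; if it does not, ModelSerializer raises ImproperlyConfigured the first time the serializer is built, and every Country view in this series uses this serializer. If the intent is to expose the primary key to the frontend, `'id'` already does that, or declare an explicit read-only `IntegerField(source='id')` named `country_id`. The CountryBackSerializer class starts outside the hunk, so this is inferred from the field list alone.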
@@ -19,11 +19,6 @@ class BaseTestCase(APITestCase): self.user = User.objects.create_user( username=self.username, email=self.email, password=self.password) - # get tokens - - # self.user.is_superuser = True - # self.user.save() - tokkens = User.create_jwt_tokens(self.user) self.client.cookies = SimpleCookie( {'access_token': tokkens.get('access_token'), diff --git a/apps/location/views/back.py b/apps/location/views/back.py index cb8246a4..1cdd91da 100644 --- a/apps/location/views/back.py +++ b/apps/location/views/back.py @@ -4,7 +4,7 @@ from rest_framework import generics from location import models, serializers from location.views import common from utils.permissions import IsCountryAdmin - +from rest_framework.permissions import IsAuthenticatedOrReadOnly # Address class AddressListCreateView(common.AddressViewMixin, generics.ListCreateAPIView): """Create view for model Address.""" @@ -50,7 +50,7 @@ class CountryListCreateView(generics.ListCreateAPIView): queryset = models.Country.objects.all() serializer_class = serializers.CountryBackSerializer pagination_class = None - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] class CountryRUDView(generics.RetrieveUpdateDestroyAPIView): """RUD view for model Country.""" diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py index 8ad1ae32..2a10200c 100644 --- a/apps/utils/permissions.py +++ b/apps/utils/permissions.py @@ -56,7 +56,15 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly): Object-level permission to only allow owners of an object to edit it. """ def has_permission(self, request, view): - return request.user.is_authenticated + rules = [ + request.method in permissions.SAFE_METHODS + ] + # if hasattr(request, 'user.is_superuser'): + # rules = [ + # request.user.is_superuser, + # request.method in permissions.SAFE_METHODS + # ] + return any(rules) def has_object_permission(self, request, view, obj): 
@@ -131,7 +139,6 @@ class IsCountryAdmin(IsStandardUser): rules = [ super().has_permission(request, view) ] - # and request.user.email_confirmed, if hasattr(request.data, 'user') and hasattr(request.data, 'country_id'): # Read permissions are allowed to any request. @@ -153,9 +160,20 @@ class IsCountryAdmin(IsStandardUser): .first() # 'Comments moderator' rules = [ - UserRole.objects.filter(user=request.user, role=role).exists(), - super().has_object_permission(request, view, obj), - ] + super().has_object_permission(request, view, obj) + ] + # and request.user.email_confirmed, + if hasattr(request, 'user') and request.user.is_authenticated: + rules = [ + UserRole.objects.filter(user=request.user, role=role).exists(), + super().has_object_permission(request, view, obj), + ] + + if hasattr(request.data, 'user'): + rules = [ + UserRole.objects.filter(user=request.data.user, role=role).exists(), + super().has_object_permission(request, view, obj), + ] return any(rules) From b7831b97393f3ace0a5b4375e593af11b3941a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Fri, 25 Oct 2019 15:25:35 +0300 Subject: [PATCH 5/6] Fix IsContentPageManager --- apps/location/views/back.py | 19 ++++++++++++------- apps/news/tests.py | 16 ++++++++++++++++ apps/utils/permissions.py | 26 ++++++++++++++++++++------ 3 files changed, 48 insertions(+), 13 deletions(-) diff --git a/apps/location/views/back.py b/apps/location/views/back.py index 1cdd91da..bb64ff72 100644 --- a/apps/location/views/back.py +++ b/apps/location/views/back.py 
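Review bot: The new `if hasattr(request.data, 'user'):` branch in IsCountryAdmin.has_object_permission bases the role lookup on `request.data.user`, a value the client supplies in the request body, instead of the authenticated `request.user`; a caller could then name a country admin in the payload and pass the object-level check. Today the branch is unreachable because `hasattr` on a dict does not see keys, but that is the only thing preventing it, so it should be removed rather than fixed: keep `UserRole.objects.filter(user=request.user, role=role).exists()` as the sole role test. If an admin may edit a comment on another user's behalf, that belongs in serializer validation, not in the permission. The function starts outside the hunk.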
@@ -6,42 +6,46 @@ from location.views import common from utils.permissions import IsCountryAdmin from rest_framework.permissions import IsAuthenticatedOrReadOnly # Address + + class AddressListCreateView(common.AddressViewMixin, generics.ListCreateAPIView): """Create view for model Address.""" serializer_class = serializers.AddressDetailSerializer queryset = models.Address.objects.all() - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] class AddressRUDView(common.AddressViewMixin, generics.RetrieveUpdateDestroyAPIView): """RUD view for model Address.""" serializer_class = serializers.AddressDetailSerializer queryset = models.Address.objects.all() - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] # City class CityListCreateView(common.CityViewMixin, generics.ListCreateAPIView): """Create view for model City.""" serializer_class = serializers.CitySerializer - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] + class CityRUDView(common.CityViewMixin, generics.RetrieveUpdateDestroyAPIView): """RUD view for model City.""" serializer_class = serializers.CitySerializer - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] # Region class RegionListCreateView(common.RegionViewMixin, generics.ListCreateAPIView): """Create view for model Region""" serializer_class = serializers.RegionSerializer - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] + class RegionRUDView(common.RegionViewMixin, generics.RetrieveUpdateDestroyAPIView): """Retrieve view for model Region""" serializer_class = serializers.RegionSerializer - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] # Country 
@@ -52,8 +56,9 @@ class CountryListCreateView(generics.ListCreateAPIView): pagination_class = None permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] + class CountryRUDView(generics.RetrieveUpdateDestroyAPIView): """RUD view for model Country.""" serializer_class = serializers.CountryBackSerializer - permission_classes = [IsCountryAdmin] + permission_classes = [IsAuthenticatedOrReadOnly|IsCountryAdmin] queryset = models.Country.objects.all() \ No newline at end of file diff --git a/apps/news/tests.py b/apps/news/tests.py index 115763e5..77dbca8e 100644 --- a/apps/news/tests.py +++ b/apps/news/tests.py @@ -66,6 +66,22 @@ class NewsTestCase(BaseTestCase): def setUp(self): super().setUp() + def test_news_post(self): + test_news ={ + "title": {"en-GB": "Test news POST"}, + "news_type_id": self.test_news_type.id, + "description": {"en-GB": "Description test news"}, + "start": datetime.now() + timedelta(hours=-2), + "end": datetime.now() + timedelta(hours=2), + "state": News.PUBLISHED, + "slug": 'test-news-slug_post', + "country_id": self.country_ru.id, + } + + url = reverse("back:news:list-create") + response = self.client.post(url, data=test_news, format='json') + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + def test_web_news(self): response = self.client.get(reverse('web:news:list')) self.assertEqual(response.status_code, status.HTTP_200_OK) diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py index 2a10200c..7ee7811b 100644 --- a/apps/utils/permissions.py +++ b/apps/utils/permissions.py @@ -57,13 +57,9 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly): """ def has_permission(self, request, view): rules = [ + request.user.is_superuser, request.method in permissions.SAFE_METHODS ] - # if hasattr(request, 'user.is_superuser'): - # rules = [ - # request.user.is_superuser, - # request.method in permissions.SAFE_METHODS - # ] return any(rules) def has_object_permission(self, request, view, obj): 
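Review bot: test_news_post runs as the ordinary `self.user` that BaseTestCase creates (patch 4 removed the lines that made it a superuser) and asserts HTTP 201, so it pins that any authenticated user can create news; unless NewsBackOfficeLCView intentionally allows that, the test should first create a CONTENT_PAGE_MANAGER UserRole for the user and add a negative case for a user without it. The view's permission classes are not in this diff, so this is inferred from the fixtures visible here. `datetime.now()` also yields naive datetimes for `start`/`end`; with USE_TZ enabled Django warns on save, so `timezone.now()` is the safer fixture.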
@@ -114,6 +110,24 @@ class IsContentPageManager(IsStandardUser): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + # and request.user.email_confirmed, + if hasattr(request, 'user'): + role = Role.objects.filter(role=Role.CONTENT_PAGE_MANAGER, + country_id=request.country_id)\ + .first() # 'Comments moderator' + + rules = [ + UserRole.objects.filter(user=request.user, role=role).exists(), + # and obj.user != request.user, + super().has_permission(request, view) + ] + return any(rules) + def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request. @@ -134,8 +148,8 @@ class IsCountryAdmin(IsStandardUser): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ - def has_permission(self, request, view): + rules = [ super().has_permission(request, view) ] From a38fed847a0f7601e320046629e2184f97689a61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=92=D0=B8=D0=BA=D1=82=D0=BE=D1=80=20=D0=93=D0=BB=D0=B0?= =?UTF-8?q?=D0=B4=D0=BA=D0=B8=D1=85?= Date: Fri, 25 Oct 2019 15:51:07 +0300 Subject: [PATCH 6/6] Fix roles --- apps/utils/permissions.py | 87 ++++++++++++++++++++++++++++++++------- 1 file changed, 71 insertions(+), 16 deletions(-) diff --git a/apps/utils/permissions.py b/apps/utils/permissions.py index 7ee7811b..86a4be6f 100644 --- a/apps/utils/permissions.py +++ b/apps/utils/permissions.py 
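Review bot: `country_id=request.country_id` reads an attribute that neither DRF's Request nor Django's HttpRequest defines, and because `hasattr(request, 'user')` is always true on a DRF Request this line runs on every call, so IsContentPageManager.has_permission will raise AttributeError (a 500) unless some middleware sets `request.country_id`. For a create request the country comes from the body, `request.data.get('country_id')`, and for detail routes from `view.kwargs`; a missing value should deny rather than crash. As elsewhere in this series the role result is OR-ed with `super().has_permission(request, view)` inside `any(rules)`, so even once fixed the role cannot deny an authenticated user, and the trailing `# 'Comments moderator'` comment is copy-pasted onto a CONTENT_PAGE_MANAGER lookup and should go.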
@@ -20,8 +20,8 @@ class IsAuthenticatedAndTokenIsValid(permissions.BasePermission): access_token = request.COOKIES.get('access_token') if user.is_authenticated and access_token: access_token = AccessToken(access_token) - valid_tokens = user.access_tokens.valid()\ - .by_jti(jti=access_token.payload.get('jti')) + valid_tokens = user.access_tokens.valid() \ + .by_jti(jti=access_token.payload.get('jti')) return valid_tokens.exists() else: return False @@ -31,13 +31,14 @@ class IsRefreshTokenValid(permissions.BasePermission): """ Check if user has a valid refresh token and authenticated """ + def has_permission(self, request, view): """Check permissions by refresh token and default REST permission IsAuthenticated""" refresh_token = request.COOKIES.get('refresh_token') if refresh_token: refresh_token = GMRefreshToken(refresh_token) - refresh_token_qs = JWTRefreshToken.objects.valid()\ - .by_jti(jti=refresh_token.payload.get('jti')) + refresh_token_qs = JWTRefreshToken.objects.valid() \ + .by_jti(jti=refresh_token.payload.get('jti')) return refresh_token_qs.exists() else: return False @@ -55,6 +56,7 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly): """ Object-level permission to only allow owners of an object to edit it. """ + def has_permission(self, request, view): rules = [ request.user.is_superuser, @@ -63,7 +65,6 @@ class IsGuest(permissions.IsAuthenticatedOrReadOnly): return any(rules) def has_object_permission(self, request, view, obj): - rules = [ request.user.is_superuser, request.method in permissions.SAFE_METHODS @@ -76,6 +77,7 @@ class IsStandardUser(IsGuest): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + def has_permission(self, request, view): rules = [ super().has_permission(request, view) 
@@ -118,7 +120,7 @@ class IsContentPageManager(IsStandardUser): # and request.user.email_confirmed, if hasattr(request, 'user'): role = Role.objects.filter(role=Role.CONTENT_PAGE_MANAGER, - country_id=request.country_id)\ + country_id=request.country_id) \ .first() # 'Comments moderator' rules = [ @@ -132,7 +134,7 @@ class IsContentPageManager(IsStandardUser): # Read permissions are allowed to any request. role = Role.objects.filter(role=Role.CONTENT_PAGE_MANAGER, - country_id=obj.country_id)\ + country_id=obj.country_id) \ .first() # 'Comments moderator' rules = [ @@ -148,6 +150,7 @@ class IsCountryAdmin(IsStandardUser): Object-level permission to only allow owners of an object to edit it. Assumes the model instance has an `owner` attribute. """ + def has_permission(self, request, view): rules = [ @@ -174,8 +177,8 @@ class IsCountryAdmin(IsStandardUser): .first() # 'Comments moderator' rules = [ - super().has_object_permission(request, view, obj) - ] + super().has_object_permission(request, view, obj) + ] # and request.user.email_confirmed, if hasattr(request, 'user') and request.user.is_authenticated: rules = [ @@ -221,7 +224,7 @@ class IsCommentModerator(IsStandardUser): def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request. role = Role.objects.filter(role=Role.COMMENTS_MODERATOR, - country_id=obj.country_id)\ + country_id=obj.country_id) \ .first() # 'Comments moderator' rules = [ 
@@ -234,10 +237,28 @@ class IsCommentModerator(IsStandardUser): class IsEstablishmentManager(IsStandardUser): - def has_object_permission(self, request, view, obj): - role = Role.objects.filter(role=Role.ESTABLISHMENT_MANAGER)\ + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + + # and request.user.email_confirmed, + if hasattr(request.data, 'user') and hasattr(request.data, 'establishment_id'): + role = Role.objects.filter(role=Role.ESTABLISHMENT_MANAGER) \ .first() # 'Comments moderator' + rules = [ + UserRole.objects.filter(user=request.user, role=role, + establishment_id=request.data.establishment_id + ).exists(), + super().has_permission(request, view) + ] + return any(rules) + + def has_object_permission(self, request, view, obj): + role = Role.objects.filter(role=Role.ESTABLISHMENT_MANAGER) \ + .first() # 'Comments moderator' + rules = [ UserRole.objects.filter(user=request.user, role=role, establishment_id=obj.establishment_id @@ -250,11 +271,28 @@ class IsEstablishmentManager(IsStandardUser): class IsReviewerManager(IsStandardUser): - def has_object_permission(self, request, view, obj): + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + # and request.user.email_confirmed, + if hasattr(request.data, 'user') and hasattr(request.data, 'country_id'): + role = Role.objects.filter(role=Role.REVIEWER_MANGER) \ + .first() # 'Comments moderator' + + rules = [ + UserRole.objects.filter(user=request.user, role=role, + establishment_id=request.data.country_id + ).exists(), + super().has_permission(request, view) + ] + return any(rules) + + def has_object_permission(self, request, view, obj): role = Role.objects.filter(role=Role.REVIEWER_MANGER, - country_id=obj.country_id)\ - .first() + country_id=obj.country_id) \ + .first() rules = [ UserRole.objects.filter(user=request.user, role=role).exists(), 
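Review bot: IsReviewerManager.has_permission looks up the role without the `country_id` restriction that its has_object_permission applies, and then filters UserRole with `establishment_id=request.data.country_id`, feeding a country id into an establishment foreign key; the two methods cannot agree on who is a reviewer manager. It should mirror the object-level method: `role = Role.objects.filter(role=Role.REVIEWER_MANGER, country_id=request.data.get('country_id')).first()` and `UserRole.objects.filter(user=request.user, role=role).exists()`. In both this hunk and the IsEstablishmentManager one before it the `hasattr(request.data, ...)` guard keeps the new code unreachable, as noted on the IsCommentModerator hunk in patch 2, and the `# 'Comments moderator'` comment is copy-pasted onto unrelated role lookups.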
@@ -266,8 +304,25 @@ class IsReviewerManager(IsStandardUser): class IsRestaurantReviewer(IsStandardUser): - def has_object_permission(self, request, view, obj): + def has_permission(self, request, view): + rules = [ + super().has_permission(request, view) + ] + # and request.user.email_confirmed, + if hasattr(request.data, 'user') and hasattr(request.data, 'object_id'): + role = Role.objects.filter(role=Role.RESTAURANT_REVIEWER) \ + .first() # 'Comments moderator' + + rules = [ + UserRole.objects.filter(user=request.user, role=role, + establishment_id=request.data.object_id + ).exists(), + super().has_permission(request, view) + ] + return any(rules) + + def has_object_permission(self, request, view, obj): content_type = ContentType.objects.get(app_lable='establishment', model='establishment')