gault-millau/apps/comment/permissions.py

from rest_framework import permissions
from account.models import UserRole, Role, User


class IsCommentModerator(permissions.BasePermission):
    """
    Object-level permission to only allow owners of an object to edit it.
    Assumes the model instance has an `owner` attribute.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Instance must have an attribute named `user`.
        role = Role.objects.get(role=2)  # 'Comments moderator'
        is_access = UserRole.objects.filter(user=request.user, role=role).exists()
        if obj.user == request.user and is_access:
            return True

        # User is super-user?
        if User.objects.filter(pk=request.user.pk).exists():
            return True

        return False