* Allow anonymous users to edit a set of fields of Checklist

store/serializers.py

@@ -187,6 +187,17 @@ class ChecklistSerializer(serializers.ModelSerializer):
                   )
 
 
+class AnonymousUserChecklistSerializer(ChecklistSerializer):
+    class Meta:
+        model = ChecklistSerializer.Meta.model
+        fields = ChecklistSerializer.Meta.fields
+        read_only_fields = tuple(set(ChecklistSerializer.Meta.fields) -
+                                 {'paymentprovement', 'paymenttype',
+                                  'buyername', 'buyerphone',
+                                  'delivery',
+                                  'recievername', 'recieverphone', 'tg'})
+
+
 class GlobalSettingsYuanRateSerializer(serializers.ModelSerializer):
     currency = serializers.DecimalField(source='yuan_rate', max_digits=10, decimal_places=2)
 

store/views.py

@@ -16,10 +16,18 @@ from store.exceptions import CRMException
 from store.models import User, Checklist, GlobalSettings, Category, PaymentMethod, Promocode
 from store.serializers import (UserSerializer, LoginSerializer, ChecklistSerializer, GlobalSettingsYuanRateSerializer,
                                CategorySerializer, GlobalSettingsPriceSerializer, PaymentMethodSerializer,
-                               PromocodeSerializer, GlobalSettingsPickupSerializer)
+                               PromocodeSerializer, GlobalSettingsPickupSerializer, AnonymousUserChecklistSerializer)
 from utils.permissions import ReadOnly
 
 
+class DisablePermissionsMixin(generics.GenericAPIView):
+    def get_permissions(self):
+        if settings.DISABLE_PERMISSIONS:
+            return [permissions.AllowAny()]
+
+        return super().get_permissions()
+
+
 class UserAPI(mixins.ListModelMixin, mixins.RetrieveModelMixin, generics.GenericAPIView):
     serializer_class = UserSerializer
 
@@ -56,15 +64,26 @@ class LoginAPI(generics.GenericAPIView):
         return Response(UserSerializer(user).data)
 
 
-class ChecklistAPI(mixins.ListModelMixin, mixins.CreateModelMixin, mixins.RetrieveModelMixin, generics.GenericAPIView):
+class ChecklistAPI(mixins.ListModelMixin, mixins.CreateModelMixin, mixins.RetrieveModelMixin, DisablePermissionsMixin):
     serializer_class = ChecklistSerializer
-    permission_classes = [IsAuthenticated | ReadOnly] if not settings.DISABLE_PERMISSIONS else [permissions.AllowAny]
     lookup_field = 'id'
     filterset_fields = ['status', ]
     filter_backends = [filters.SearchFilter]
     search_fields = ['id', 'poizon_tracking', 'buyer_phone']
     # TODO: search by full_price
 
+    def get_serializer_class(self):
+        if self.request.user.is_authenticated:
+            return ChecklistSerializer
+
+        return AnonymousUserChecklistSerializer
+
+    def get_permissions(self):
+        if self.request.method in ('GET', 'PATCH'):
+            return [permissions.AllowAny()]
+
+        return super().get_permissions()
+
     def get_queryset(self):
         return Checklist.objects.all().with_base_related() \
             .annotate_price_rub().annotate_commission_rub() \
@@ -163,9 +182,9 @@ class PricesAPI(generics.GenericAPIView):
         return Response(serializer.data)
 
 
-class PickupAPI(generics.GenericAPIView):
+class PickupAPI(DisablePermissionsMixin):
     serializer_class = GlobalSettingsPickupSerializer
-    permission_classes = [IsAuthenticated | ReadOnly] if not settings.DISABLE_PERMISSIONS else [permissions.AllowAny]
+    permission_classes = [IsAuthenticated | ReadOnly]
 
     def get_object(self):
         return GlobalSettings.load()