From afc07037f664d2105855a4ae3a0120a6e2b4c609 Mon Sep 17 00:00:00 2001
From: phzhik
Date: Sun, 26 May 2024 16:24:04 +0400
Subject: [PATCH] * Show non-managers only their own orders * Payment methods are editable only by admin * Allow customers to edit some set of order fields

---
 store/views.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/store/views.py b/store/views.py
index e3888a2..05c3176 100644
--- a/store/views.py
+++ b/store/views.py
@@ -63,7 +63,7 @@ class ChecklistAPI(viewsets.ModelViewSet):
         super().permission_denied(request, **kwargs)
 
     def get_serializer_class(self):
-        # Managers have a full set of fields
+        # Managers have a full set of fields for editing
         if getattr(self.request.user, 'is_manager', False) or self.action == 'retrieve':
             return ChecklistSerializer
 
@@ -83,11 +83,9 @@ class ChecklistAPI(viewsets.ModelViewSet):
         self.permission_denied(self.request, **self.kwargs)
 
     def get_permissions(self):
-        if self.action in ['list', 'update', 'partial_update']:
-            self.permission_classes = [IsManager]
-        elif self.action == 'retrieve':
+        if self.action == 'retrieve':
             self.permission_classes = [AllowAny]
-        elif self.action in ['create', 'destroy']:
+        elif self.action in ['create', 'list', 'update', 'partial_update', 'destroy']:
             self.permission_classes = [IsAuthenticated]
         return super().get_permissions()
 
@@ -101,10 +99,16 @@ class ChecklistAPI(viewsets.ModelViewSet):
         obj.cancel()
 
     def get_queryset(self):
-        return Checklist.objects.with_base_related() \
+        qs = Checklist.objects.with_base_related() \
             .annotate_bonus_used() \
             .default_ordering()
 
+        # Non-managers can list only their own orders
+        if not getattr(self.request.user, 'is_manager', False):
+            qs = qs.filter(customer_id=self.request.user.id)
+
+        return qs
+
     def get_object(self):
         obj: Checklist = super().get_object()
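Review bot: The reworded comment in get_serializer_class says the full field set is "for editing", but the condition right below it also returns ChecklistSerializer whenever `self.action == 'retrieve'`, a read path that get_permissions opens to AllowAny callers, so the comment now understates who receives the full set. Say both cases explicitly: `# Managers get the full field set for editing; retrieve returns the full set to any caller, so keep no manager-only data in ChecklistSerializer`. The non-manager branch of get_serializer_class lies outside this hunk, so what the reduced set contains cannot be checked here.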
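Review bot: With list, update and partial_update moved from IsManager to IsAuthenticated, nothing in get_permissions performs object-level authorization any more; a customer is kept away from other customers' orders only because get_queryset filters by customer_id and get_object resolves through that queryset, and that coupling is not recorded anywhere in this method. A future edit that loosens the queryset (or adds an action to this list) would silently turn the endpoint into an IDOR, so document the reliance on the `elif` line: `# Object-level scoping for non-managers is enforced in get_queryset(); these classes only gate authentication.` It is also worth a regression test that a non-manager PATCH to another customer's order returns 404, which is the behaviour this design implies but the commit does not pin.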
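Review bot: The new filter `customer_id=self.request.user.id` does not handle an unauthenticated caller, and retrieve is AllowAny per get_permissions: for AnonymousUser the id is None, so the filter becomes `customer_id IS NULL`, and if Checklist.customer is nullable (guest orders, which cannot be confirmed from this hunk) every customer-less order is retrievable by anyone who knows its id, contrary to the comment "can list only their own orders". If anonymous retrieval is not intended, make the non-manager branch `user = self.request.user` / `if not getattr(user, 'is_manager', False):` / `qs = qs.filter(customer_id=user.id) if user.is_authenticated else qs.none()`; if it is intended, the ownership check has to live in get_object, which starts in this hunk and continues outside it. The hunk's last context line is not visible on this page.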
@@ -130,9 +134,10 @@ class CategoryAPI(mixins.ListModelMixin, mixins.RetrieveModelMixin, mixins.Updat
 
 class PaymentMethodsAPI(mixins.ListModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet):
     serializer_class = PaymentMethodSerializer
-    permission_classes = [IsManager | ReadOnly]
+    permission_classes = [IsAdmin | ReadOnly]
     lookup_field = 'slug'
     queryset = PaymentMethod.objects.all()
+    pagination_class = None
 
 
 class PromoCodeAPI(viewsets.ModelViewSet):
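Review bot: `IsAdmin` replaces `IsManager` on the permission line, but no import change appears in this patch (the diffstat's 12 insertions are accounted for by the four visible hunks), so unless IsAdmin was already imported into store/views.py this line raises NameError when the module loads — confirm before merging. Separately, `pagination_class = None` is not covered by any of the commit message's three bullets and makes the list endpoint return the whole table in one response; that is acceptable for a small, admin-curated set of payment methods, but the intent should be stated on the line, e.g. `pagination_class = None  # small admin-managed set; clients expect all methods in one response`.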