phzhik/kwork-poizonstore
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Show non-managers only their own orders

Browse Source 
* Payment methods are editable only by admin
* Allow customers to edit some set of order fields
This commit is contained in:
Phil Zhitnikov 2024-05-26 16:24:04 +04:00
parent d07537cca3
commit afc07037f6
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
store/views.py
View File

@ -63,7 +63,7 @@ class ChecklistAPI(viewsets.ModelViewSet):
super().permission_denied(request, **kwargs) super().permission_denied(request, **kwargs)
def get_serializer_class(self): def get_serializer_class(self):
# Managers have a full set of fields # Managers have a full set of fields for editing
if getattr(self.request.user, 'is_manager', False) or self.action == 'retrieve': if getattr(self.request.user, 'is_manager', False) or self.action == 'retrieve':
return ChecklistSerializer return ChecklistSerializer
@ -83,11 +83,9 @@ class ChecklistAPI(viewsets.ModelViewSet):
self.permission_denied(self.request, **self.kwargs) self.permission_denied(self.request, **self.kwargs)
def get_permissions(self): def get_permissions(self):
if self.action in ['list', 'update', 'partial_update']: if self.action == 'retrieve':
self.permission_classes = [IsManager]
elif self.action == 'retrieve':
self.permission_classes = [AllowAny] self.permission_classes = [AllowAny]
elif self.action in ['create', 'destroy']: elif self.action in ['create', 'list', 'update', 'partial_update', 'destroy']:
self.permission_classes = [IsAuthenticated] self.permission_classes = [IsAuthenticated]
return super().get_permissions() return super().get_permissions()
@ -101,10 +99,16 @@ class ChecklistAPI(viewsets.ModelViewSet):
obj.cancel() obj.cancel()
def get_queryset(self): def get_queryset(self):
return Checklist.objects.with_base_related() \ qs = Checklist.objects.with_base_related() \
.annotate_bonus_used() \ .annotate_bonus_used() \
.default_ordering() .default_ordering()
# Non-managers can list only their own orders
if not getattr(self.request.user, 'is_manager', False):
qs = qs.filter(customer_id=self.request.user.id)
return qs
def get_object(self): def get_object(self):
obj: Checklist = super().get_object() obj: Checklist = super().get_object()
@ -130,9 +134,10 @@ class CategoryAPI(mixins.ListModelMixin, mixins.RetrieveModelMixin, mixins.Updat
class PaymentMethodsAPI(mixins.ListModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet): class PaymentMethodsAPI(mixins.ListModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet):
serializer_class = PaymentMethodSerializer serializer_class = PaymentMethodSerializer
permission_classes = [IsManager | ReadOnly] permission_classes = [IsAdmin | ReadOnly]
lookup_field = 'slug' lookup_field = 'slug'
queryset = PaymentMethod.objects.all() queryset = PaymentMethod.objects.all()
pagination_class = None
class PromoCodeAPI(viewsets.ModelViewSet): class PromoCodeAPI(viewsets.ModelViewSet):