* Show non-managers only their own orders

* Payment methods are editable only by admin * Allow customers to edit some set of order fields
2024-05-26 16:24:04 +04:00 · 2024-05-26 16:24:04 +04:00 · afc07037f6
commit afc07037f6
parent d07537cca3
1 changed files with 12 additions and 7 deletions
--- a/store/views.py
+++ b/store/views.py
@ -63,7 +63,7 @@ class ChecklistAPI(viewsets.ModelViewSet):
        super().permission_denied(request, **kwargs)

    def get_serializer_class(self):
-        # Managers have a full set of fields
+        # Managers have a full set of fields for editing
        if getattr(self.request.user, 'is_manager', False) or self.action == 'retrieve':
            return ChecklistSerializer

@ -83,11 +83,9 @@ class ChecklistAPI(viewsets.ModelViewSet):
        self.permission_denied(self.request, **self.kwargs)

    def get_permissions(self):
-        if self.action in ['list', 'update', 'partial_update']:
-            self.permission_classes = [IsManager]
-        elif self.action == 'retrieve':
+        if self.action == 'retrieve':
            self.permission_classes = [AllowAny]
-        elif self.action in ['create', 'destroy']:
+        elif self.action in ['create', 'list', 'update', 'partial_update', 'destroy']:
            self.permission_classes = [IsAuthenticated]

        return super().get_permissions()
@ -101,10 +99,16 @@ class ChecklistAPI(viewsets.ModelViewSet):
        obj.cancel()

    def get_queryset(self):
-        return Checklist.objects.with_base_related() \
+        qs = Checklist.objects.with_base_related() \
            .annotate_bonus_used() \
            .default_ordering()

+        # Non-managers can list only their own orders
+        if not getattr(self.request.user, 'is_manager', False):
+            qs = qs.filter(customer_id=self.request.user.id)
+
+        return qs
+
    def get_object(self):
        obj: Checklist = super().get_object()

@ -130,9 +134,10 @@ class CategoryAPI(mixins.ListModelMixin, mixins.RetrieveModelMixin, mixins.Updat

 class PaymentMethodsAPI(mixins.ListModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet):
    serializer_class = PaymentMethodSerializer
-    permission_classes = [IsManager | ReadOnly]
+    permission_classes = [IsAdmin | ReadOnly]
    lookup_field = 'slug'
    queryset = PaymentMethod.objects.all()
+    pagination_class = None


 class PromoCodeAPI(viewsets.ModelViewSet):