[#140818877] [#39] [Refactor] Add permission and filter&ordering on viewsets

core/lib/permissions.py

@@ -6,27 +6,34 @@ from core.models import Student
 from core.models import Supervisor
 from core.models import Application
 
+
 def is_admin_or_student(user):
-    return user.is_superuser or hasattr(user, "student")
+    return user.is_superuser or user.is_staff or hasattr(user, "student")
 
 
 def is_admin_or_company(user):
-    return user.is_superuser or hasattr(user, "company")
+    if user.is_superuser or user.is_staff:
+        return True
+
+    if not hasattr(user, "company") or user.company != Company.VERIFIED :
+        raise APIException("This account is not valid company account or has not been verified", 403)
+
+    return True
 
 
 def is_admin_or_supervisor(user):
-    return user.is_superuser or hasattr(user, "supervisor")
+    return user.is_superuser or user.is_staff or hasattr(user, "supervisor")
 
 
 def is_admin_or_supervisor_or_company(user):
-    return user.is_superuser or hasattr(user, "supervisor") or hasattr(user, "company")
+    return user.is_superuser or user.is_staff or hasattr(user, "supervisor") or hasattr(user, "company")
 
 
 class IsAdminOrSelfOrReadOnly(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):
         if request.method in permissions.SAFE_METHODS:
             return True
-        if request.user.is_superuser:
+        if request.user.is_superuser or request.user.is_staff:
             return True
         # Instance must have an attribute named `user` or be `user`
         if hasattr(obj, "user"):
@@ -40,7 +47,7 @@ class IsAdminOrStudent(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
         user = request.user
-        if user.is_superuser:
+        if user.is_superuser or user.is_staff:
             return True
         student = None
         if isinstance(obj, Student):
@@ -50,7 +57,7 @@ class IsAdminOrStudent(permissions.BasePermission):
         else:
             raise APIException(
                 "Checking student permission on object {} not associated with Student"
-                    .format(type(obj.__name__))
+                    .format(type(obj.__name__)), 403
             )
 
         return hasattr(user, "student") and user.student == student
@@ -62,7 +69,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
         user = request.user
-        if user.is_superuser:
+        if user.is_superuser or user.is_staff:
             return True
         supervisor = None
         if isinstance(obj, Supervisor):
@@ -72,7 +79,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
         else:
             raise APIException(
                 "Checking supervisor permission on object {} not associated with Supervisor"
-                    .format(type(obj.__name__))
+                    .format(type(obj.__name__)), 403
             )
 
         return hasattr(user, "supervisor") and user.supervisor == supervisor
@@ -84,7 +91,7 @@ class IsAdminOrCompany(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
         user = request.user
-        if user.is_superuser:
+        if user.is_superuser or user.is_staff:
             return True
         company = None
         if isinstance(obj, Company):
@@ -94,7 +101,7 @@ class IsAdminOrCompany(permissions.BasePermission):
         else:
             raise APIException(
                 "Checking company permission on object {} not associated with Company"
-                    .format(type(obj.__name__))
+                    .format(type(obj.__name__)), 403
             )
 
         return hasattr(user, "company") and user.company == company
@@ -108,7 +115,7 @@ class IsAdminOrSupervisorOrCompany(permissions.BasePermission):
 class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         user = request.user
-        if user.is_superuser or hasattr(user, "company") or hasattr(user, "supervisor"):
+        if user.is_superuser or user.is_staff or hasattr(user, "company") or hasattr(user, "supervisor"):
             return True
         if hasattr(user, "student"):
             if isinstance(obj, Student):
@@ -118,7 +125,7 @@ class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
             else:
                 raise APIException(
                     "Checking student permission on object {} not associated with Student"
-                        .format(type(obj.__name__))
+                        .format(type(obj.__name__)), 403
                 )
             return hasattr(user, "student") and user.student == student
         return False
@@ -130,11 +137,11 @@ class IsAdminOrVacancyOwner(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
         user = request.user
-        if user.is_superuser:
+        if user.is_superuser or user.is_staff:
             return True
         if isinstance(obj, Application):
             return user.company == obj.vacancy.company
         else:
             raise APIException(
-                "Checking owner permission on non-application object"
+                "Checking owner permission on non-application object", 403
             )

core/models/vacancies.py

@@ -13,6 +13,9 @@ class Vacancy(models.Model):
     updated = models.DateTimeField(auto_now=True)
     name = models.CharField(max_length=100, null=False)
 
+    class Meta:
+        ordering = ['-updated']
+
 
 class Application(models.Model):
     NEW = 0

core/views/accounts.py

@@ -2,7 +2,6 @@ import requests
 from django.contrib.auth import authenticate, login
 from django.contrib.auth.models import User
 from rest_framework import viewsets, status
-from rest_framework.generics import get_object_or_404
 from rest_framework.decorators import list_route
 from rest_framework.parsers import FormParser,MultiPartParser
 from rest_framework.permissions import AllowAny
@@ -15,6 +14,7 @@ from core.models.accounts import Student, Company, Supervisor
 from core.serializers.accounts import BasicUserSerializer, UserSerializer, StudentSerializer, CompanySerializer, \
     SupervisorSerializer, RegisterSerializer, StudentUpdateSerializer
 
+
 class UserViewSet(viewsets.ModelViewSet):
     queryset = User.objects.all()
     serializer_class = UserSerializer
@@ -56,6 +56,7 @@ class CompanyViewSet(viewsets.ModelViewSet):
     queryset = Company.objects.all()
     serializer_class = CompanySerializer
     permission_classes = [IsAdminOrSelfOrReadOnly, IsAdminOrCompany]
+    filter_fields = ('status',)
 
 
 class SupervisorViewSet(viewsets.ModelViewSet):

core/views/vacancies.py

@@ -137,6 +137,7 @@ class CompanyApplicationStatusViewSet(viewsets.GenericViewSet):
 
 class CompanyVacanciesViewSet(viewsets.GenericViewSet):
     queryset = Vacancy.objects.all()
+    permission_classes = [IsAdminOrCompany]
 
     def list(self, request, company_id):
         """

kape/settings.py

@@ -37,7 +37,8 @@ INSTALLED_APPS = [
     'rest_framework',
     'django_nose',
     'rest_framework_swagger',
-    'silk'
+    'silk',
+    'django_filters'
 ]
 
 MIDDLEWARE = [
@@ -145,7 +146,8 @@ REST_FRAMEWORK = {
     # or allow read-only access for unauthenticated users.
     'DEFAULT_PERMISSION_CLASSES': [
         'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
-    ]
+    ],
+    'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',)
 }
 
 GZIP_CONTENT_TYPES = (

requirements.txt

@@ -12,4 +12,5 @@ coverage
 django-rest-swagger
 django-silk
 requests
-requests-mock
\ No newline at end of file
+requests-mock
+django-filter
\ No newline at end of file