Fakultas Ilmu Komputer UI

Commit f26b24a1 authored by Zamil Majdy's avatar Zamil Majdy
Browse files

[#140818877] [#39] [Refactor] Add permission and filter&ordering on viewsets

parent 319f2c62
......@@ -6,27 +6,34 @@ from core.models import Student
from core.models import Supervisor
from core.models import Application
def is_admin_or_student(user):
return user.is_superuser or hasattr(user, "student")
return user.is_superuser or user.is_staff or hasattr(user, "student")
def is_admin_or_company(user):
return user.is_superuser or hasattr(user, "company")
if user.is_superuser or user.is_staff:
return True
if not hasattr(user, "company") or user.company != Company.VERIFIED :
raise APIException("This account is not valid company account or has not been verified", 403)
return True
def is_admin_or_supervisor(user):
return user.is_superuser or hasattr(user, "supervisor")
return user.is_superuser or user.is_staff or hasattr(user, "supervisor")
def is_admin_or_supervisor_or_company(user):
return user.is_superuser or hasattr(user, "supervisor") or hasattr(user, "company")
return user.is_superuser or user.is_staff or hasattr(user, "supervisor") or hasattr(user, "company")
class IsAdminOrSelfOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
if request.user.is_superuser:
if request.user.is_superuser or request.user.is_staff:
return True
# Instance must have an attribute named `user` or be `user`
if hasattr(obj, "user"):
......@@ -40,7 +47,7 @@ class IsAdminOrStudent(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
user = request.user
if user.is_superuser:
if user.is_superuser or user.is_staff:
return True
student = None
if isinstance(obj, Student):
......@@ -50,7 +57,7 @@ class IsAdminOrStudent(permissions.BasePermission):
else:
raise APIException(
"Checking student permission on object {} not associated with Student"
.format(type(obj.__name__))
.format(type(obj.__name__)), 403
)
return hasattr(user, "student") and user.student == student
......@@ -62,7 +69,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
user = request.user
if user.is_superuser:
if user.is_superuser or user.is_staff:
return True
supervisor = None
if isinstance(obj, Supervisor):
......@@ -72,7 +79,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
else:
raise APIException(
"Checking supervisor permission on object {} not associated with Supervisor"
.format(type(obj.__name__))
.format(type(obj.__name__)), 403
)
return hasattr(user, "supervisor") and user.supervisor == supervisor
......@@ -84,7 +91,7 @@ class IsAdminOrCompany(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
user = request.user
if user.is_superuser:
if user.is_superuser or user.is_staff:
return True
company = None
if isinstance(obj, Company):
......@@ -94,7 +101,7 @@ class IsAdminOrCompany(permissions.BasePermission):
else:
raise APIException(
"Checking company permission on object {} not associated with Company"
.format(type(obj.__name__))
.format(type(obj.__name__)), 403
)
return hasattr(user, "company") and user.company == company
......@@ -108,7 +115,7 @@ class IsAdminOrSupervisorOrCompany(permissions.BasePermission):
class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
def has_object_permission(self, request, view, obj):
user = request.user
if user.is_superuser or hasattr(user, "company") or hasattr(user, "supervisor"):
if user.is_superuser or user.is_staff or hasattr(user, "company") or hasattr(user, "supervisor"):
return True
if hasattr(user, "student"):
if isinstance(obj, Student):
......@@ -118,7 +125,7 @@ class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
else:
raise APIException(
"Checking student permission on object {} not associated with Student"
.format(type(obj.__name__))
.format(type(obj.__name__)), 403
)
return hasattr(user, "student") and user.student == student
return False
......@@ -130,11 +137,11 @@ class IsAdminOrVacancyOwner(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
user = request.user
if user.is_superuser:
if user.is_superuser or user.is_staff:
return True
if isinstance(obj, Application):
return user.company == obj.vacancy.company
else:
raise APIException(
"Checking owner permission on non-application object"
"Checking owner permission on non-application object", 403
)
......@@ -13,6 +13,9 @@ class Vacancy(models.Model):
updated = models.DateTimeField(auto_now=True)
name = models.CharField(max_length=100, null=False)
class Meta:
ordering = ['-updated']
class Application(models.Model):
NEW = 0
......
......@@ -2,7 +2,6 @@ import requests
from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
from rest_framework import viewsets, status
from rest_framework.generics import get_object_or_404
from rest_framework.decorators import list_route
from rest_framework.parsers import FormParser,MultiPartParser
from rest_framework.permissions import AllowAny
......@@ -15,6 +14,7 @@ from core.models.accounts import Student, Company, Supervisor
from core.serializers.accounts import BasicUserSerializer, UserSerializer, StudentSerializer, CompanySerializer, \
SupervisorSerializer, RegisterSerializer, StudentUpdateSerializer
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
......@@ -56,6 +56,7 @@ class CompanyViewSet(viewsets.ModelViewSet):
queryset = Company.objects.all()
serializer_class = CompanySerializer
permission_classes = [IsAdminOrSelfOrReadOnly, IsAdminOrCompany]
filter_fields = ('status',)
class SupervisorViewSet(viewsets.ModelViewSet):
......
......@@ -137,6 +137,7 @@ class CompanyApplicationStatusViewSet(viewsets.GenericViewSet):
class CompanyVacanciesViewSet(viewsets.GenericViewSet):
queryset = Vacancy.objects.all()
permission_classes = [IsAdminOrCompany]
def list(self, request, company_id):
"""
......
......@@ -37,7 +37,8 @@ INSTALLED_APPS = [
'rest_framework',
'django_nose',
'rest_framework_swagger',
'silk'
'silk',
'django_filters'
]
MIDDLEWARE = [
......@@ -145,7 +146,8 @@ REST_FRAMEWORK = {
# or allow read-only access for unauthenticated users.
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
]
],
'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',)
}
GZIP_CONTENT_TYPES = (
......
......@@ -12,4 +12,5 @@ coverage
django-rest-swagger
django-silk
requests
requests-mock
\ No newline at end of file
requests-mock
django-filter
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment