
Commit f26b24a1 authored by Zamil Majdy's avatar Zamil Majdy

[#140818877] [#39] [Refactor] Add permission and filter&ordering on viewsets

parent 319f2c62
...@@ -6,27 +6,34 @@ from core.models import Student ...@@ -6,27 +6,34 @@ from core.models import Student
from core.models import Supervisor from core.models import Supervisor
from core.models import Application from core.models import Application
def is_admin_or_student(user): def is_admin_or_student(user):
return user.is_superuser or hasattr(user, "student") return user.is_superuser or user.is_staff or hasattr(user, "student")
def is_admin_or_company(user): def is_admin_or_company(user):
return user.is_superuser or hasattr(user, "company") if user.is_superuser or user.is_staff:
return True
if not hasattr(user, "company") or user.company != Company.VERIFIED :
raise APIException("This account is not valid company account or has not been verified", 403)
return True
def is_admin_or_supervisor(user): def is_admin_or_supervisor(user):
return user.is_superuser or hasattr(user, "supervisor") return user.is_superuser or user.is_staff or hasattr(user, "supervisor")
def is_admin_or_supervisor_or_company(user): def is_admin_or_supervisor_or_company(user):
return user.is_superuser or hasattr(user, "supervisor") or hasattr(user, "company") return user.is_superuser or user.is_staff or hasattr(user, "supervisor") or hasattr(user, "company")
class IsAdminOrSelfOrReadOnly(permissions.BasePermission): class IsAdminOrSelfOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS: if request.method in permissions.SAFE_METHODS:
return True return True
if request.user.is_superuser: if request.user.is_superuser or request.user.is_staff:
return True return True
# Instance must have an attribute named `user` or be `user` # Instance must have an attribute named `user` or be `user`
if hasattr(obj, "user"): if hasattr(obj, "user"):
...@@ -40,7 +47,7 @@ class IsAdminOrStudent(permissions.BasePermission): ...@@ -40,7 +47,7 @@ class IsAdminOrStudent(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
user = request.user user = request.user
if user.is_superuser: if user.is_superuser or user.is_staff:
return True return True
student = None student = None
if isinstance(obj, Student): if isinstance(obj, Student):
...@@ -50,7 +57,7 @@ class IsAdminOrStudent(permissions.BasePermission): ...@@ -50,7 +57,7 @@ class IsAdminOrStudent(permissions.BasePermission):
else: else:
raise APIException( raise APIException(
"Checking student permission on object {} not associated with Student" "Checking student permission on object {} not associated with Student"
.format(type(obj.__name__)) .format(type(obj.__name__)), 403
) )
return hasattr(user, "student") and user.student == student return hasattr(user, "student") and user.student == student
...@@ -62,7 +69,7 @@ class IsAdminOrSupervisor(permissions.BasePermission): ...@@ -62,7 +69,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
user = request.user user = request.user
if user.is_superuser: if user.is_superuser or user.is_staff:
return True return True
supervisor = None supervisor = None
if isinstance(obj, Supervisor): if isinstance(obj, Supervisor):
...@@ -72,7 +79,7 @@ class IsAdminOrSupervisor(permissions.BasePermission): ...@@ -72,7 +79,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
else: else:
raise APIException( raise APIException(
"Checking supervisor permission on object {} not associated with Supervisor" "Checking supervisor permission on object {} not associated with Supervisor"
.format(type(obj.__name__)) .format(type(obj.__name__)), 403
) )
return hasattr(user, "supervisor") and user.supervisor == supervisor return hasattr(user, "supervisor") and user.supervisor == supervisor
...@@ -84,7 +91,7 @@ class IsAdminOrCompany(permissions.BasePermission): ...@@ -84,7 +91,7 @@ class IsAdminOrCompany(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
user = request.user user = request.user
if user.is_superuser: if user.is_superuser or user.is_staff:
return True return True
company = None company = None
if isinstance(obj, Company): if isinstance(obj, Company):
...@@ -94,7 +101,7 @@ class IsAdminOrCompany(permissions.BasePermission): ...@@ -94,7 +101,7 @@ class IsAdminOrCompany(permissions.BasePermission):
else: else:
raise APIException( raise APIException(
"Checking company permission on object {} not associated with Company" "Checking company permission on object {} not associated with Company"
.format(type(obj.__name__)) .format(type(obj.__name__)), 403
) )
return hasattr(user, "company") and user.company == company return hasattr(user, "company") and user.company == company
...@@ -108,7 +115,7 @@ class IsAdminOrSupervisorOrCompany(permissions.BasePermission): ...@@ -108,7 +115,7 @@ class IsAdminOrSupervisorOrCompany(permissions.BasePermission):
class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated): class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
user = request.user user = request.user
if user.is_superuser or hasattr(user, "company") or hasattr(user, "supervisor"): if user.is_superuser or user.is_staff or hasattr(user, "company") or hasattr(user, "supervisor"):
return True return True
if hasattr(user, "student"): if hasattr(user, "student"):
if isinstance(obj, Student): if isinstance(obj, Student):
...@@ -118,7 +125,7 @@ class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated): ...@@ -118,7 +125,7 @@ class IsAdminOrSupervisorOrCompanyOrSelf(permissions.IsAuthenticated):
else: else:
raise APIException( raise APIException(
"Checking student permission on object {} not associated with Student" "Checking student permission on object {} not associated with Student"
.format(type(obj.__name__)) .format(type(obj.__name__)), 403
) )
return hasattr(user, "student") and user.student == student return hasattr(user, "student") and user.student == student
return False return False
...@@ -130,11 +137,11 @@ class IsAdminOrVacancyOwner(permissions.BasePermission): ...@@ -130,11 +137,11 @@ class IsAdminOrVacancyOwner(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
user = request.user user = request.user
if user.is_superuser: if user.is_superuser or user.is_staff:
return True return True
if isinstance(obj, Application): if isinstance(obj, Application):
return user.company == obj.vacancy.company return user.company == obj.vacancy.company
else: else:
raise APIException( raise APIException(
"Checking owner permission on non-application object" "Checking owner permission on non-application object", 403
) )
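Review bot: In `is_admin_or_company` (first hunk) the verification test compares the related `user.company` object itself with `Company.VERIFIED`; if VERIFIED is a value of the `status` field that `CompanyViewSet` filters on in this same commit, that comparison can never be true and every non-staff company account is rejected, so the line should read `if not hasattr(user, "company") or user.company.status != Company.VERIFIED:`. The `403` passed as the second positional argument of `APIException` there, and in the later hunks of this file (the student, supervisor, company, self and vacancy-owner checks), is DRF's error `code`, not the HTTP status, so the response keeps APIException's default 500 status; these denials should raise `PermissionDenied(...)` instead, which carries 403 by definition. On the same changed lines, `type(obj.__name__)` reads `__name__` on a model instance and raises AttributeError before the message is even built; `type(obj).__name__` is what was meant. The enclosing `has_object_permission` bodies continue outside the hunks.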
...@@ -13,6 +13,9 @@ class Vacancy(models.Model): ...@@ -13,6 +13,9 @@ class Vacancy(models.Model):
updated = models.DateTimeField(auto_now=True) updated = models.DateTimeField(auto_now=True)
name = models.CharField(max_length=100, null=False) name = models.CharField(max_length=100, null=False)
class Meta:
ordering = ['-updated']
class Application(models.Model): class Application(models.Model):
NEW = 0 NEW = 0
......
...@@ -2,7 +2,6 @@ import requests ...@@ -2,7 +2,6 @@ import requests
from django.contrib.auth import authenticate, login from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User from django.contrib.auth.models import User
from rest_framework import viewsets, status from rest_framework import viewsets, status
from rest_framework.generics import get_object_or_404
from rest_framework.decorators import list_route from rest_framework.decorators import list_route
from rest_framework.parsers import FormParser,MultiPartParser from rest_framework.parsers import FormParser,MultiPartParser
from rest_framework.permissions import AllowAny from rest_framework.permissions import AllowAny
...@@ -15,6 +14,7 @@ from core.models.accounts import Student, Company, Supervisor ...@@ -15,6 +14,7 @@ from core.models.accounts import Student, Company, Supervisor
from core.serializers.accounts import BasicUserSerializer, UserSerializer, StudentSerializer, CompanySerializer, \ from core.serializers.accounts import BasicUserSerializer, UserSerializer, StudentSerializer, CompanySerializer, \
SupervisorSerializer, RegisterSerializer, StudentUpdateSerializer SupervisorSerializer, RegisterSerializer, StudentUpdateSerializer
class UserViewSet(viewsets.ModelViewSet): class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all() queryset = User.objects.all()
serializer_class = UserSerializer serializer_class = UserSerializer
...@@ -56,6 +56,7 @@ class CompanyViewSet(viewsets.ModelViewSet): ...@@ -56,6 +56,7 @@ class CompanyViewSet(viewsets.ModelViewSet):
queryset = Company.objects.all() queryset = Company.objects.all()
serializer_class = CompanySerializer serializer_class = CompanySerializer
permission_classes = [IsAdminOrSelfOrReadOnly, IsAdminOrCompany] permission_classes = [IsAdminOrSelfOrReadOnly, IsAdminOrCompany]
filter_fields = ('status',)
class SupervisorViewSet(viewsets.ModelViewSet): class SupervisorViewSet(viewsets.ModelViewSet):
......
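Review bot: `filter_fields = ('status',)` on `CompanyViewSet` makes the company list filterable by verification status for whoever can list it; `IsAdminOrSelfOrReadOnly` (first file) returns True for every safe method, so unless the `has_permission` half of `IsAdminOrCompany`, which is outside this view, restricts list access, any reader can enumerate unverified companies by status. It is worth confirming that this is intended, or restricting the visible rows to the caller's own company for non-staff users in `get_queryset`. `filter_fields` is also the django-filter 1.x attribute name, which later major versions renamed to `filterset_fields`, and the requirements change adds `django-filter` without a version, so the attribute used should match the version actually installed. The viewset continues outside the hunk.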
...@@ -137,6 +137,7 @@ class CompanyApplicationStatusViewSet(viewsets.GenericViewSet): ...@@ -137,6 +137,7 @@ class CompanyApplicationStatusViewSet(viewsets.GenericViewSet):
class CompanyVacanciesViewSet(viewsets.GenericViewSet): class CompanyVacanciesViewSet(viewsets.GenericViewSet):
queryset = Vacancy.objects.all() queryset = Vacancy.objects.all()
permission_classes = [IsAdminOrCompany]
def list(self, request, company_id): def list(self, request, company_id):
""" """
......
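Review bot: `permission_classes = [IsAdminOrCompany]` on `CompanyVacanciesViewSet` does not tie the requesting company to the `company_id` path argument that `list` receives, so unless the body of `list` (outside the hunk) checks it, any verified company can list another company's vacancies. `IsAdminOrCompany.has_object_permission` (first file) also raises for any object that is not Company-related while this viewset's queryset is `Vacancy`, so any object-level check routed through it would end in an exception rather than a clean denial. A short comment on the class stating that only the request-level check applies here, plus an explicit ownership check in `list` along the lines of `if not request.user.is_staff and str(request.user.company.pk) != str(company_id): raise PermissionDenied()`, would close the gap; the import of `IsAdminOrCompany` in this file is not visible in the hunk, so confirm it is present.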
...@@ -37,7 +37,8 @@ INSTALLED_APPS = [ ...@@ -37,7 +37,8 @@ INSTALLED_APPS = [
'rest_framework', 'rest_framework',
'django_nose', 'django_nose',
'rest_framework_swagger', 'rest_framework_swagger',
'silk' 'silk',
'django_filters'
] ]
MIDDLEWARE = [ MIDDLEWARE = [
...@@ -145,7 +146,8 @@ REST_FRAMEWORK = { ...@@ -145,7 +146,8 @@ REST_FRAMEWORK = {
# or allow read-only access for unauthenticated users. # or allow read-only access for unauthenticated users.
'DEFAULT_PERMISSION_CLASSES': [ 'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly' 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
] ],
'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',)
} }
GZIP_CONTENT_TYPES = ( GZIP_CONTENT_TYPES = (
......
...@@ -12,4 +12,5 @@ coverage ...@@ -12,4 +12,5 @@ coverage
django-rest-swagger django-rest-swagger
django-silk django-silk
requests requests
requests-mock requests-mock
\ No newline at end of file django-filter
\ No newline at end of file
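Review bot: `django-filter` is added without a version, and the viewset code in this commit relies on the 1.x attribute name `filter_fields`, which later major versions renamed; pinning it as `django-filter==<tested version>` keeps fresh installs on the API the code was written against. The other entries in the file are unpinned too, but pinning them is a separate change.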