Simplify Card views and allow editing courses

2020-01-15 02:02:16 +00:00 · 2020-01-15 02:02:16 +00:00 · a0489be82d
commit a0489be82d
parent a178516811
2 changed files with 22 additions and 30 deletions
--- a/apiserver/apiserver/api/serializers.py
+++ b/apiserver/apiserver/api/serializers.py
@ -146,29 +146,13 @@ class AdminSearchSerializer(serializers.Serializer):
            queryset = obj.user.cards
        else:
            queryset = models.Card.objects.filter(member_id=obj.id)
-        serializer = AdminCardSerializer(data=queryset, many=True)
+        serializer = CardSerializer(data=queryset, many=True)
        serializer.is_valid()
        return serializer.data



-# member viewing his own cards
 class CardSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = models.Card
-        fields = '__all__'
-        read_only_fields = [
-            'id',
-            'card_number',
-            'member_id',
-            'notes',
-            'last_seen_at',
-            'active_status',
-            'user',
-        ]
-
-# admin viewing member details
-class AdminCardSerializer(CardSerializer):
    card_number = serializers.CharField(validators=[UniqueValidator(
        queryset=models.Card.objects.all(),
        message='Card number already exists.'
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@ -1,7 +1,7 @@
 from django.contrib.auth.models import User, Group
 from django.db.models import Max
 from rest_framework import viewsets, views, mixins, generics, exceptions
-from rest_framework.permissions import BasePermission, IsAuthenticated
+from rest_framework.permissions import BasePermission, IsAuthenticated, SAFE_METHODS
 from rest_framework.response import Response
 from rest_auth.views import PasswordChangeView
 from rest_auth.registration.views import RegisterView
@ -19,11 +19,24 @@ def is_admin_director(user):

 class IsOwnerOrAdmin(BasePermission):
    def has_object_permission(self, request, view, obj):
-        return obj.user == request.user or is_admin_director(request.user)
+        return request.user and (obj.user == request.user or is_admin_director(request.user))
+
+class IsAdminOrReadOnly(BasePermission):
+    def has_permission(self, request, view):
+        return bool(
+            request.method in SAFE_METHODS or
+            request.user and
+            is_admin_director(request.user)
+        )
+
+class IsInstructorOrReadOnly(BasePermission):
+    def has_permission(self, request, view):
+        return bool(
+            request.method in SAFE_METHODS or
+            request.user and
+            request.user.member.is_instructor
+        )

-class IsInstructor(BasePermission):
-    def has_object_permission(self, request, view, obj):
-        return user.member.is_instructor


 class RetrieveUpdateViewSet(
@ -116,18 +129,13 @@ class MemberViewSet(RetrieveUpdateViewSet):


 class CardViewSet(CreateRetrieveUpdateDeleteViewSet):
-    permission_classes = [AllowMetadata | IsAuthenticated, IsOwnerOrAdmin]
+    permission_classes = [AllowMetadata | IsAuthenticated, IsOwnerOrAdmin, IsAdminOrReadOnly]
    queryset = models.Card.objects.all()
-
-    def get_serializer_class(self):
-        if is_admin_director(self.request.user):
-            return serializers.AdminCardSerializer
-        else:
-            return serializers.CardSerializer
+    serializer_class = serializers.CardSerializer


 class CourseViewSet(viewsets.ModelViewSet):
-    permission_classes = [AllowMetadata | IsAuthenticated]
+    permission_classes = [AllowMetadata | IsAuthenticated, IsAdminOrReadOnly | IsInstructorOrReadOnly]
    queryset = models.Course.objects.annotate(date=Max('sessions__datetime')).order_by('-date')

    def get_serializer_class(self):