
Commit 797fc7b

Improved permision with additional checking
1 parent 913dde8 commit 797fc7b


2 files changed

+19
-30
lines changed


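--- a/nxtbn/core/admin_permissions.py
+++ b/nxtbn/core/admin_permissions.py
@@ -27,7 +27,7 @@ def has_permission(self, request, view):
 return True
 
 model_cls = None
-if hasattr(view, 'get_queryset'): # Warning, Never use hasattr(view, 'queryset') as DRF cache this which may lead to unexpected behavior
+if hasattr(view, 'get_queryset'): # Warning, Never use hasattr(view, 'queryset') as DRF cache this which may lead to unexpected behavior
 model_cls = view.get_queryset().model
 elif hasattr(view, 'model'):
 model_cls = view.model
@@ -58,7 +58,12 @@ def has_permission(self, request, view):
 
 
 
-model_cls = getattr(view, 'queryset', None) or getattr(view, 'model', None)
+model_cls = None
+if hasattr(view, 'get_queryset'): # Warning, Never use hasattr(view, 'queryset') as DRF cache this which may lead to unexpected behavior
+model_cls = view.get_queryset().model
+elif hasattr(view, 'model'):
+model_cls = view.model
+
 if model_cls is None:
 return False
 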
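Review bot: In the second hunk the `elif hasattr(view, 'model')` branch is effectively unreachable for DRF generic views, because every `GenericAPIView` defines `get_queryset`, so a view that sets `model` but leaves `queryset` unset (in views.py, `ReturnLineItemStatusUpdateAPIView` shows no `queryset` in its hunk) will have `view.get_queryset()` trip DRF's `queryset is not None` assertion and the request fails with a server error instead of a denial; the first hunk has the same shape. If the class-level `model` is meant as the fallback for exactly that case, read it first and only consult the queryset when it is absent: `model_cls = getattr(view, 'model', None)` / `if model_cls is None and hasattr(view, 'get_queryset'):` / `    model_cls = view.get_queryset().model`; if the queryset's model must take precedence instead, the call needs its own guard so a failure still ends in `return False`. The lookup block is now duplicated verbatim in both `has_permission` methods and would be easier to keep fail-closed as one module-level helper. Both `has_permission` bodies start and end outside their hunks.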
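--- a/nxtbn/order/api/dashboard/views.py
+++ b/nxtbn/order/api/dashboard/views.py
@@ -443,13 +443,15 @@ def check_permissions(self, request):
 )
 
 class OrderPaymentTermUpdateAPIView(generics.UpdateAPIView):
+model = Order
 permission_classes = (GranularPermission, )
 queryset = Order.objects.all()
 serializer_class = OrderPaymentUpdateSerializer
 lookup_field = 'alias'
 required_perm = PermissionsEnum.CAN_UPDATE_ORDER_PYMENT_TERM
 
 class OrderPaymentMethodUpdateAPIView(generics.UpdateAPIView):
+model = Order
 permission_classes = (GranularPermission, )
 required_perm = PermissionsEnum.CAN_UPDATE_ORDER_PAYMENT_METHOD
 queryset = Order.objects.all()
@@ -489,43 +491,29 @@ class ReturnRequestFilterMixing:
 
 
 class ReturnRequestAPIView(ReturnRequestFilterMixing, generics.ListCreateAPIView):
+permission_classes = (CommonPermissions, )
+model = ReturnRequest
 queryset = ReturnRequest.objects.all()
 serializer_class = ReturnRequestSerializer
-
-HTTP_PERMISSIONS = {
-UserRole.STORE_MANAGER: {"POST", 'GET'},
-UserRole.ADMIN: {"all"},
-UserRole.ORDER_PROCESSOR: {"POST", 'GET'},
-UserRole.STORE_VIEWER: {"GET"},
-}
-
 
 class ReturnRequestDetailAPIView(generics.RetrieveUpdateAPIView):
+permission_classes = (CommonPermissions, )
+model = ReturnRequest
 queryset = ReturnRequest.objects.all()
 serializer_class = ReturnRequestDetailsSerializer
 lookup_field = 'id'
 
-HTTP_PERMISSIONS = {
-UserRole.STORE_MANAGER: {"PUT", 'PATCH', 'GET'},
-UserRole.ADMIN: {"all"},
-UserRole.ORDER_PROCESSOR: {"PATCH", 'GET'},
-UserRole.STORE_VIEWER: {"GET"},
-}
-
 def get_serializer_class(self):
 if self.request.method in ['PATCH', 'PUT']:
 return ReturnRequestStatusUpdateSerializer
 return self.serializer_class
 
 class ReturnLineItemStatusUpdateAPIView(generics.UpdateAPIView):
+permission_classes = (CommonPermissions, )
+model = ReturnRequest
+
 serializer_class = ReturnLineItemStatusUpdateSerializer
 
-HTTP_PERMISSIONS = {
-UserRole.STORE_MANAGER: {"PUT", 'PATCH', 'GET'},
-UserRole.ADMIN: {"all"},
-UserRole.ORDER_PROCESSOR: {"PATCH", 'GET'},
-UserRole.STORE_VIEWER: {"GET"},
-}
 
 def update(self, request, *args, **kwargs):
 serializer = self.get_serializer(data=request.data)
@@ -554,14 +542,10 @@ def update(self, request, *args, **kwargs):
 
 
 class ReturnRequestBulkUpdateAPIView(generics.UpdateAPIView):
-serializer_class = ReturnRequestBulkUpdateSerializer
+permission_classes = (CommonPermissions, )
+model = ReturnRequest
 
-HTTP_PERMISSIONS = {
-UserRole.STORE_MANAGER: {'all'},
-UserRole.ADMIN: {"all"},
-UserRole.ORDER_PROCESSOR: {'all'},
-UserRole.STORE_VIEWER: {"GET"},
-}
+serializer_class = ReturnRequestBulkUpdateSerializer
 
 def update(self, request, *args, **kwargs):
 serializer = self.get_serializer(data=request.data)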
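Review bot: `ReturnLineItemStatusUpdateAPIView` in the second hunk gets `model = ReturnRequest` but, unlike every other class touched in this section, no `queryset`; with the new `has_permission` lookup in admin_permissions.py calling `view.get_queryset()` before falling back to `model`, that view's permission check will hit the `GenericAPIView.get_queryset` assertion unless a `queryset` or `get_queryset` is defined further down, outside the hunk. If it is not, add `queryset = ReturnRequest.objects.all()` next to `model`, matching the sibling classes. The removed `HTTP_PERMISSIONS` tables encoded a per-role method matrix in which `STORE_VIEWER` was limited to GET on all four return-request views; `CommonPermissions` is not visible here, so it is worth confirming that it reproduces that read-only restriction rather than widening write access on these endpoints. The `update` methods continue outside the hunks.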
