Merge pull request #378 from MySecondLanguage/user-query-added

User query added

Author: MySecondLanguage

nxtbn/core/admin_permissions.py

@@ -1,3 +1,30 @@
+"""
+Dashboard User Permission Hierarchy:
+
+- `is_superuser`:  
+    Grants unrestricted access to all dashboard functionalities without any limitations.  
+    Inherits all permissions of `is_store_admin` by default.  
+
+- `is_staff`:  
+    Required for all users to access the dashboard.  
+
+- `is_store_admin`:  
+    Has extensive permissions and authority within the dashboard.  
+    Can perform almost all operations except a few critical ones restricted to the superuser.  
+    Inherits all permissions assigned to other users by default.  
+
+- `is_store_staff`:  
+    Has limited access to the dashboard.  
+    Their permissions can be extended granularly by assigning specific permissions, which are managed by the store admin.  
+
+**Additional Notes:**  
+- All users have read permissions by default, except for certain critical data that require explicit authorization.  
+- The superuser automatically inherits all permissions of a store admin.  
+- A store admin inherits all permissions granted to other users by default.  
+"""
+
+
+
 from rest_framework.permissions import BasePermission
 from rest_framework.permissions import SAFE_METHODS
 
@@ -7,22 +34,50 @@
 import functools
 from graphql import GraphQLError
 
+
+class IsStoreAdmin(BasePermission):
+    def has_permission(self, request, view):
+        if not request.user.is_staff:
+            return False
+        return request.user.is_store_admin
+    
+class IsStoreStaff(BasePermission):
+    def has_permission(self, request, view):
+        if not request.user.is_staff:
+            return False
+        
+        if request.user.is_superuser:
+            return True
+        
+        if request.user.is_store_admin:
+            return True
+
+        return request.user.is_store_staff
+
 class GranularPermission(BasePermission):
     def get_permission_name(self, model_name, action):
 
         return f"{model_name}.{action}"
 
     def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_staff:
             return False
 
         if request.user.is_superuser:
             return True
 
+        if request.user.is_store_admin:
+            return True
+        
         if request.method in SAFE_METHODS and request.user.is_staff: # Every staff can view
             return True
 
-        model_cls = getattr(view, 'queryset', None) or getattr(view, 'model', None)
+        model_cls = None
+        if hasattr(view, 'get_queryset'): # Warning, Never use  hasattr(view, 'queryset') as DRF cache  this which may lead to unexpected behavior
+            model_cls = view.get_queryset().model
+        elif hasattr(view, 'model'):
+            model_cls = view.model
+
         if model_cls is None:
             return False
 
@@ -38,18 +93,26 @@ def has_permission(self, request, view):
 class CommonPermissions(BasePermission):
 
     def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_staff:
             return False
 
         if request.user.is_superuser:
             return True
 
+        if request.user.is_store_admin:
+            return True
+        
         if request.method in SAFE_METHODS and request.user.is_staff: # Every staff can view
             return True
 
 
 
-        model_cls = getattr(view, 'queryset', None) or getattr(view, 'model', None)
+        model_cls = None
+        if hasattr(view, 'get_queryset'): # Warning, Never use  hasattr(view, 'queryset') as DRF cache  this which may lead to unexpected behavior
+            model_cls = view.get_queryset().model
+        elif hasattr(view, 'model'):
+            model_cls = view.model
+            
         if model_cls is None:
             return False
 
@@ -73,6 +136,18 @@ def has_permission(self, request, view):
         return request.user.has_perm(required_permission)
 
 
+def has_required_perm(user, code: str, model_cls=None):
+    if not user.is_staff:
+        return False
+
+    if user.is_superuser:
+        return True
+    
+    if user.is_store_admin:
+        return True
+
+    perm_code  = model_cls._meta.app_label + '.' + code
+    return user.has_perm(perm_code)
 
 
 def gql_required_perm(code: str): # Used in graphql only
@@ -100,6 +175,7 @@ def wrapper(self, info, *args, **kwargs):
     return decorator
 
 
+
 def gql_staff_required(func): # Used in graphql only
     @functools.wraps(func)
     def wrapper(self, info, *args, **kwargs):

nxtbn/core/enum_perms.py

@@ -4,4 +4,8 @@
 class PermissionsEnum(models.TextChoices):
     CAN_APPROVE_ORDER = "can_approve_order"
     CAN_CANCEL_ORDER = "can_cancel_order"
-    CAN_SHIP_ORDER = "can_ship_order"
+    CAN_SHIP_ORDER = "can_ship_order"
+    CAN_PROCCSS_ORDER = "can_process_order"
+    CAN_DELIVER_ORDER = "can_deliver_order"
+    CAN_UPDATE_ORDER_PYMENT_TERM = "can_update_order_payment_term"
+    CAN_UPDATE_ORDER_PAYMENT_METHOD = "can_update_order_payment_method"

nxtbn/order/api/dashboard/views.py

@@ -21,7 +21,7 @@
 import django_filters
 from django_filters import rest_framework as filters
 
-from nxtbn.core.admin_permissions import GranularPermission, CommonPermissions
+from nxtbn.core.admin_permissions import GranularPermission, CommonPermissions, has_required_perm
 from nxtbn.core.enum_perms import PermissionsEnum
 from nxtbn.core.utils import to_currency_unit
 from nxtbn.order.proccesor.views import OrderProccessorAPIView
@@ -419,11 +419,41 @@ class OrderStatusUpdateAPIView(generics.UpdateAPIView):
     serializer_class = OrderStatusUpdateSerializer
     lookup_field = 'alias'
 
+    def check_permissions(self, request):
+        status = request.data.get('status')
+        user = request.user
+
+        print(status, 'status')
+
+        permission_map = {
+            OrderStatus.CANCELLED: PermissionsEnum.CAN_CANCEL_ORDER,
+            OrderStatus.SHIPPED: PermissionsEnum.CAN_SHIP_ORDER,
+            OrderStatus.DELIVERED: PermissionsEnum.CAN_DELIVER_ORDER,
+            OrderStatus.APPROVED: PermissionsEnum.CAN_APPROVE_ORDER,
+            OrderStatus.PROCESSING: PermissionsEnum.CAN_PROCCSS_ORDER,
+        }
+
+        required_permission = permission_map.get(status)
+        print(required_permission, 'required_permission')
+        if required_permission and not has_required_perm(user, required_permission, Order):
+            self.permission_denied(
+                request,
+                message=_("You do not have permission to perform this action."),
+                code='permission_denied'
+            )
+
 class OrderPaymentTermUpdateAPIView(generics.UpdateAPIView):
+    model = Order
+    permission_classes = (GranularPermission, )
     queryset = Order.objects.all()
     serializer_class = OrderPaymentUpdateSerializer
     lookup_field = 'alias'
+    required_perm = PermissionsEnum.CAN_UPDATE_ORDER_PYMENT_TERM
+
 class OrderPaymentMethodUpdateAPIView(generics.UpdateAPIView):
+    model = Order
+    permission_classes = (GranularPermission, )
+    required_perm = PermissionsEnum.CAN_UPDATE_ORDER_PAYMENT_METHOD
     queryset = Order.objects.all()
     serializer_class = OrderPaymentMethodSerializer
     lookup_field = 'alias'
@@ -461,43 +491,29 @@ class ReturnRequestFilterMixing:
 
 
 class ReturnRequestAPIView(ReturnRequestFilterMixing, generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ReturnRequest
     queryset = ReturnRequest.objects.all()
     serializer_class = ReturnRequestSerializer
-
-    HTTP_PERMISSIONS = {
-        UserRole.STORE_MANAGER: {"POST", 'GET'},
-        UserRole.ADMIN: {"all"},
-        UserRole.ORDER_PROCESSOR: {"POST", 'GET'},
-        UserRole.STORE_VIEWER: {"GET"},
-    }
-    
 
 class ReturnRequestDetailAPIView(generics.RetrieveUpdateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ReturnRequest
     queryset = ReturnRequest.objects.all()
     serializer_class = ReturnRequestDetailsSerializer
     lookup_field = 'id'
 
-    HTTP_PERMISSIONS = {
-        UserRole.STORE_MANAGER: {"PUT", 'PATCH', 'GET'},
-        UserRole.ADMIN: {"all"},
-        UserRole.ORDER_PROCESSOR: {"PATCH", 'GET'},
-        UserRole.STORE_VIEWER: {"GET"},
-    }
-
     def get_serializer_class(self):
         if self.request.method in ['PATCH', 'PUT']:
             return ReturnRequestStatusUpdateSerializer
         return self.serializer_class
 
 class ReturnLineItemStatusUpdateAPIView(generics.UpdateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ReturnRequest
+
     serializer_class = ReturnLineItemStatusUpdateSerializer
 
-    HTTP_PERMISSIONS = {
-        UserRole.STORE_MANAGER: {"PUT", 'PATCH', 'GET'},
-        UserRole.ADMIN: {"all"},
-        UserRole.ORDER_PROCESSOR: {"PATCH", 'GET'},
-        UserRole.STORE_VIEWER: {"GET"},
-    }
 
     def update(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
@@ -526,14 +542,10 @@ def update(self, request, *args, **kwargs):
 
 
 class ReturnRequestBulkUpdateAPIView(generics.UpdateAPIView):
-    serializer_class = ReturnRequestBulkUpdateSerializer
+    permission_classes = (CommonPermissions, )
+    model = ReturnRequest
 
-    HTTP_PERMISSIONS = {
-        UserRole.STORE_MANAGER: {'all'},
-        UserRole.ADMIN: {"all"},
-        UserRole.ORDER_PROCESSOR: {'all'},
-        UserRole.STORE_VIEWER: {"GET"},
-    }
+    serializer_class = ReturnRequestBulkUpdateSerializer
 
     def update(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)

nxtbn/order/migrations/0033_alter_order_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.2.11 on 2025-01-31 13:04
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('order', '0032_alter_order_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='order',
+            options={'ordering': ('-created_at',), 'permissions': [('can_approve_order', 'Can approve order'), ('can_cancel_order', 'Can cancel order'), ('can_ship_order', 'Can ship order'), ('can_process_order', 'Can process order'), ('can_deliver_order', 'Can deliver order')]},
+        ),
+    ]

nxtbn/order/migrations/0034_alter_order_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.2.11 on 2025-01-31 14:20
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('order', '0033_alter_order_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='order',
+            options={'ordering': ('-created_at',), 'permissions': [('can_approve_order', 'Can approve order'), ('can_cancel_order', 'Can cancel order'), ('can_ship_order', 'Can ship order'), ('can_process_order', 'Can process order'), ('can_deliver_order', 'Can deliver order'), ('can_update_order_payment_term', 'Can update order payment term')]},
+        ),
+    ]

nxtbn/order/migrations/0035_alter_order_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.2.11 on 2025-01-31 15:16
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('order', '0034_alter_order_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='order',
+            options={'ordering': ('-created_at',), 'permissions': [('can_approve_order', 'Can approve order'), ('can_cancel_order', 'Can cancel order'), ('can_ship_order', 'Can ship order'), ('can_process_order', 'Can process order'), ('can_deliver_order', 'Can deliver order'), ('can_update_order_payment_term', 'Can update order payment term'), ('can_update_order_payment_method', 'Can update order payment method')]},
+        ),
+    ]

nxtbn/order/models.py

@@ -254,6 +254,10 @@ class Meta:
             (PermissionsEnum.CAN_APPROVE_ORDER, 'Can approve order'),
             (PermissionsEnum.CAN_CANCEL_ORDER, 'Can cancel order'),
             (PermissionsEnum.CAN_SHIP_ORDER, 'Can ship order'),
+            (PermissionsEnum.CAN_PROCCSS_ORDER, 'Can process order'),
+            (PermissionsEnum.CAN_DELIVER_ORDER, 'Can deliver order'),
+            (PermissionsEnum.CAN_UPDATE_ORDER_PYMENT_TERM, 'Can update order payment term'),
+            (PermissionsEnum.CAN_UPDATE_ORDER_PAYMENT_METHOD, 'Can update order payment method'),
         ]
 
     def save(self, *args, **kwargs):

nxtbn/tax/api/dashboard/views.py

@@ -4,6 +4,7 @@
 from rest_framework.permissions  import AllowAny
 from rest_framework.exceptions import APIException
 
+from nxtbn.core.admin_permissions import CommonPermissions
 from nxtbn.core.paginator import NxtbnPagination
 
 from nxtbn.tax.models import TaxClass, TaxClassTranslation, TaxRate
@@ -20,17 +21,23 @@
 from nxtbn.users import UserRole
 
 class TaxClassView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     queryset = TaxClass.objects.all()
     serializer_class = TaxClassSerializer
     pagination_class = NxtbnPagination
 
 
 class TaxClassDetailsView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     queryset = TaxClass.objects.all()
     serializer_class = TaxClassDetailSerializer
     lookup_field = 'id'
 
 class TaxRateListCreateAPIView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     serializer_class = TaxRateSerializer
     queryset = TaxRate.objects.all()
     filter_backends = [
@@ -43,6 +50,8 @@ class TaxRateListCreateAPIView(generics.ListCreateAPIView):
 
 
 class TaxRateRetrieveUpdateDelete(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     serializer_class = TaxRateSerializer
     queryset = TaxRate.objects.all()
     lookup_field = 'id'