Merge pull request #379 from MySecondLanguage/optimized-permission

Optimized permission

Author: MySecondLanguage

nxtbn/core/api/dashboard/views.py

@@ -26,13 +26,15 @@
 from rest_framework import serializers
 
 from nxtbn.core import LanguageChoices
+from nxtbn.core.admin_permissions import GranularPermission, IsStoreAdmin, IsStoreStaff
 from nxtbn.core.api.dashboard.serializers import InvoiceSettingsSerializer, SiteSettingsSerializer
 from nxtbn.core.models import InvoiceSettings, SiteSettings
 from nxtbn.users import UserRole
 
 
 
 class SiteSettingsView(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsStoreAdmin,)
     queryset = SiteSettings.objects.all()
     serializer_class = SiteSettingsSerializer
 
@@ -49,6 +51,7 @@ def get_object(self):
 
 
 class InvoiceSettingsView(generics.RetrieveUpdateAPIView):
+    permission_classes = (IsStoreAdmin,)
     queryset = InvoiceSettings.objects.all()
     serializer_class = InvoiceSettingsSerializer
 
@@ -64,6 +67,7 @@ def get_object(self):
 
 
 class LanguageChoicesAPIView(APIView):
+    permission_classes = (IsStoreStaff,)
     def get(self, request, *args, **kwargs):
         languages = [
             {"value": lang_value, "label": lang_label}

nxtbn/core/enum_perms.py

@@ -8,4 +8,12 @@ class PermissionsEnum(models.TextChoices):
     CAN_PROCCSS_ORDER = "can_process_order"
     CAN_DELIVER_ORDER = "can_deliver_order"
     CAN_UPDATE_ORDER_PYMENT_TERM = "can_update_order_payment_term"
-    CAN_UPDATE_ORDER_PAYMENT_METHOD = "can_update_order_payment_method"
+    CAN_UPDATE_ORDER_PAYMENT_METHOD = "can_update_order_payment_method"
+
+    CAN_INITIATE_PAYMENT_REFUND = "CAN_INITIATE_PAYMENT_REFUND"
+
+    CAN_BULK_PRODUCT_STATUS_UPDATE = "can_bulk_product_status_update"
+    CAN_BULK_PRODUCT_DELETE = "can_bulk_product_delete"
+
+    CAN_READ_CUSTOMER = "can_read_customer"
+    CAN_UPDATE_CUSTOMER = "can_create_customer"

nxtbn/discount/api/dashboard/views.py

@@ -1,6 +1,7 @@
 from rest_framework import generics, viewsets
 from rest_framework.response import Response
 from rest_framework import status
+from nxtbn.core.admin_permissions import CommonPermissions
 from nxtbn.core.paginator import NxtbnPagination
 from nxtbn.discount.models import PromoCode, PromoCodeCustomer, PromoCodeProduct, PromoCodeUsage
 from nxtbn.discount.api.dashboard.serializers import AttachPromoCodeEntitiesSerializer, PromoCodeCustomerSerializer, PromoCodeProductSerializer, PromoCodeCountedSerializer, PromoCodeUsageSerializer
@@ -50,18 +51,24 @@ def get_queryset(self):
         return PromoCode.objects.all()
 
 class PromoCodeListCreateAPIView(PromocodeFilterMixin, generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCode
     pagination_class = NxtbnPagination
     queryset = PromoCode.objects.all()
     serializer_class = PromoCodeCountedSerializer
 
 
 class PromoCodeUpdateRetrieveDeleteView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCode
     queryset = PromoCode.objects.all()
     serializer_class = PromoCodeCountedSerializer
     lookup_field = 'id'
 
 
 class AttachPromoCodeEntitiesAPIView(generics.CreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCode
     serializer_class = AttachPromoCodeEntitiesSerializer
 
     def create(self, request, *args, **kwargs):
@@ -81,6 +88,8 @@ class Meta:
         model = PromoCodeProduct
         fields = ['promo_code']
 class PromoCodeProductListAPIView(generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCodeProduct
     queryset = PromoCodeProduct.objects.all()
     serializer_class = PromoCodeProductSerializer
     filter_backends = [
@@ -98,6 +107,8 @@ class Meta:
         model = PromoCodeCustomer
         fields = ['promo_code']
 class PromoCodeCustomertListAPIView(generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCodeCustomer
     queryset = PromoCodeCustomer.objects.all()
     serializer_class = PromoCodeCustomerSerializer
     filter_backends = [
@@ -111,6 +122,8 @@ class PromoCodeCustomertListAPIView(generics.ListAPIView):
 
 
 class PromoCodeUsageListAPIView(generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = PromoCodeUsage
     queryset = PromoCodeUsage.objects.all()
     serializer_class = PromoCodeUsageSerializer
     pagination_class = NxtbnPagination

nxtbn/invoice/api/dashboard/views.py

@@ -4,12 +4,14 @@
 from rest_framework.permissions  import AllowAny
 from rest_framework.exceptions import APIException
 
+from nxtbn.core.admin_permissions import IsStoreStaff
 from nxtbn.invoice.api.dashboard.serializers import OrderInvoiceSerializer
 from nxtbn.order.models import Order
 from nxtbn.users import UserRole
 
 
 class OrderInvoiceAPIView(generics.RetrieveAPIView):
+    permission_classes = (IsStoreStaff,)
     queryset = Order.objects.all()
     serializer_class = OrderInvoiceSerializer
     lookup_field = 'alias'

nxtbn/payment/api/dashboard/views.py

@@ -5,11 +5,17 @@
 from rest_framework.permissions  import AllowAny
 from rest_framework.exceptions import APIException
 
+from nxtbn.core.admin_permissions import CommonPermissions, GranularPermission
+from nxtbn.core.enum_perms import PermissionsEnum
 from nxtbn.payment.models import Payment
 from nxtbn.payment.api.dashboard.serializers import PaymentCreateSerializer, RefundSerializer
 from nxtbn.users import UserRole
 
 class RefundAPIView(generics.UpdateAPIView):
+    permission_classes = (GranularPermission, )
+    model = Payment
+    required_perm = PermissionsEnum.CAN_INITIATE_PAYMENT_REFUND
+    
     queryset = Payment.objects.all()
     serializer_class = RefundSerializer
 
@@ -19,5 +25,6 @@ def get_object(self):
         return get_object_or_404(Payment, order__alias=order_alias)
 
 class PaymentCreateAPIView(generics.CreateAPIView):
+    permission_classes = (CommonPermissions, )
     queryset = Payment.objects.all()
     serializer_class = PaymentCreateSerializer

nxtbn/payment/models.py

@@ -2,6 +2,7 @@
 from django. utils import timezone
 
 from nxtbn.core import CurrencyTypes, MoneyFieldTypes
+from nxtbn.core.enum_perms import PermissionsEnum
 from nxtbn.core.mixin import MonetaryMixin
 from nxtbn.core.models import  AbstractBaseUUIDModel
 from nxtbn.order import OrderStatus
@@ -60,6 +61,11 @@ class Payment(MonetaryMixin, AbstractBaseUUIDModel):
     payment_plugin_id = models.CharField(max_length=100, blank=True, null=True)
     gateway_name = models.CharField(max_length=100, blank=True, null=True)
 
+    class Meta:
+        permissions = [
+            (PermissionsEnum.CAN_INITIATE_PAYMENT_REFUND, "Can initiate refunds"),
+        ]
+
     def save(self, *args, **kwargs):
         self.validate_amount()
         super(Payment, self).save(*args, **kwargs)

nxtbn/plugins/api/dashboard/views.py

@@ -11,6 +11,7 @@
 
 from django.forms import ValidationError
 import requests
+from nxtbn.core.admin_permissions import IsStoreAdmin
 from nxtbn.plugins.utils import PluginHandler
 from rest_framework import generics, status
 from rest_framework.response import Response
@@ -39,6 +40,7 @@
 
 
 class PluginListView(APIView):
+    permission_classes = (IsStoreAdmin,)
     serializer_class = PluginSerializer
     HTTP_PERMISSIONS = {
         UserRole.STORE_MANAGER: {"get"},

nxtbn/product/api/dashboard/views.py

@@ -14,6 +14,8 @@
 from django_filters import rest_framework as filters
 
 from nxtbn.core import PublishableStatus
+from nxtbn.core.admin_permissions import CommonPermissions, GranularPermission
+from nxtbn.core.enum_perms import PermissionsEnum
 from nxtbn.core.paginator import NxtbnPagination
 from nxtbn.product.models import CategoryTranslation, CollectionTranslation, Color, Product, Category, Collection, ProductTag, ProductTagTranslation, ProductTranslation, ProductType, ProductVariant, Supplier, SupplierTranslation
 from nxtbn.product.api.dashboard.serializers import (
@@ -111,6 +113,8 @@ def get_queryset(self):
         return Product.objects.all().order_by('-created_at')
 
 class ProductListView(ProductFilterMixin, generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Product
     serializer_class = ProductSerializer
     pagination_class = NxtbnPagination
 
@@ -120,6 +124,8 @@ def get_serializer_class(self):
         return ProductSerializer
 
 class ProductMinimalListView(ProductFilterMixin, generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Product
     serializer_class = ProductMinimalSerializer
     pagination_class = None
 
@@ -136,6 +142,8 @@ def get(self, request, *args, **kwargs):
 
 
 class ProductListDetailVariantView(ProductFilterMixin, generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Product
     serializer_class = ProductWithVariantSerializer
     pagination_class = NxtbnPagination
 
@@ -146,28 +154,38 @@ def get_queryset(self):
 
 
 class ProductDetailView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Product
     queryset = Product.objects.all()
     serializer_class = ProductMutationSerializer
     lookup_field = 'id'
 
 
 class ProductWithVariantView(generics.RetrieveAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Product
     queryset = Product.objects.all()
     serializer_class = ProductWithVariantSerializer
     lookup_field = 'id'
 
 
 class CategoryListView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Category
     queryset = Category.objects.filter()
     serializer_class = CategorySerializer
 
 
 class RecursiveCategoryListView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Category
     queryset = Category.objects.filter(parent=None) # Get only top-level categories
     serializer_class = RecursiveCategorySerializer
     pagination_class = None
 
 class CategoryByParentView(generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Category
     pagination_class = None
     queryset = Category.objects.all()
     serializer_class = BasicCategorySerializer
@@ -176,13 +194,17 @@ def get_queryset(self):
         return super().get_queryset().filter(parent=self.kwargs.get('id'))
 
 class CategoryDetailView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Category
     queryset = Category.objects.all()
     serializer_class = CategorySerializer
     lookup_field = 'id'
 
 
 
 class CollectionViewSet(viewsets.ModelViewSet):
+    permission_classes = (CommonPermissions, )
+    model = Collection
     pagination_class = None
     queryset = Collection.objects.all()
     serializer_class = CollectionSerializer
@@ -193,6 +215,8 @@ def get_queryset(self):
         return Collection.objects.all()
 
 class ColorViewSet(viewsets.ModelViewSet):
+    permission_classes = (CommonPermissions, )
+    model = Color
     pagination_class = None
     queryset = Color.objects.all()
     serializer_class = ColorSerializer
@@ -204,6 +228,8 @@ def get_queryset(self):
 
 
 class ProductTypeViewSet(viewsets.ModelViewSet):
+    permission_classes = (CommonPermissions, )
+    model = ProductType
     pagination_class = None
     queryset = ProductType.objects.all()
     serializer_class = ProductTypeSerializer
@@ -214,6 +240,8 @@ def get_queryset(self):
 
 
 class ProductTagViewSet(viewsets.ModelViewSet):
+    permission_classes = (CommonPermissions, )
+    model = ProductTag
     pagination_class = None
     queryset = ProductTag.objects.all()
     serializer_class = ProductTagSerializer
@@ -230,6 +258,8 @@ def list(self, request, *args, **kwargs):
 
 
 class ProductVariantDeleteAPIView(generics.DestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ProductVariant
     queryset = ProductVariant.objects.all()
 
     def destroy(self, request, *args, **kwargs):
@@ -243,13 +273,18 @@ def destroy(self, request, *args, **kwargs):
 
 
 class TaxClassView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     queryset = TaxClass.objects.all()
     serializer_class = TaxClassSerializer
     pagination_class = None
 
 
 
 class BulkProductStatusUpdateAPIView(generics.UpdateAPIView):
+    permission_classes = (GranularPermission, )
+    model = Product
+    required_perm = PermissionsEnum.CAN_BULK_PRODUCT_STATUS_UPDATE
     serializer_class = ProductStatusUpdateBulkSerializer
 
     def update(self, request, *args, **kwargs):
@@ -264,6 +299,9 @@ def update(self, request, *args, **kwargs):
 
 
 class BulkProductDeleteAPIView(generics.DestroyAPIView):
+    permission_classes = (GranularPermission, )
+    model = Product
+    required_perm = PermissionsEnum.CAN_BULK_PRODUCT_DELETE
     queryset = Product.objects.all()
 
 
@@ -311,6 +349,8 @@ class ProductVariantFilterMixin:
     filterset_class = ProductVariantFilter
 
 class ProductVariants(ProductVariantFilterMixin, generics.ListAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ProductVariant
     serializer_class = ProductVariantShortSerializer
     queryset = ProductVariant.objects.all()
     pagination_class = NxtbnPagination
@@ -331,12 +371,16 @@ class ProductVariants(ProductVariantFilterMixin, generics.ListAPIView):
 
 
 class InventoryListView(ProductFilterMixin, generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = ProductVariant
     serializer_class = InventorySerializer
     pagination_class = NxtbnPagination
 
 
 
 class SupplierModelViewSet(viewsets.ModelViewSet):
+    permission_classes = (CommonPermissions, )
+    model = Supplier
     serializer_class = SupplierSerializer
     queryset = Supplier.objects.all()
     pagination_class = NxtbnPagination