refactor: custom permission for quiblet object

quibble-dev · Dec 6, 2024 · 45f43ac · 45f43ac
1 parent 5d41473
commit 45f43ac
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/backend/apps/quiblet/api/permissions.py b/backend/apps/quiblet/api/permissions.py
@@ -0,0 +1,16 @@
+from rest_framework.permissions import SAFE_METHODS, BasePermission
+
+
+class IsRangerOrReadOnly(BasePermission):
+    """
+    Custom permission to allow only rangers of a Quiblet to edit it.
+    """
+
+    def has_object_permission(self, request, view, obj):  # type: ignore
+        if request.method in SAFE_METHODS:
+            return True
+
+        if request.user and request.user.is_authenticated:
+            return obj.rangers.filter(id=request.user_profile.id).exists()
+        else:
+            return False
diff --git a/backend/apps/quiblet/api/viewsets.py b/backend/apps/quiblet/api/viewsets.py
@@ -2,13 +2,15 @@
 
 from apps.quiblet.models import Quiblet
 
+from .permissions import IsRangerOrReadOnly
 from .serializers import QuibletSerializer
 
 
 class QuibletViewSet(ModelViewSet):
     queryset = Quiblet.objects.all()
     serializer_class = QuibletSerializer
+    permission_classes = (IsRangerOrReadOnly,)
 
     def perform_create(self, serializer):
-        quibber = self.request.user_profile
+        quibber = self.request.user_profile  # type: ignore
         serializer.save(quibber=quibber)
diff --git a/backend/shared/permissions.py b/backend/shared/permissions.py
@@ -0,0 +1,13 @@
+from rest_framework.permissions import SAFE_METHODS, BasePermission
+
+
+class IsQuibblerOrReadOnly(BasePermission):
+    """
+    Custom permission to allow only quibbler of a feature to edit it.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        if request.method in SAFE_METHODS:
+            return True
+
+        return obj.quibbler == request.user_profile