From ac0c037e64fd8413598b4415318ab0a11db5757b Mon Sep 17 00:00:00 2001
From: Jesse Zong
Date: Tue, 24 Oct 2023 17:45:36 -0400
Subject: [PATCH] Add permissions

---
 backend/sublet/permissions.py | 21 +++++++++++++++++++++
 backend/sublet/serializers.py |  2 +-
 backend/sublet/views.py       | 28 +++++++++++++++------------
 3 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/backend/sublet/permissions.py b/backend/sublet/permissions.py
index 6abbb850..5b64d05d 100644
--- a/backend/sublet/permissions.py
+++ b/backend/sublet/permissions.py
@@ -18,6 +18,27 @@ class SubletOwnerPermission(permissions.BasePermission):
     Custom permission to allow the owner of a Sublet to edit or delete it.
     """
 
+    def has_permission(self, request, view):
+        return request.user.is_authenticated
+
     def has_object_permission(self, request, view, obj):
         # Check if the user is the owner of the Sublet.
+        if request.method in permissions.SAFE_METHODS:
+            return True
         return obj.subletter == request.user
+
+
+class OfferOwnerPermission(permissions.BasePermission):
+    """
+    Custom permission to allow owner of an offer to delete it.
+    """
+
+    def has_permission(self, request, view):
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request, view, obj):
+        # Check if the user is the owner of the Sublet.
+        if request.method in permissions.SAFE_METHODS:
+            # Check if the user owns the sublet
+            return obj.sublet.subletter == request.user
+        return obj.user == request.user
diff --git a/backend/sublet/serializers.py b/backend/sublet/serializers.py
index e1ecb0f2..343e8109 100644
--- a/backend/sublet/serializers.py
+++ b/backend/sublet/serializers.py
@@ -87,7 +87,7 @@ class Meta:
 
 
 class FavoritesListSerializer(serializers.ModelSerializer):
-    sublet = SubletSerializer()
+    sublet = SimpleSubletSerializer()
 
     class Meta:
         model = Favorite
diff --git a/backend/sublet/views.py b/backend/sublet/views.py
index 3a09b415..2e404320 100644
--- a/backend/sublet/views.py
+++ b/backend/sublet/views.py
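Review bot: The comment `# Check if the user is the owner of the Sublet.` at the top of OfferOwnerPermission.has_object_permission is copied from SubletOwnerPermission and describes the wrong check; the non-safe branch below it compares `obj.user`, i.e. the offer's author. The docstring also only mentions deletion, while the safe-method branch restricts reads to the sublet's owner, so the author of an offer cannot retrieve their own offer through a detail endpoint guarded by this class — confirm that is intended. I would replace the comment with `# Safe methods: only the sublet's owner may read the offer; unsafe methods: only the offer's author.` and extend the docstring to say who may read. In SubletOwnerPermission, the new `has_permission` rejects every unauthenticated request, so the new `SAFE_METHODS` shortcut in `has_object_permission` never benefits anonymous users; if anonymous browsing is meant to stay open, `has_permission` should also return True for `request.method in permissions.SAFE_METHODS`.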
@@ -11,7 +11,7 @@
 from rest_framework.views import APIView
 
 from sublet.models import Amenity, Favorite, Offer, Sublet, SubletImage
-from sublet.permissions import IsSuperUser, SubletOwnerPermission
+from sublet.permissions import IsSuperUser, SubletOwnerPermission, OfferOwnerPermission
 from sublet.serializers import (
     AmenitySerializer,
     FavoriteSerializer,
@@ -34,6 +34,7 @@ class Amenities(generics.ListAPIView):
 
 class UserFavorites(generics.ListAPIView):
     serializer_class = FavoritesListSerializer
+    permission_classes = IsAuthenticated
 
     def get_queryset(self):
         user = self.request.user
@@ -42,6 +43,17 @@ def get_queryset(self):
         return Favorite.objects.filter(user=user)
 
 
+class UserOffers(generics.ListAPIView):
+    serializer_class = OfferSerializer
+    permission_classes = IsAuthenticated
+
+    def get_queryset(self):
+        user = self.request.user
+        # print(type(user.favorite_set))
+        # return user.favorite_set
+        return Offer.objects.filter(user=user)
+
+
 class Properties(viewsets.ModelViewSet):
     """
     list:
@@ -134,12 +146,12 @@ class Favorites(viewsets.ModelViewSet):
     serializer_class = FavoriteSerializer
     queryset = Favorite.objects.all()
     http_method_names = ["post", "delete"]
+    permission_classes = [IsAuthenticated | IsSuperUser]
 
     def create(self, request, *args, **kwargs):
         data = self.request.data
         data["sublet"] = int(self.kwargs["sublet_id"])
         data["user"] = self.request.user.id
-        print(data)
         serializer = self.get_serializer(data=data)
         serializer.is_valid(raise_exception=True)
         serializer.save()
@@ -166,7 +178,7 @@ class Offers(viewsets.ModelViewSet):
     Delete the offer between the user and the sublet matching the ID.
     """
 
-    # TODO: implement permissions
+    permission_classes = [OfferOwnerPermission | IsSuperUser]
     serializer_class = OfferSerializer
 
     def get_queryset(self):
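Review bot: `permission_classes = IsAuthenticated` in UserFavorites is a bare class rather than a list; DRF's `get_permissions` iterates `self.permission_classes`, so every request to this view would raise a TypeError instead of being authenticated. It should read `permission_classes = [IsAuthenticated]`; the same line in the new UserOffers class in the next hunk has the same problem. `IsAuthenticated` is not among the names imported from `sublet.permissions` in the first hunk, so it presumably comes from `rest_framework.permissions` outside this diff — worth confirming that import exists.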
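Review bot: The relocated UserOffers.get_queryset carries over two commented-out lines, `# print(type(user.favorite_set))` and `# return user.favorite_set`, which refer to favorites rather than offers and are dead code. Moving the class is the natural moment to drop them so the method is just the `user = self.request.user` / `return Offer.objects.filter(user=user)` pair.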
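Review bot: `permission_classes = [IsAuthenticated | IsSuperUser]` on Favorites only requires a login, and with `queryset = Favorite.objects.all()` the lookup is not scoped to the requesting user, so nothing in this hunk ties the `delete` method enabled via `http_method_names` to the favorite's owner; unless the view's destroy (outside this hunk) or a `get_queryset` override filters by `request.user`, any authenticated user could remove another user's favorite. An ownership check in the style of the new OfferOwnerPermission, or `def get_queryset(self): return Favorite.objects.filter(user=self.request.user)`, would close that. The `| IsSuperUser` term adds nothing if superusers are themselves authenticated, which is the usual case, so `[IsAuthenticated]` alone would be clearer — assuming IsSuperUser (not shown) simply checks `is_superuser`.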
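Review bot: `permission_classes = [OfferOwnerPermission | IsSuperUser]` composes an object-level permission with OR, and in DRF releases before the OR operator was changed to also require the matching operand's `has_permission`, the combined `has_object_permission` passes if either side's object check passes; `BasePermission.has_object_permission` returns True by default, so if IsSuperUser (defined outside this diff) only overrides `has_permission`, every authenticated user would pass the object check on any offer, and the `destroy` in the last hunk calls `check_object_permissions` right before `perform_destroy`. Either confirm the installed DRF version carries that fix, give IsSuperUser an explicit `has_object_permission` returning `request.user.is_superuser`, or handle superusers inside OfferOwnerPermission instead of composing. The Offers class body continues outside the hunk.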
@@ -188,13 +200,3 @@ def destroy(self, request, *args, **kwargs):
         self.check_object_permissions(self.request, obj)
         self.perform_destroy(obj)
         return Response(status=status.HTTP_204_NO_CONTENT)
-
-
-class UserOffers(generics.ListAPIView):
-    serializer_class = OfferSerializer
-
-    def get_queryset(self):
-        user = self.request.user
-        # print(type(user.favorite_set))
-        # return user.favorite_set
-        return Offer.objects.filter(user=user)