
[35/51] api: Make the series only editable by maintainers

Message ID 1441986924-26689-36-git-send-email-damien.lespiau@intel.com
State Superseded

Commit Message

Damien Lespiau Sept. 11, 2015, 3:55 p.m. UTC
Until now, development was done with a test user that had admin
privileges, and so held every single permission.

It's time to broaden this a bit and copy the existing behaviour:
maintainers of a project have the right to edit patches and now series
of that project.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
---
 patchwork/views/api.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

Patch

diff --git a/patchwork/views/api.py b/patchwork/views/api.py
index c3756fa..e8229ed 100644
--- a/patchwork/views/api.py
+++ b/patchwork/views/api.py
@@ -18,13 +18,26 @@ 
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
 from patchwork.models import Project, Series, SeriesRevision
-from rest_framework import viewsets, mixins, generics, filters
+from rest_framework import viewsets, mixins, generics, filters, permissions
 from rest_framework.response import Response
 from rest_framework.generics import get_object_or_404
 from patchwork.serializers import ProjectSerializer, SeriesSerializer, \
                                   RevisionSerializer
 
+class MaintainerPermission(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj):
+        # read only for everyone
+        if request.method in permissions.SAFE_METHODS:
+            return True
+
+        # editable for maintainers
+        user = request.user
+        if not user.is_authenticated():
+            return False
+        return obj.project.is_editable(user)
+
 class ProjectViewSet(viewsets.ViewSet):
+    permission_classes = (MaintainerPermission, )
     model = Project
 
     def list(self, request):
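Review bot: MaintainerPermission only overrides has_object_permission, which Django REST framework runs only when a view calls get_object() or check_object_permissions() itself. ProjectViewSet here, and RevisionViewSet in the last hunk, are plain ViewSets with hand-written handlers (their bodies continue outside the hunks), so unless those handlers call `self.check_object_permissions(request, obj)` the new class attribute has no effect on them, and a write handler added later would be unguarded. The check also reads `obj.project`, which a Project or SeriesRevision instance may not have, so it should be confirmed against those models. Adding a view-level has_permission, as below, at least rejects anonymous writes before any object is loaded.

```python
class MaintainerPermission(permissions.BasePermission):
    def has_permission(self, request, view):
        # view-level gate: anonymous users never get past read-only methods
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_authenticated()

    # … unchanged: has_object_permission …
```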
@@ -39,6 +52,7 @@  class ProjectViewSet(viewsets.ViewSet):
 
 class SeriesListViewSet(mixins.ListModelMixin,
                         viewsets.GenericViewSet):
+    permission_classes = (MaintainerPermission, )
     queryset = Series.objects.all()
     serializer_class = SeriesSerializer
     paginate_by = 20
@@ -58,10 +72,12 @@  class SeriesListViewSet(mixins.ListModelMixin,
 class SeriesViewSet(mixins.RetrieveModelMixin,
                     mixins.UpdateModelMixin,
                     viewsets.GenericViewSet):
+    permission_classes = (MaintainerPermission, )
     queryset = Series.objects.all()
     serializer_class = SeriesSerializer
 
 class RevisionViewSet(viewsets.ViewSet):
+    permission_classes = (MaintainerPermission, )
     model = SeriesRevision
 
     def retrieve(self, request, series_pk=None, pk=None):
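Review bot: On SeriesViewSet the maintainer check is evaluated against the series' current project only, before UpdateModelMixin applies the request body. If SeriesSerializer exposes `project` as a writable field (the serializer is not visible here), a maintainer of one project could reassign a series to a project they do not maintain. Listing `project` in the serializer's `read_only_fields`, or re-checking `is_editable` against the target project in the update path, would close that gap. A test asserting that a PUT/PATCH from an authenticated non-maintainer is rejected would pin the intended behaviour.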