From patchwork Fri Sep 11 15:55:08 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Damien Lespiau X-Patchwork-Id: 516878 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id AD64F14012C for ; Sat, 12 Sep 2015 02:01:06 +1000 (AEST) Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 879431A2BCC for ; Sat, 12 Sep 2015 02:01:06 +1000 (AEST) X-Original-To: patchwork@lists.ozlabs.org Delivered-To: patchwork@lists.ozlabs.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by lists.ozlabs.org (Postfix) with ESMTP id C6E991A2BBD for ; Sat, 12 Sep 2015 01:56:09 +1000 (AEST) Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga103.fm.intel.com with ESMTP; 11 Sep 2015 08:56:09 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.17,511,1437462000"; d="scan'208";a="559867286" Received: from jeffzhua-mobl.amr.corp.intel.com (HELO strange.amr.corp.intel.com) ([10.254.88.85]) by FMSMGA003.fm.intel.com with ESMTP; 11 Sep 2015 08:56:08 -0700 From: Damien Lespiau To: patchwork@lists.ozlabs.org Subject: [PATCH 35/51] api: Make the series only editable by maintainers Date: Fri, 11 Sep 2015 16:55:08 +0100 Message-Id: <1441986924-26689-36-git-send-email-damien.lespiau@intel.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1441986924-26689-1-git-send-email-damien.lespiau@intel.com> References: <1441986924-26689-1-git-send-email-damien.lespiau@intel.com> X-BeenThere: patchwork@lists.ozlabs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Patchwork development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Patchwork" Until now, development was done with a test user that had admin privileges, so every single permissions. It's time to broaden this a bit and copy the existing behaviour: maintainers of a project have the right to edit patches and now series of that project. Signed-off-by: Damien Lespiau --- patchwork/views/api.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/patchwork/views/api.py b/patchwork/views/api.py index c3756fa..e8229ed 100644 --- a/patchwork/views/api.py +++ b/patchwork/views/api.py @@ -18,13 +18,26 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA from patchwork.models import Project, Series, SeriesRevision -from rest_framework import viewsets, mixins, generics, filters +from rest_framework import viewsets, mixins, generics, filters, permissions from rest_framework.response import Response from rest_framework.generics import get_object_or_404 from patchwork.serializers import ProjectSerializer, SeriesSerializer, \ RevisionSerializer +class MaintainerPermission(permissions.BasePermission): + def has_object_permission(self, request, view, obj): + # read only for everyone + if request.method in permissions.SAFE_METHODS: + return True + + # editable for maintainers + user = request.user + if not user.is_authenticated(): + return False + return obj.project.is_editable(user) + class ProjectViewSet(viewsets.ViewSet): + permission_classes = (MaintainerPermission, ) model = Project def list(self, request): @@ -39,6 +52,7 @@ class ProjectViewSet(viewsets.ViewSet): class SeriesListViewSet(mixins.ListModelMixin, viewsets.GenericViewSet): + permission_classes = (MaintainerPermission, ) queryset = Series.objects.all() serializer_class = SeriesSerializer paginate_by = 20 @@ -58,10 +72,12 @@ class SeriesListViewSet(mixins.ListModelMixin, class SeriesViewSet(mixins.RetrieveModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet): + permission_classes = (MaintainerPermission, ) queryset = Series.objects.all() serializer_class = SeriesSerializer class RevisionViewSet(viewsets.ViewSet): + permission_classes = (MaintainerPermission, ) model = SeriesRevision def retrieve(self, request, series_pk=None, pk=None):