vontor-cz/backend/account/permissions.py

from urllib import request
from rest_framework.permissions import BasePermission, SAFE_METHODS
from rest_framework.permissions import IsAuthenticated
from rest_framework_api_key.permissions import HasAPIKey


#TOHLE POUŽÍT!!!
#Prostě stačí vložit: RoleAllowed('seller','cityClerk')
def RoleAllowed(*roles):
    """
    Allows safe methods for any authenticated user.
    Allows unsafe methods only for users with specific roles.
    Allows access if a valid API key is provided.

    Args:
        RoleAllowed('admin', 'user')
    """
    class SafeOrRolePermission(BasePermission):
        def has_permission(self, request, view):
            # Má API klíč?
            has_api_key = HasAPIKey().has_permission(request, view)

            # Allow safe methods for any authenticated user
            if request.method in SAFE_METHODS:
                return IsAuthenticated().has_permission(request, view)

            # Otherwise, check the user's role
            user = request.user
            return user and user.is_authenticated and getattr(user, "role", None) in roles

    return SafeOrRolePermission


def OnlyRolesAllowed(*roles):
    class SafeOrRolePermission(BasePermission):
        """
        Allows all methods only for users with specific roles.
        """

        def has_permission(self, request, view):
            # Otherwise, check the user's role
            user = request.user
            return user and user.is_authenticated and getattr(user, "role", None) in roles

    return SafeOrRolePermission

  
# For Settings.py
class AdminOnly(BasePermission):
    """ Allows access only to users with the 'admin' role.

    Args:
        BasePermission (rest_framework.permissions.BasePermission): Base class for permission classes.
    """
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and getattr(request.user, 'role', None) == 'admin'


# Commerce-specific permissions
class AdminWriteOnlyOrReadOnly(BasePermission):
    """Allow read for anyone, write only for admins"""
    def has_permission(self, request, view):
        if request.method in SAFE_METHODS:
            return True
        return request.user and request.user.is_authenticated and getattr(request.user, 'role', None) == 'admin'


class AdminOnlyForPatchOtherwisePublic(BasePermission):
    """Allow GET/POST for anyone, PATCH/PUT/DELETE only for admins"""
    def has_permission(self, request, view):
        if request.method in SAFE_METHODS or request.method == "POST":
            return True
        if request.method in ["PATCH", "PUT", "DELETE"]:
            return request.user and request.user.is_authenticated and getattr(request.user, 'role', None) == 'admin'
        # Default to admin for other unsafe methods
        return request.user and request.user.is_authenticated and getattr(request.user, 'role', None) == 'admin'