from rest_framework.permissions import IsAuthenticated, SAFE_METHODS
class CanEditHub(IsAuthenticated):
    """
    Object-level write permission for a Hub.

    - View-level: the request must be authenticated (inherited from
      IsAuthenticated).
    - Object-level, safe methods: always allowed.
    - Object-level, unsafe methods: allowed for the hub owner, a
      superuser, or any user with a row in ``obj.moderators``.
      Field-level restrictions are enforced in HubSerializer.

    DRF only runs ``has_object_permission`` when the view calls
    ``check_object_permissions`` (generic views do this inside
    ``get_object()``); list and create actions never reach it.
    """

    def has_object_permission(self, request, view, obj):
        """Return whether ``request.user`` may act on the hub ``obj``."""
        read_only = request.method in SAFE_METHODS
        if read_only:
            return True

        requester = request.user
        # Owner is compared first, then the superuser flag.
        if obj.owner == requester:
            return True
        if requester.is_superuser:
            return True

        # NOTE(review): every unsafe method is treated alike, so a moderator
        # also passes for DELETE, where serializer field rules do not apply.
        # Confirm the view restricts destroy separately if that is unintended.
        moderator_rows = obj.moderators.filter(user=requester)
        return moderator_rows.exists()
class IsHubOwnerOrSuperuser(IsAuthenticated):
    """
    Object-level write permission for objects that point at a hub via
    ``obj.hub`` (e.g. HubPermission).

    - View-level: the request must be authenticated (inherited from
      IsAuthenticated).
    - Object-level, safe methods: always allowed.
    - Object-level, unsafe methods: superuser or owner of ``obj.hub`` only.

    DRF only runs ``has_object_permission`` for an existing object (generic
    views call it from ``get_object()``). It is not consulted on create, so
    the hub named in a POST body has to be authorised by the view or
    serializer.
    """

    def has_object_permission(self, request, view, obj):
        """Return whether ``request.user`` may act on ``obj``."""
        if request.method not in SAFE_METHODS:
            requester = request.user
            # Superuser flag short-circuits before obj.hub is dereferenced.
            return requester.is_superuser or obj.hub.owner == requester

        # NOTE(review): reads pass for every authenticated user; confirm that
        # is intended for records such as HubPermission.
        return True
class CanManageHubTags(IsAuthenticated):
    """
    Object-level write permission for Tags (resolved through ``obj.hub``).

    - View-level: the request must be authenticated (inherited from
      IsAuthenticated).
    - Object-level, safe methods: always allowed.
    - Object-level, unsafe methods: superuser, owner of the tag's hub, or a
      moderator of that hub whose row has ``managing_posts=True``.

    DRF only runs ``has_object_permission`` for an existing object (generic
    views call it from ``get_object()``). Creating a tag does not pass
    through this check, so the target hub must be authorised by the view or
    serializer.
    """

    def has_object_permission(self, request, view, obj):
        """Return whether ``request.user`` may act on the tag ``obj``."""
        if request.method in SAFE_METHODS:
            return True

        requester = request.user
        parent_hub = obj.hub

        # Superuser flag is tested before the owner comparison.
        if requester.is_superuser:
            return True
        if parent_hub.owner == requester:
            return True

        # Being a moderator is not enough; the managing_posts flag must be set.
        qualifying = parent_hub.moderators.filter(
            user=requester,
            managing_posts=True,
        )
        return qualifying.exists()