From 706b29b345e78292bd32739967810985f0b4cf31 Mon Sep 17 00:00:00 2001
From: Samuel Gaist <samuel.gaist@idiap.ch>
Date: Fri, 24 Apr 2020 10:01:33 +0200
Subject: [PATCH] [common][api] Move from custom permission mixins to use
 permissions

Also add modifiable check for update/destroy end point.
---
 beat/web/common/api.py | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/beat/web/common/api.py b/beat/web/common/api.py
index 845640280..a31f8415f 100644
--- a/beat/web/common/api.py
+++ b/beat/web/common/api.py
@@ -29,13 +29,12 @@ from django.shortcuts import get_object_or_404
 
 from rest_framework import status
 from rest_framework import generics
-from rest_framework import permissions
+from rest_framework import permissions as drf_permissions
 from rest_framework import exceptions as drf_exceptions
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
 
 from .models import Contribution, Versionable
-from .permissions import IsAuthor
 from .exceptions import ShareError, BaseCreationError
 from .serializers import (
     SharingSerializer,
@@ -43,15 +42,16 @@ from .serializers import (
     CheckNameSerializer,
     DiffSerializer,
 )
-from .mixins import CommonContextMixin, SerializerFieldsMixin, IsAuthorOrReadOnlyMixin
+from .mixins import CommonContextMixin, SerializerFieldsMixin
 from .utils import py3_cmp
 
+from . import permissions as beat_permissions
 from . import is_true
 
 
 class CheckContributionNameView(CommonContextMixin, generics.CreateAPIView):
     serializer_class = CheckNameSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [drf_permissions.IsAuthenticated]
 
     def get_serializer_context(self):
         context = super(CheckContributionNameView, self).get_serializer_context()
@@ -65,7 +65,7 @@ class CheckContributionNameView(CommonContextMixin, generics.CreateAPIView):
 
 
 class ShareView(CommonContextMixin, generics.CreateAPIView):
-    permission_classes = [permissions.IsAuthenticated, IsAuthor]
+    permission_classes = [beat_permissions.IsAuthor]
     serializer_class = SharingSerializer
 
     def get_queryset(self):
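Review bot: Dropping `drf_permissions.IsAuthenticated` from ShareView's `permission_classes` (new line 55) is only safe if `beat_permissions.IsAuthor.has_permission` itself rejects unauthenticated requests, and that class is not visible in this patch. ShareView is a `CreateAPIView`, and DRF's create path never calls `check_object_permissions`, so an `IsAuthor` that only implements `has_object_permission` would never run and anonymous POSTs would reach the serializer. Unless IsAuthor is confirmed to do the authentication check at view level, keep both classes: `permission_classes = [drf_permissions.IsAuthenticated, beat_permissions.IsAuthor]`. ShareView's `get_queryset` continues outside the hunk.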
@@ -106,7 +106,7 @@ class ListContributionView(
 ):
     model = Contribution
     serializer_class = ContributionSerializer
-    permission_classes = [permissions.AllowAny]
+    permission_classes = [drf_permissions.AllowAny]
 
     def get_queryset(self):
         return self.model.objects.for_user(self.request.user, True)
@@ -186,7 +186,9 @@ class ListCreateBaseView(
         return response
 
 
-class ListCreateContributionView(IsAuthorOrReadOnlyMixin, ListCreateBaseView):
+class ListCreateContributionView(ListCreateBaseView):
+    permission_classes = [beat_permissions.IsAuthorOrReadOnly]
+
     def get_queryset(self):
         user = self.request.user
         author_name = self.kwargs.get("author_name")
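Review bot: `beat_permissions.IsAuthorOrReadOnly` on line 74 can only guard POST through its `has_permission`, because the generic `create()` path does not call `check_object_permissions`; if the author test lives solely in `has_object_permission` (the removed `IsAuthorOrReadOnlyMixin` may have hooked the view differently, which cannot be told from here), any user could create under any `author_name`. Worth verifying in the permission class, and documenting the assumption on the new line: `# create() never runs object-level checks; IsAuthorOrReadOnly must enforce the author test in has_permission`. `get_queryset` continues outside the hunk.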
@@ -228,12 +230,13 @@ class DiffView(generics.RetrieveAPIView):
 
 
 class RetrieveUpdateDestroyContributionView(
-    CommonContextMixin,
-    SerializerFieldsMixin,
-    IsAuthorOrReadOnlyMixin,
-    generics.RetrieveUpdateDestroyAPIView,
+    CommonContextMixin, SerializerFieldsMixin, generics.RetrieveUpdateDestroyAPIView
 ):
     model = Contribution
+    permission_classes = [
+        beat_permissions.IsAuthorOrReadOnly,
+        beat_permissions.IsModifiableOrRead,
+    ]
 
     def get_serializer(self, *args, **kwargs):
         if self.request.method == "PUT":
@@ -257,6 +260,7 @@ class RetrieveUpdateDestroyContributionView(
 
     def get(self, request, *args, **kwargs):
         db_object = self.get_object()
+        self.check_object_permissions(request, db_object)
 
         # Process the query string
         allow_sharing = request.user == db_object.author
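Review bot: The added `self.check_object_permissions(request, db_object)` on line 101 duplicates work already done by the preceding `self.get_object()`, which in DRF's `GenericAPIView` calls `check_object_permissions` before returning — unless this view overrides `get_object` somewhere outside the hunk. A second pass is harmless but misleading, since it suggests the object-level `IsModifiableOrRead` check on update/destroy needs a manual call too, when those paths also go through `get_object()`. Either drop the line or state the reason it is kept, e.g. `# get_object() already ran check_object_permissions; repeated because ...`. The `get` method continues outside the hunk.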
-- 
GitLab