From 47cc43f63411599d8f3644daad89361b434f1cdf Mon Sep 17 00:00:00 2001
From: Shrikrishna Singh <krishnasingh.ss30@gmail.com>
Date: Wed, 9 Feb 2022 12:36:38 +0530
Subject: [PATCH] Fix api permissions

---
 hypha/apply/api/v1/permissions.py | 23 +++++++++++++++--------
 hypha/apply/api/v1/projects/views.py | 14 ++++++++------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/hypha/apply/api/v1/permissions.py b/hypha/apply/api/v1/permissions.py
index 188a6ada9..14fc918bf 100644
--- a/hypha/apply/api/v1/permissions.py
+++ b/hypha/apply/api/v1/permissions.py
@@ -20,19 +20,26 @@ class IsApplyStaffUser(permissions.BasePermission):
 class IsFinance1User(permissions.BasePermission):
     def has_permission(self, request, view):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)
+        return request.user.is_finance_level_1
 
     def has_object_permission(self, request, view, obj):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)
-
+        return request.user.is_finance_level_1
 
 
 class IsFinance2User(permissions.BasePermission):
     def has_permission(self, request, view):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
+        return request.user.is_finance_level_2
 
     def has_object_permission(self, request, view, obj):
+        return request.user.is_finance_level_2
+
+
+class HasDeliverableEditPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
         invoice = view.get_invoice_object()
-        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
+        return invoice.can_user_edit_deliverables(request.user)
+
+
+class HasRequiredChecksPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        invoice = view.get_object()
+        return invoice.can_user_complete_required_checks(request.user)
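Review bot: The two new classes each depend on a different, undocumented view contract — `HasDeliverableEditPermission.has_permission` needs the view to provide `get_invoice_object()`, while `HasRequiredChecksPermission.has_permission` calls `view.get_object()` — and a view that lacks the expected method fails with an AttributeError during the permission check rather than returning a 403. A one-line docstring on each would make that explicit, e.g. `"""Grant access when the view's invoice (via view.get_invoice_object()) lets request.user edit deliverables."""` and the analogous one naming `get_object()` and `can_user_complete_required_checks`. Note also that `view.get_object()` inside `has_permission` performs DRF's object lookup and `check_object_permissions` before the action runs and for every action on the view, so `HasRequiredChecksPermission` is only usable on detail routes; a short comment on the class stating that would help the next reader. Since `IsFinance1User`/`IsFinance2User` now return the raw user attribute, `return bool(request.user.is_finance_level_1)` (and the `_2` counterpart) keeps the result a proper boolean for DRF.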
diff --git a/hypha/apply/api/v1/projects/views.py b/hypha/apply/api/v1/projects/views.py
index c45814530..f011ca790 100644
--- a/hypha/apply/api/v1/projects/views.py
+++ b/hypha/apply/api/v1/projects/views.py
@@ -9,7 +9,11 @@ from hypha.apply.projects.models.payment import Invoice, InvoiceDeliverable
 from hypha.apply.projects.models.project import Deliverable
 
 from ..mixin import InvoiceNestedMixin, ProjectNestedMixin
-from ..permissions import IsApplyStaffUser, IsFinance1User, IsFinance2User
+from ..permissions import (
+    IsApplyStaffUser, IsFinance1User, IsFinance2User,
+    HasDeliverableEditPermission, HasRequiredChecksPermission
+)
+
 from .serializers import (
     DeliverableSerializer,
     InvoiceDeliverableListSerializer,
@@ -25,7 +29,8 @@ class DeliverableViewSet(
     viewsets.GenericViewSet
 ):
     permission_classes = (
-        permissions.IsAuthenticated, IsApplyStaffUser | IsFinance1User | IsFinance2User
+        permissions.IsAuthenticated, HasDeliverableEditPermission,
+        IsApplyStaffUser | IsFinance1User | IsFinance2User
     )
     serializer_class = InvoiceDeliverableListSerializer
     pagination_class = None
@@ -81,12 +86,9 @@ class InvoiceRequiredChecksViewSet(
     viewsets.GenericViewSet,
 ):
     serializer_class = InvoiceRequiredChecksSerializer
-    permission_classes = [IsFinance1User]
+    permission_classes = [IsFinance1User, HasRequiredChecksPermission]
     queryset = Invoice.objects.all()
 
-    def get_invoice_object(self):
-        return self.get_object()
-
     @action(detail=True, methods=['post'])
     def set_required_checks(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
-- 
GitLab
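Review bot: In `DeliverableViewSet.permission_classes` the object-lookup permission `HasDeliverableEditPermission` is listed before the role group `IsApplyStaffUser | IsFinance1User | IsFinance2User`, and DRF evaluates permissions in list order, so every authenticated caller — including one holding none of those roles — triggers `view.get_invoice_object()` before being refused. Beyond the unnecessary query, if that lookup raises 404 for an unknown id (it comes from the mixin, outside this diff, so I cannot confirm), callers without any finance or staff role would see different statuses for existing and non-existing invoices. Listing the roles first, `permissions.IsAuthenticated, IsApplyStaffUser | IsFinance1User | IsFinance2User, HasDeliverableEditPermission,`, keeps the cheap role check ahead of the lookup. The class body continues outside the hunk.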
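Review bot: `InvoiceRequiredChecksViewSet.permission_classes = [IsFinance1User, HasRequiredChecksPermission]` has no `IsAuthenticated` entry, unlike `DeliverableViewSet` in the hunk above, so the first check an anonymous request reaches is `request.user.is_finance_level_1` on the anonymous-user object. Whether that produces a 403 or an AttributeError depends on that object defining the flag, which this diff does not show. `permission_classes = [permissions.IsAuthenticated, IsFinance1User, HasRequiredChecksPermission]` makes the outcome a 401/403 either way, and `permissions` is already in scope in this file. The class body continues outside the hunk.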