Fix api permissions

47cc43f6 · Shrikrishna Singh · 2a0f33ba · 47cc43f6 · 47cc43f6
Commit 47cc43f6 authored 3 years ago by Shrikrishna Singh
--- a/hypha/apply/api/v1/permissions.py
+++ b/hypha/apply/api/v1/permissions.py
@@ -20,19 +20,26 @@ class IsApplyStaffUser(permissions.BasePermission):

 class IsFinance1User(permissions.BasePermission):
    def has_permission(self, request, view):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)
+        return request.user.is_finance_level_1

    def has_object_permission(self, request, view, obj):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)
-
+        return request.user.is_finance_level_1

 class IsFinance2User(permissions.BasePermission):
    def has_permission(self, request, view):
-        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
+        return request.user.is_finance_level_2

    def has_object_permission(self, request, view, obj):
+        return request.user.is_finance_level_2
+
+
+class HasDeliverableEditPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
        invoice = view.get_invoice_object()
-        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
+        return invoice.can_user_edit_deliverables(request.user)
+
+
+class HasRequiredChecksPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        invoice = view.get_object()
+        return invoice.can_user_complete_required_checks(request.user)
--- a/hypha/apply/api/v1/projects/views.py
+++ b/hypha/apply/api/v1/projects/views.py
@@ -9,7 +9,11 @@ from hypha.apply.projects.models.payment import Invoice, InvoiceDeliverable
 from hypha.apply.projects.models.project import Deliverable

 from ..mixin import InvoiceNestedMixin, ProjectNestedMixin
-from ..permissions import IsApplyStaffUser, IsFinance1User, IsFinance2User
+from ..permissions import (
+    IsApplyStaffUser, IsFinance1User, IsFinance2User,
+    HasDeliverableEditPermission, HasRequiredChecksPermission
+)
+
 from .serializers import (
    DeliverableSerializer,
    InvoiceDeliverableListSerializer,
@@ -25,7 +29,8 @@ class DeliverableViewSet(
    viewsets.GenericViewSet
 ):
    permission_classes = (
-        permissions.IsAuthenticated, IsApplyStaffUser | IsFinance1User | IsFinance2User
+        permissions.IsAuthenticated, HasDeliverableEditPermission,
+        IsApplyStaffUser | IsFinance1User | IsFinance2User
    )
    serializer_class = InvoiceDeliverableListSerializer
    pagination_class = None
@@ -81,12 +86,9 @@ class InvoiceRequiredChecksViewSet(
    viewsets.GenericViewSet,
 ):
    serializer_class = InvoiceRequiredChecksSerializer
-    permission_classes = [IsFinance1User]
+    permission_classes = [IsFinance1User, HasRequiredChecksPermission]
    queryset = Invoice.objects.all()

-    def get_invoice_object(self):
-        return self.get_object()
-
    @action(detail=True, methods=['post'])
    def set_required_checks(self, request, *args, **kwargs):
        serializer = self.get_serializer(data=request.data)