feat: ApplicationFileAttachmentViewSet

Author: emsoraffa

backend/samfundet/models/recruitment.py

@@ -12,7 +12,7 @@
 from django.contrib.auth.models import UserManager
 
 from root.utils.mixins import CustomBaseModel, FullCleanSaveMixin
-from samfundet.utils import upload_to_app
+from samfundet.utils import upload_to_application_filepath
 
 from .general import Gang, User, Campus, GangSection, Organization
 from .model_choices import RecruitmentStatusChoices, RecruitmentApplicantStates, RecruitmentPriorityChoices
@@ -516,10 +516,11 @@ class ApplicationFileAttachment(CustomBaseModel):
     application = models.ForeignKey(
         RecruitmentApplication, on_delete=models.CASCADE, related_name='attachments', help_text='The recruitment application this file is attached to'
     )
-    application_file = models.FileField(upload_to='recruitment/application_attachments/')
+    application_file = models.FileField(upload_to=upload_to_application_filepath)
     application_file_type = models.CharField(max_length=50, blank=True)
 
     def clean(self) -> None:
+        # FIX: this should probably be set by the recruitment position
         super().clean()
         if self.application_file:
             file_type = self.application_file.content_type
@@ -532,11 +533,16 @@ def clean(self) -> None:
             ]
             if file_type not in allowed_types:
                 raise ValidationError('Wrong filetype')
-            if self.file.size > 10 * 1024 * 1024:  # 10MB limit
+            if self.application_file.size > 10 * 1024 * 1024:  # 10MB limit
                 raise ValidationError('File size must be less than 10MB.')
 
     def __str__(self):
-        return f'Attachment for {self.application} - {self.file.name}'
+        return f'Attachment for {self.application} - {self.application_file.name}'
+
+    def delete(self, *args, **kwargs) -> None:
+        storage, path = self.application_file.storage, self.application_file.path
+        super().delete(*args, **kwargs)
+        storage.delete(path)
 
 
 class RecruitmentInterviewAvailability(CustomBaseModel):

backend/samfundet/serializers.py

@@ -14,6 +14,7 @@
 from django.contrib.auth import authenticate
 from django.core.exceptions import ValidationError
 from django.core.files.images import ImageFile
+from django.core.files.uploadedfile import UploadedFile
 from django.contrib.auth.models import Group, Permission
 from django.contrib.auth.password_validation import validate_password
 
@@ -77,15 +78,20 @@
 class ApplicationFileAttachmentSerializer(CustomBaseSerializer):
     class Meta:
         model = ApplicationFileAttachment
-        fields = (
-            'id',
-            'application',
-            'application_file',
-            'application_file_type',
-        )
+        fields = ['id', 'application', 'application_file', 'application_file_type', 'created_at']
+        read_only_fields = ['id', 'application_file_type', 'created_at']
 
-    def validate(self, attrs: dict) -> dict:
-        return attrs
+    def validate_application_file(self, value: UploadedFile) -> UploadedFile:
+        if not value:
+            raise serializers.ValidationError('A file must be provided.')
+        return value
+
+    def create(self, validated_data: dict[str, Any]) -> ApplicationFileAttachment:
+        application = validated_data.get('application') or self.context.get('application')
+        if not application:
+            raise serializers.ValidationError('Application is required to attach a file.')
+        validated_data['application'] = application
+        return super().create(validated_data)
 
 
 class TagSerializer(CustomBaseSerializer):

backend/samfundet/views.py

@@ -38,6 +38,7 @@
 
 from .utils import generate_timeslots, get_occupied_timeslots_from_request
 from .serializers import (
+    ApplicationFileAttachmentSerializer,
     InterviewSerializer,
     RecruitmentSerializer,
     InterviewRoomSerializer,
@@ -121,13 +122,38 @@ def verify_signature(*, payload_body: Any, secret_token: str, signature_header:
 
 
 class ApplicationFileAttachmentViewSet(ModelViewSet):
-    serializer_class = ApplicationFileAttachmentSerializer
     queryset = ApplicationFileAttachment.objects.all()
+    serializer_class = ApplicationFileAttachmentSerializer
+    permission_classes = [IsAuthenticated]
+    parser_classes = (MultiPartParser, FormParser)
 
-    # Typically, you might want extra permission logic here:
-    #   - Only the applicant or a recruiter with certain perms can read attachments
-    #   - Only the applicant can create attachments for *their own* application
-    # etc.
+    def get_queryset(self) -> Response | None:
+        # Restrict to the user's applications or recruiter permissions
+        # FIX: Consider permissions
+        user = self.request.user
+        if user.is_staff:
+            return self.queryset
+        return self.queryset.filter(application__user=user)
+
+    def create(self, request: Request) -> Response | None:
+        application_id = request.data.get('application_id')
+        try:
+            application = RecruitmentApplication.objects.get(id=application_id, user=request.user)
+        except RecruitmentApplication.DoesNotExist:
+            return Response({'error': 'Application not found or not authorized'}, status=status.HTTP_404_NOT_FOUND)
+
+        serializer = self.get_serializer(data=request.data, context={'application': application})
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        return Response(serializer.data, status=status.HTTP_201_CREATED)
+
+    def destroy(self, request: Request) -> Response | None:
+        instance = self.get_object()
+        # FIX: Consider permissions
+        if instance.application.user != request.user and not request.user.is_staff:
+            return Response({'error': 'Not authorized'}, status=status.HTTP_403_FORBIDDEN)
+        self.perform_destroy(instance)
+        return Response(status=status.HTTP_204_NO_CONTENT)
 
 
 @method_decorator(ensure_csrf_cookie, 'dispatch')