penn-marketplace/backend/market/permissions.py at 075c60b2e4fc6ee2c0437a490c722cec359ba0de · pennlabs/penn-marketplace · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
from rest_framework import permissions


class IsSuperUser(permissions.BasePermission):
    """
    Grants permission if the current user is a superuser.
    """

    def has_object_permission(self, request, view, obj):
        return request.user.is_superuser

    def has_permission(self, request, view):
        return request.user.is_superuser


class ListingOwnerPermission(permissions.BasePermission):
    """
    Custom permission to allow the owner of a Listing to edit or delete it.
    """

    def has_permission(self, request, view):
        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Check if the user is the owner of the Listing.
        return request.method in permissions.SAFE_METHODS or obj.seller == request.user


class ListingImageOwnerPermission(permissions.BasePermission):
    """
    Custom permission to allow the owner of a ListingImage to edit or delete it.

    """

    def has_permission(self, request, view):
        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Check if the user is the owner of the Listing.
        return (
            request.method in permissions.SAFE_METHODS
            or obj.listing.seller == request.user
        )


class ListingOwnerOffersPermission(permissions.BasePermission):
    """
    The listing seller may act on an Offer for their listing.
    Use only on views/actions where that is intended (e.g. list offers, PATCH status).
    """

    def has_permission(self, request, view):
        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        return obj.listing.seller == request.user


class OfferOwnerPermission(permissions.BasePermission):
    """
    The user who created the offer may act on that Offer.
    Use only on buyer-facing views (e.g. withdraw offer, PATCH details).
    """

    def has_permission(self, request, view):
        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        return obj.user_id == request.user.id