chore: updating teacher_view

SELab-2 · Mar 18, 2024 · 8cb3bcc · 8cb3bcc · DeLany123 · Mar 18, 2024
1 parent f30ef17
commit 8cb3bcc
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 12 deletions.
diff --git a/backend/api/permissions/student_permissions.py b/backend/api/permissions/student_permissions.py
@@ -1,13 +1,9 @@
-from rest_framework.permissions import BasePermission, SAFE_METHODS
+from rest_framework.permissions import IsAuthenticated, SAFE_METHODS
 from api.permissions.role_permissions import is_teacher
 from authentication.models import User
 
-class StudentPermission(BasePermission):
+class StudentPermission(IsAuthenticated):
 
-    # Dit is garbage omdat altijd de has_permission eerst moet slagen.
-
-    # IsAdminUser is already defined but because of DRF has_permissions must be present
-    # https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
     def has_permission(self, request, view):
         """Check if user has permission to view a general student endpoint."""
         user: User = request.user

diff --git a/backend/api/permissions/teacher_permissions.py b/backend/api/permissions/teacher_permissions.py
@@ -0,0 +1,17 @@
+from rest_framework.permissions import IsAuthenticated, SAFE_METHODS
+from authentication.models import User
+
+# (Almost) same as StudentPermission
+class TeacherPermission(IsAuthenticated):
+
+    def has_permission(self, request, view):
+        """Check if user has permission to view a general Teacher endpoint."""
+        user: User = request.user
+        if view.action in ['list', 'create', 'update', 'partial_update', 'destroy']:
+            return False
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        """Check if user has permission to view a detailed group endpoint"""
+        user: User = request.user
+        return request.method in SAFE_METHODS and user.id == request.user.id
diff --git a/backend/api/views/teacher_view.py b/backend/api/views/teacher_view.py
@@ -1,22 +1,22 @@
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework.viewsets import ModelViewSet
 from rest_framework.permissions import IsAdminUser
 
 from api.models.course import Course
 from api.models.teacher import Teacher
 from api.serializers.teacher_serializer import TeacherSerializer
 from api.serializers.course_serializer import CourseSerializer
-from api.permissions.role_permissions import IsSameUser
+from api.permissions.teacher_permissions import TeacherPermission
+from rest_framework.permissions import IsAuthenticated
 
-
-class TeacherViewSet(ReadOnlyModelViewSet):
+class TeacherViewSet(ModelViewSet):
     queryset = Teacher.objects.all()
     serializer_class = TeacherSerializer
-    permission_classes = [IsAdminUser | IsSameUser]
+    permission_classes = [IsAdminUser | TeacherPermission]
 
-    @action(detail=True, methods=["get"])
+    @action(detail=True, methods=["get"], permission_classes=[IsAuthenticated])
     def courses(self, request, pk=None):
         """Returns a list of courses for the given teacher"""
         teacher = self.get_object()