CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

API: Require can_change_items for more endpoints

Browse Source
This commit is contained in:
Raphael Michel
2017-10-10 22:54:36 +02:00
parent d3a287dcdf
commit f342e46f53
5 changed files with 27 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/pretix/api/auth/permission.py
View File

@@ -13,6 +13,13 @@ class EventPermission(BasePermission):
return True
return False
if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
required_permission = getattr(view, 'write_permission')
elif hasattr(view, 'permission'):
required_permission = getattr(view, 'permission')
else:
required_permission = None
perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
else request.user)
if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
@@ -25,9 +32,8 @@ class EventPermission(BasePermission):
request.organizer = request.event.organizer
request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
if hasattr(view, 'permission'):
if view.permission and view.permission not in request.eventpermset:
return False
if required_permission and required_permission not in request.eventpermset:
return False
elif 'organizer' in request.resolver_match.kwargs:
request.organizer = Organizer.objects.filter(
@@ -37,7 +43,6 @@ class EventPermission(BasePermission):
return False
request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
if hasattr(view, 'permission'):
if view.permission and view.permission not in request.orgapermset:
return False
if required_permission and required_permission not in request.orgapermset:
return False
return True

1
src/pretix/api/views/event.py
View File

@@ -39,6 +39,7 @@ class SubEventViewSet(viewsets.ReadOnlyModelViewSet):
class TaxRuleViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = TaxRuleSerializer
queryset = TaxRule.objects.none()
write_permission = 'can_change_event_settings'
def get_queryset(self):
return self.request.event.tax_rules.all()

4
src/pretix/api/views/item.py
View File

@@ -34,6 +34,7 @@ class ItemViewSet(viewsets.ReadOnlyModelViewSet):
ordering_fields = ('id', 'position')
ordering = ('position', 'id')
filter_class = ItemFilter
permission = 'can_change_items'
def get_queryset(self):
return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
@@ -52,6 +53,7 @@ class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
filter_class = ItemCategoryFilter
ordering_fields = ('id', 'position')
ordering = ('position', 'id')
permission = 'can_change_items'
def get_queryset(self):
return self.request.event.categories.all()
@@ -63,6 +65,7 @@ class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
filter_backends = (OrderingFilter,)
ordering_fields = ('id', 'position')
ordering = ('position', 'id')
permission = 'can_change_items'
def get_queryset(self):
return self.request.event.questions.prefetch_related('options').all()
@@ -81,6 +84,7 @@ class QuotaViewSet(viewsets.ReadOnlyModelViewSet):
filter_class = QuotaFilter
ordering_fields = ('id', 'size')
ordering = ('id',)
permission = 'can_change_items'
def get_queryset(self):
return self.request.event.quotas.all()