Verified Commit 0f6db32a authored by Gijs Hendriksen's avatar Gijs Hendriksen Committed by Sébastiaan Versteeg

Restrict updates to pizza orders to organisers of the pizza event

parent bb84dc09
......@@ -3,6 +3,7 @@ from rest_framework import serializers
from rest_framework.exceptions import ValidationError
from pizzas.models import Product, PizzaEvent, Order
from pizzas.services import can_change_order
class PizzaSerializer(serializers.ModelSerializer):
......@@ -12,12 +13,16 @@ class PizzaSerializer(serializers.ModelSerializer):
class PizzaEventSerializer(serializers.ModelSerializer):
class Meta:
model = PizzaEvent
fields = ('start', 'end', 'event', 'title', 'is_admin')
event = serializers.PrimaryKeyRelatedField(read_only=True)
is_admin = serializers.SerializerMethodField('_is_admin')
class Meta:
model = PizzaEvent
fields = ('start', 'end', 'event', 'title')
def _is_admin(self, instance):
member = self.context['request'].member
return can_change_order(member, instance)
class OrderSerializer(serializers.ModelSerializer):
......
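Review bot: `_is_admin` raises KeyError on the line `member = self.context['request'].member` whenever the serializer is built without a request in its context; the views hunk only adds `context = {'request': request}` for the `current` endpoint, and any other instantiation (not visible here) would fail with a server error instead of a permission result. Safer to treat a missing request as not-admin: `request = self.context.get('request')` / `return request is not None and can_change_order(request.member, instance)`. A short docstring would also help, because the field name `is_admin` reads as a site-admin flag while the method actually reports whether the requesting member may change orders for this event, e.g. `"""Whether the requesting member may manage orders for this pizza event."""`. The PizzaEventSerializer class body continues outside the hunk.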
......@@ -10,6 +10,7 @@ from rest_framework.viewsets import GenericViewSet, ModelViewSet
from pizzas.api import serializers
from pizzas.models import Product, PizzaEvent, Order
from pizzas.services import can_change_order
class PizzaViewset(GenericViewSet, ListModelMixin):
......@@ -32,7 +33,9 @@ class PizzaViewset(GenericViewSet, ListModelMixin):
event = PizzaEvent.current()
if event:
serializer = serializers.PizzaEventSerializer(event)
context = {'request': request}
serializer = serializers.PizzaEventSerializer(event,
context=context)
return Response(serializer.data)
raise NotFound
......@@ -44,7 +47,7 @@ class OrderViewset(ModelViewSet):
def get_queryset(self):
event = PizzaEvent.current()
if self.request.user.has_perm('pizzas.change_order'):
if can_change_order(self.request.user, event):
return Order.objects.filter(pizza_event=event)
if self.action == 'update' or self.action == 'destroy':
if not event or event.has_ended:
......@@ -57,7 +60,9 @@ class OrderViewset(ModelViewSet):
pizza_event=event)
def get_serializer_class(self):
if self.request.member.has_perm('pizzas.change_order'):
if (can_change_order(self.request.member,
self.get_object().pizza_event) and
self.action.endswith('update')):
return serializers.AdminOrderSerializer
return serializers.OrderSerializer
......
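Review bot: In `get_serializer_class`, `self.get_object()` is now evaluated before `self.action.endswith('update')`, so every action — including `list` and `create`, where no lookup kwarg is present — calls `get_object()`, which in DRF asserts on the missing kwarg instead of falling through to `OrderSerializer`. Swap the operands so the cheap action check short-circuits first: `if (self.action.endswith('update') and` / `        can_change_order(self.request.member,` / `                         self.get_object().pizza_event)):`. Separately, the `get_queryset` hunk passes `self.request.user` to `can_change_order` while this hunk passes `self.request.member`; since `is_organiser` calls `member.get_member_groups()`, both call sites should presumably pass the same object — confirm `request.user` exposes that method, otherwise a non-superuser holding `pizzas.change_order` would hit an AttributeError in `get_queryset`. OrderViewset's body continues outside the hunk.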
......@@ -34,3 +34,25 @@ def gen_stats_current_pizza_orders():
total.sort(key=lambda prod: prod['total'], reverse=True)
return total
def is_organiser(member, pizza_event):
if member and member.is_authenticated:
if member.is_superuser or member.has_perm('events.override_organiser'):
return True
if pizza_event:
return member.get_member_groups().filter(
pk=pizza_event.event.organiser.pk).count() != 0
return False
def can_change_order(member, pizza_event):
if member and member.is_authenticated:
if member.is_superuser:
return True
return (member.has_perm('pizzas.change_order') and
is_organiser(member, pizza_event))
return False
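Review bot: `is_organiser` tests group membership with `.filter(...).count() != 0`, which counts every matching row; `.exists()` states the intent and lets the database stop at the first match: `return member.get_member_groups().filter(` / `    pk=pizza_event.event.organiser.pk).exists()`. Both helpers are authorisation checks and deserve docstrings that spell out the rule, for instance on `can_change_order`: `"""True if member is a superuser, or holds pizzas.change_order and organises pizza_event."""`, and on `is_organiser` a note that a superuser or a holder of `events.override_organiser` counts as organiser of every event, including when pizza_event is None. The docstring should also record that `pizza_event.event.organiser.pk` is dereferenced without a None check, so an event without an organiser (if the model allows one) would raise rather than return False — confirm against the model.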