26 lines
901 B
Python
26 lines
901 B
Python
# permissions.py
|
|
from rest_framework.permissions import BasePermission
|
|
from projects.models import Project, ProjectTeamList
|
|
from portfolios.models import Portfolio
|
|
|
|
UNSAFE_REQUEST = ["POST", "PUT", "PATCH", "DELETE"]
|
|
|
|
class IsOwnerOrMemberInCreateAndUpdateAndDelete(BasePermission):
|
|
def has_permission(self, request, view):
|
|
if request.method not in UNSAFE_REQUEST:
|
|
return True
|
|
|
|
related_type = request.query_params.get("type")
|
|
related_id = request.query_params.get("id")
|
|
|
|
if not related_type or not related_id:
|
|
return False
|
|
|
|
user = request.user
|
|
|
|
if related_type == "project":
|
|
return ProjectTeamList.objects.filter(project=related_id, user=user).exists()
|
|
elif related_type == "portfolio":
|
|
return Portfolio.objects.filter(id=related_id, owner=user).exists()
|
|
else:
|
|
return False |