60 lines
2.0 KiB
Python
60 lines
2.0 KiB
Python
from rest_framework import permissions
|
|
|
|
from apps.projects.models import ProjectMembership
|
|
from apps.workspaces.services import (
|
|
PROJECTS_EDIT,
|
|
PROJECTS_VIEW,
|
|
PROJECT_MEMBERS_CHANGE_ROLE,
|
|
has_project_capability,
|
|
)
|
|
|
|
|
|
def get_project_from_obj(obj):
|
|
"""Helper to extract the project from different model types."""
|
|
# If the object is a Project, it will have a 'workspace' attribute.
|
|
# Otherwise, it's a related model (Membership, Rate) and has a 'project' attribute.
|
|
return obj if hasattr(obj, "workspace") else obj.project
|
|
|
|
|
|
class IsProjectMember(permissions.BasePermission):
|
|
"""
|
|
Allows access only to users who have an active membership in the project.
|
|
"""
|
|
message = "شما عضو این پروژه نیستید."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
project = get_project_from_obj(obj)
|
|
return has_project_capability(request.user, project, PROJECTS_VIEW)
|
|
|
|
|
|
class IsProjectManager(permissions.BasePermission):
|
|
"""
|
|
Allows access only to users who are active MANAGERs of the project.
|
|
"""
|
|
message = "فقط مدیران پروژه مجاز به انجام این عملیات هستند."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
project = get_project_from_obj(obj)
|
|
return has_project_capability(request.user, project, PROJECTS_EDIT)
|
|
|
|
|
|
class CanManageProjectMembers(permissions.BasePermission):
|
|
message = "Only authorized users can manage project memberships."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
project = get_project_from_obj(obj)
|
|
return has_project_capability(
|
|
request.user,
|
|
project,
|
|
PROJECT_MEMBERS_CHANGE_ROLE,
|
|
)
|