103 lines
3.2 KiB
Python
103 lines
3.2 KiB
Python
from rest_framework import permissions
|
|
|
|
from apps.workspaces.models import Workspace, WorkspaceMembership
|
|
from apps.workspaces.services import (
|
|
WORKSPACE_EDIT,
|
|
WORKSPACE_MEMBERS_CHANGE_ROLE,
|
|
WORKSPACE_VIEW,
|
|
has_workspace_capability,
|
|
)
|
|
|
|
|
|
class IsWorkspaceOwner(permissions.BasePermission):
|
|
"""
|
|
Permission check:
|
|
- User must be the explicit 'owner' on the Workspace model.
|
|
- OR User must have a WorkspaceMembership with the 'OWNER' role.
|
|
"""
|
|
message = "Access denied. You must be the Workspace Owner to perform this action."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
if isinstance(obj, Workspace):
|
|
workspace = obj
|
|
elif isinstance(obj, WorkspaceMembership):
|
|
workspace = obj.workspace
|
|
elif hasattr(obj, "workspace"):
|
|
workspace = obj.workspace
|
|
else:
|
|
return False
|
|
|
|
return workspace.owner_id == request.user.id
|
|
|
|
|
|
class IsWorkspaceAdmin(permissions.BasePermission):
|
|
"""
|
|
Permission check:
|
|
- User's role in the workspace is either 'ADMIN' or 'OWNER'.
|
|
"""
|
|
message = "Access denied. You must be a Workspace Admin or Owner to perform this action."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
if isinstance(obj, Workspace):
|
|
workspace = obj
|
|
elif isinstance(obj, WorkspaceMembership):
|
|
workspace = obj.workspace
|
|
elif hasattr(obj, "workspace"):
|
|
workspace = obj.workspace
|
|
else:
|
|
return False
|
|
|
|
return has_workspace_capability(request.user, workspace, WORKSPACE_EDIT)
|
|
|
|
|
|
class IsWorkspaceMember(permissions.BasePermission):
|
|
"""
|
|
Permission check:
|
|
- User's role in the workspace is 'OWNER', 'ADMIN', or 'MEMBER'.
|
|
"""
|
|
message = "Access denied. You must be an active member of this workspace."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
if isinstance(obj, Workspace):
|
|
workspace = obj
|
|
elif isinstance(obj, WorkspaceMembership):
|
|
workspace = obj.workspace
|
|
elif hasattr(obj, "workspace"):
|
|
workspace = obj.workspace
|
|
else:
|
|
return False
|
|
|
|
return has_workspace_capability(request.user, workspace, WORKSPACE_VIEW)
|
|
|
|
|
|
class CanWorkspaceManageMembers(permissions.BasePermission):
|
|
message = "Access denied. You do not have permission to manage workspace members."
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user or not request.user.is_authenticated:
|
|
return False
|
|
|
|
if isinstance(obj, Workspace):
|
|
workspace = obj
|
|
elif isinstance(obj, WorkspaceMembership):
|
|
workspace = obj.workspace
|
|
elif hasattr(obj, "workspace"):
|
|
workspace = obj.workspace
|
|
else:
|
|
return False
|
|
|
|
return has_workspace_capability(
|
|
request.user,
|
|
workspace,
|
|
WORKSPACE_MEMBERS_CHANGE_ROLE,
|
|
)
|