47 lines
1.4 KiB
Python
47 lines
1.4 KiB
Python
from rest_framework import permissions
|
|
|
|
from apps.workspaces.models import Workspace
|
|
from apps.workspaces.services import (
|
|
CLIENTS_CREATE,
|
|
CLIENTS_DELETE,
|
|
CLIENTS_EDIT,
|
|
CLIENTS_VIEW,
|
|
has_workspace_capability,
|
|
)
|
|
|
|
|
|
class IsClientWorkspaceMember(permissions.BasePermission):
|
|
"""
|
|
Applies capability-based access checks for client resources.
|
|
"""
|
|
|
|
message = "You do not have permission to access this client."
|
|
|
|
def has_permission(self, request, view):
|
|
if not request.user.is_authenticated:
|
|
return False
|
|
|
|
if view.action == "create":
|
|
workspace_id = request.data.get("workspace_id")
|
|
if not workspace_id:
|
|
return False
|
|
workspace = Workspace.objects.filter(id=workspace_id, is_deleted=False).first()
|
|
return bool(
|
|
workspace and has_workspace_capability(request.user, workspace, CLIENTS_CREATE)
|
|
)
|
|
|
|
return True
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
if not request.user.is_authenticated:
|
|
return False
|
|
|
|
capability = {
|
|
"retrieve": CLIENTS_VIEW,
|
|
"list": CLIENTS_VIEW,
|
|
"update": CLIENTS_EDIT,
|
|
"partial_update": CLIENTS_EDIT,
|
|
"destroy": CLIENTS_DELETE,
|
|
}.get(view.action, CLIENTS_VIEW)
|
|
return has_workspace_capability(request.user, obj.workspace, capability)
|