
@Damephena
Last active August 21, 2022 16:26
Resume Builder API: Views, Custom Permissions
from rest_framework import permissions
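class IsOwnerOrAdmin(permissions.BasePermission):
    """
    Allow access only to the authenticated owner of an object, or to a superuser.

    Ownership is read from the first of ``user``, ``user_id`` or
    ``created_by`` that exists on the object. Any error raised while
    evaluating the check denies access.
    """

    def has_permission(self, request, view):
        """Require an authenticated user before any view-level action runs.

        Object-level checks are not invoked for actions that never fetch a
        single object (for example ``list``), so authentication has to be
        enforced here as well.
        """
        user = getattr(request, "user", None)
        return bool(user and user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        """Return True when the requester is a superuser or owns ``obj``."""
        try:
            user = request.user
            if not user.is_authenticated:
                return False
            # The admin check comes first: previously it was only reached for
            # objects with no owner attribute at all, so a superuser was
            # refused on every owned object.
            if user.is_superuser:
                return True
            for attr in ("user", "user_id", "created_by"):
                if hasattr(obj, attr):
                    # NOTE(review): if `user_id` holds a raw primary key
                    # rather than a user instance, this comparison is
                    # presumably always False (fails closed) - confirm
                    # against the model.
                    return getattr(obj, attr) == user
            return False
        except Exception:
            # Deliberately fail closed: an unexpected error must never
            # grant access.
            return False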
from rest_framework.routers import SimpleRouter
from cv import views
# Only the read-only template endpoints are registered on this router;
# ResumeViewset is not wired up here.
router = SimpleRouter()
router.register(
    prefix="templates",
    viewset=views.ResumeTemplateViewset,
    basename="templates",
)

urlpatterns = router.urls
from rest_framework import permissions, viewsets
from .custom_permissions import IsOwnerOrAdmin
from .models import Resume, ResumeTemplate
from .serializers import ResumeSerializer, ResumeTemplateSerializer
class ResumeTemplateViewset(viewsets.ModelViewSet):
    """
    list: List all resume templates,
    retrieve: Get a single resume template by ID.
    """

    # Read-only endpoint: only GET is routed, so the write actions that
    # ModelViewSet provides are not reachable.
    http_method_names = ["get"]

    # No permission_classes are declared, so the project-wide default
    # permission classes apply - verify they match the intended exposure.
    serializer_class = ResumeTemplateSerializer
    queryset = ResumeTemplate.objects.all()
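class ResumeViewset(viewsets.ModelViewSet):
    """
    list: List all resumes belonging to this authenticated user.
    create: Create a new resume as an authenticated user.
    retrieve: Retrieve resume (by ID) belonging to this authenticated user.
    partial_update: Update resume (by ID) belonging to this authenticated user.
    destroy: Delete resume (by ID) belonging to this authenticated user.
    """

    queryset = Resume.objects.all()
    serializer_class = ResumeSerializer
    http_method_names = ["get", "post", "patch", "delete"]
    permission_classes = [permissions.IsAuthenticated]

    def get_permissions(self):
        """Return the permission instances for the current action.

        ``create`` uses ``permission_classes`` as declared. Every other
        action keeps those and adds the ownership check on top.
        """
        base_permissions = super().get_permissions()
        if self.action == "create":
            return base_permissions
        # Object-level checks never run for `list`, so the authentication
        # requirement from permission_classes is kept here rather than being
        # replaced by the ownership check alone.
        return [*base_permissions, IsOwnerOrAdmin()]

    def get_queryset(self):
        """Limit results to the requester's own resumes unless they are an admin.

        Unauthenticated requests and any error while building the filter
        yield an empty queryset.
        """
        try:
            user = self.request.user
            if not user.is_authenticated:
                # Explicit guard instead of relying on the filter below
                # raising for an anonymous user.
                return Resume.objects.none()
            # NOTE(review): the full queryset needs BOTH is_staff and
            # is_superuser, while IsOwnerOrAdmin checks is_superuser only -
            # confirm which definition of "admin" is intended.
            if not (user.is_staff and user.is_superuser):
                return Resume.objects.filter(user_id=user)
        except Exception:
            # Fail closed: never fall through to the unfiltered queryset
            # on error.
            return Resume.objects.none()
        return super().get_queryset()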