Added possibility for non staff users to upload new files. See #1856.
This commit is contained in:
parent
440a38b387
commit
ae6875aa93
@ -19,11 +19,12 @@ class MediafileViewSet(ModelViewSet):
|
||||
"""
|
||||
Returns True if the user has required permissions.
|
||||
"""
|
||||
# TODO: Use mediafiles.can_upload permission to create and update some
|
||||
# objects but restricted concerning the uploader.
|
||||
if self.action in ('metadata', 'list', 'retrieve'):
|
||||
result = self.request.user.has_perm('mediafiles.can_see')
|
||||
elif self.action in ('create', 'partial_update', 'update'):
|
||||
elif self.action == 'create':
|
||||
result = (self.request.user.has_perm('mediafiles.can_see') and
|
||||
self.request.user.has_perm('mediafiles.can_upload'))
|
||||
elif self.action in ('partial_update', 'update'):
|
||||
result = (self.request.user.has_perm('mediafiles.can_see') and
|
||||
self.request.user.has_perm('mediafiles.can_upload') and
|
||||
self.request.user.has_perm('mediafiles.can_manage'))
|
||||
@ -33,3 +34,15 @@ class MediafileViewSet(ModelViewSet):
|
||||
else:
|
||||
result = False
|
||||
return result
|
||||
|
||||
def create(self, request, *args, **kwargs):
|
||||
"""
|
||||
Customized view endpoint to upload a new file.
|
||||
"""
|
||||
# Check permission to check if the uploader has to be changed.
|
||||
uploader_id = self.request.data.get('uploader_id')
|
||||
if (uploader_id and
|
||||
not request.user.has_perm('mediafiles.can_manage') and
|
||||
str(self.request.user.pk) != str(uploader_id)):
|
||||
self.permission_denied(request)
|
||||
return super().create(request, *args, **kwargs)
|
||||
|
Loading…
Reference in New Issue
Block a user