Merge pull request #1865 from normanjaeckel/MediafileFix

Added possibility for non staff users to upload new files. See #1856.
This commit is contained in:
Oskar Hahn 2016-01-15 09:33:06 +01:00
commit bac4e2c21f

View File

@ -19,11 +19,12 @@ class MediafileViewSet(ModelViewSet):
""" """
Returns True if the user has required permissions. Returns True if the user has required permissions.
""" """
# TODO: Use mediafiles.can_upload permission to create and update some
# objects but restricted concerning the uploader.
if self.action in ('metadata', 'list', 'retrieve'): if self.action in ('metadata', 'list', 'retrieve'):
result = self.request.user.has_perm('mediafiles.can_see') result = self.request.user.has_perm('mediafiles.can_see')
elif self.action in ('create', 'partial_update', 'update'): elif self.action == 'create':
result = (self.request.user.has_perm('mediafiles.can_see') and
self.request.user.has_perm('mediafiles.can_upload'))
elif self.action in ('partial_update', 'update'):
result = (self.request.user.has_perm('mediafiles.can_see') and result = (self.request.user.has_perm('mediafiles.can_see') and
self.request.user.has_perm('mediafiles.can_upload') and self.request.user.has_perm('mediafiles.can_upload') and
self.request.user.has_perm('mediafiles.can_manage')) self.request.user.has_perm('mediafiles.can_manage'))
@ -33,3 +34,15 @@ class MediafileViewSet(ModelViewSet):
else: else:
result = False result = False
return result return result
def create(self, request, *args, **kwargs):
"""
Customized view endpoint to upload a new file.
"""
# Check permission to check if the uploader has to be changed.
uploader_id = self.request.data.get('uploader_id')
if (uploader_id and
not request.user.has_perm('mediafiles.can_manage') and
str(self.request.user.pk) != str(uploader_id)):
self.permission_denied(request)
return super().create(request, *args, **kwargs)