b48a99f21b
Only users with the 'mediafiles.can_see_private' permission can create and view these private mediafiles.
60 lines
2.4 KiB
Python
60 lines
2.4 KiB
Python
from ..utils.rest_api import ModelViewSet, ValidationError
|
|
from .access_permissions import MediafileAccessPermissions
|
|
from .models import Mediafile
|
|
|
|
|
|
# Viewsets for the REST API
|
|
|
|
class MediafileViewSet(ModelViewSet):
|
|
"""
|
|
API endpoint for mediafile objects.
|
|
|
|
There are the following views: metadata, list, retrieve, create,
|
|
partial_update, update and destroy.
|
|
"""
|
|
access_permissions = MediafileAccessPermissions()
|
|
queryset = Mediafile.objects.all()
|
|
|
|
def get_queryset(self):
|
|
queryset = super().get_queryset()
|
|
user = self.request.user
|
|
if not user.has_perm('mediafiles.can_see_private'):
|
|
queryset = queryset.filter(private=False)
|
|
return queryset
|
|
|
|
def check_view_permissions(self):
|
|
"""
|
|
Returns True if the user has required permissions.
|
|
"""
|
|
if self.action in ('list', 'retrieve'):
|
|
result = self.get_access_permissions().check_permissions(self.request.user)
|
|
elif self.action == 'metadata':
|
|
result = self.request.user.has_perm('mediafiles.can_see')
|
|
elif self.action == 'create':
|
|
result = (self.request.user.has_perm('mediafiles.can_see') and
|
|
self.request.user.has_perm('mediafiles.can_upload'))
|
|
elif self.action in ('partial_update', 'update'):
|
|
result = (self.request.user.has_perm('mediafiles.can_see') and
|
|
self.request.user.has_perm('mediafiles.can_upload') and
|
|
self.request.user.has_perm('mediafiles.can_manage'))
|
|
elif self.action == 'destroy':
|
|
result = (self.request.user.has_perm('mediafiles.can_see') and
|
|
self.request.user.has_perm('mediafiles.can_manage'))
|
|
else:
|
|
result = False
|
|
return result
|
|
|
|
def create(self, request, *args, **kwargs):
|
|
"""
|
|
Customized view endpoint to upload a new file.
|
|
"""
|
|
# Check permission to check if the uploader has to be changed.
|
|
uploader_id = self.request.data.get('uploader_id')
|
|
if (uploader_id and
|
|
not request.user.has_perm('mediafiles.can_manage') and
|
|
str(self.request.user.pk) != str(uploader_id)):
|
|
self.permission_denied(request)
|
|
if not self.request.data.get('mediafile'):
|
|
raise ValidationError({'detail': 'You forgot to provide a file.'})
|
|
return super().create(request, *args, **kwargs)
|