|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
from django.db.models import Q
|
|
|
|
|
|
|
|
|
|
from common.api.generic import JMSBulkModelViewSet
|
|
|
|
|
from common.utils.http import is_true
|
|
|
|
|
from rbac.permissions import RBACPermission
|
|
|
|
|
from ..const import Scope
|
|
|
|
|
from ..models import AdHoc
|
|
|
|
|
from ..serializers import AdHocSerializer
|
|
|
|
|
|
|
|
|
|
__all__ = [
|
|
|
|
|
'AdHocViewSet'
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class AdHocViewSet(JMSBulkModelViewSet):
|
|
|
|
|
queryset = AdHoc.objects.all()
|
|
|
|
|
serializer_class = AdHocSerializer
|
|
|
|
|
permission_classes = (RBACPermission,)
|
|
|
|
|
search_fields = ('name', 'comment')
|
|
|
|
|
filterset_fields = ['scope', 'creator']
|
|
|
|
|
|
|
|
|
|
def allow_bulk_destroy(self, qs, filtered):
|
|
|
|
|
for obj in filtered:
|
|
|
|
|
self.check_object_permissions(self.request, obj)
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def check_object_permissions(self, request, obj):
|
|
|
|
|
if request.method != 'GET' and obj.creator != request.user:
|
|
|
|
|
self.permission_denied(
|
|
|
|
|
request, message={"detail": "Deleting other people's script is not allowed"}
|
|
|
|
|
)
|
|
|
|
|
return super().check_object_permissions(request, obj)
|
|
|
|
|
|
|
|
|
|
def get_queryset(self):
|
|
|
|
|
queryset = super().get_queryset()
|
|
|
|
|
user = self.request.user
|
|
|
|
|
if is_true(self.request.query_params.get('only_mine')):
|
|
|
|
|
queryset = queryset.filter(creator=user)
|
|
|
|
|
else:
|
|
|
|
|
queryset = queryset.filter(Q(creator=user) | Q(scope=Scope.public))
|
|
|
|
|
return queryset
|
