update: nested fields should use the nested model permissions

1c76dfa2 · Jean-Baptiste · d2ef845a · 1c76dfa2 · 1c76dfa2 · 1c76dfa2
Commit 1c76dfa2 authored 6 years ago by Jean-Baptiste
--- a/djangoldp/models.py
+++ b/djangoldp/models.py
@@ -86,6 +86,14 @@ class Model(models.Model):
            path = "{}/".format(path)
        return path
+    @classmethod
+    def get_permission_classes(cls, related_model, default_permissions_classes):
+        try:
+            return getattr(related_model._meta, 'permission_classes',
+                           getattr(related_model.Meta, 'permission_classes', default_permissions_classes))
+        except AttributeError:
+            return default_permissions_classes
 class LDPSource(models.Model):
    container = models.URLField()

--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
-from rest_framework import permissions
-from rest_framework import filters
 from guardian.shortcuts import get_objects_for_user
+from rest_framework import filters
+from rest_framework import permissions
 """
 Liste des actions passées dans views selon le protocole REST :
@@ -16,6 +16,7 @@ Pour chacune de ces actions, on va définir si on accepte la requête (True) ou
    checks have already passed
 """
 class WACPermissions(permissions.DjangoObjectPermissions):
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
@@ -43,9 +44,11 @@ class ObjectFilter(filters.BaseFilterBackend):
        objects = get_objects_for_user(request.user, perm, klass=queryset)
        return objects
 class ObjectPermission(WACPermissions):
    filter_class = ObjectFilter
 class InboxPermissions(WACPermissions):
    """
        Anonymous users: can create notifications but can't read
@@ -53,6 +56,7 @@ class InboxPermissions(WACPermissions):
        Inbox owners: can read + update all notifications
    """
    filter_class = ObjectFilter
    def has_permission(self, request, view):
        if view.action in ['create', 'retrieve', 'update', 'partial_update', 'destroy']:
            return True
@@ -67,6 +71,7 @@ class InboxPermissions(WACPermissions):
                return True
        return super().has_object_permission(request, view)
 class AnonymousReadOnly(WACPermissions):
    """
        Anonymous users: can read all posts
@@ -97,4 +102,4 @@ class AnonymousReadOnly(WACPermissions):
                if author == request.user:
                    return True
        else:
            return super().has_object_permission(request, view, obj)
\ No newline at end of file
--- a/djangoldp/views.py
+++ b/djangoldp/views.py
@@ -6,7 +6,6 @@ from django.core.urlresolvers import get_resolver
 from django.db.utils import OperationalError
 from django.shortcuts import get_object_or_404
 from django.utils.decorators import classonlymethod
-from djangoldp.models import LDPSource
 from guardian.shortcuts import get_objects_for_user
 from pyld import jsonld
 from rest_framework.authentication import SessionAuthentication
@@ -14,6 +13,7 @@ from rest_framework.parsers import JSONParser
 from rest_framework.renderers import JSONRenderer
 from rest_framework.viewsets import ModelViewSet
+from djangoldp.models import LDPSource, Model
 from .serializers import LDPSerializer
@@ -194,7 +194,8 @@ class LDPNestedViewSet(LDPViewSet):
            related_field=related_field,
            parent_lookup_field=cls.get_lookup_arg(**kwargs),
            model_prefix=cls.get_model(**kwargs)._meta.object_name.lower(),
-            permission_classes=kwargs.get('permission_classes', ()),
+            permission_classes=Model.get_permission_classes(related_field.related_model,
+                                                            kwargs.get('permission_classes', ())),
            lookup_url_kwarg=related_field.related_model._meta.object_name.lower() + '_id')