From 0d5a34d366a80024687fd9b116cba8a1d4adb36e Mon Sep 17 00:00:00 2001 From: mono Date: Sat, 14 Mar 2026 16:37:44 -0500 Subject: [PATCH] feat: add IsAdministrator permission and protect admin endpoints --- tienda_ilusion/don_confiao/api_views.py | 17 +++++++++++++++++ tienda_ilusion/don_confiao/permissions.py | 6 ++++++ 2 files changed, 23 insertions(+) create mode 100644 tienda_ilusion/don_confiao/permissions.py diff --git a/tienda_ilusion/don_confiao/api_views.py b/tienda_ilusion/don_confiao/api_views.py index f033e1c..5b7509f 100644 --- a/tienda_ilusion/don_confiao/api_views.py +++ b/tienda_ilusion/don_confiao/api_views.py @@ -3,10 +3,12 @@ from rest_framework.response import Response from rest_framework.status import HTTP_400_BAD_REQUEST from rest_framework.views import APIView from rest_framework.pagination import PageNumberPagination +from rest_framework.permissions import IsAuthenticated from .models import Sale, SaleLine, Customer, Product, ReconciliationJar, PaymentMethods, AdminCode from .serializers import SaleSerializer, ProductSerializer, CustomerSerializer, ReconciliationJarSerializer, PaymentMethodSerializer, SaleForRenconciliationSerializer, SaleSummarySerializer from .views import sales_to_tryton_csv +from .permissions import IsAdministrator from decimal import Decimal from sabatron_tryton_rpc_client.client import Client @@ -74,6 +76,8 @@ class CustomerView(viewsets.ModelViewSet): class ReconciliateJarView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def post(self, request): data = request.data cash_purchases_id = data.get('cash_purchases') @@ -131,6 +135,8 @@ class PaymentMethodView(APIView): class SalesForReconciliationView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def get(self, request): sales = Sale.objects.filter(reconciliation=None) grouped_sales = {} 
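Review bot: Only the views touched in this hunk and the following ones receive `permission_classes`; `CustomerView` (visible in this hunk's header) and, further down, `PaymentMethodView` and `SaleSummary` appear only as context and keep whatever `DEFAULT_PERMISSION_CLASSES` the project sets, which in DRF is `AllowAny` unless overridden. If those endpoints read or mutate customer and sales data they need at least `permission_classes = [IsAuthenticated]`, or the project should set a fail-closed default in `REST_FRAMEWORK` so that a view nobody remembered to list is not public. The `post` body of `ReconciliateJarView` continues outside the hunk, so I cannot tell from here whether `cash_purchases` is validated before it is used.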
@@ -152,6 +158,8 @@ class SaleSummary(APIView): class AdminCodeValidateView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def get(self, request, code): codes = AdminCode.objects.filter(value=code) return Response({'validCode': bool(codes)}) @@ -161,9 +169,12 @@ class ReconciliateJarModelView(viewsets.ModelViewSet): queryset = ReconciliationJar.objects.all().order_by('-date_time') pagination_class = Pagination serializer_class = ReconciliationJarSerializer + permission_classes = [IsAuthenticated, IsAdministrator] class SalesForTrytonView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def get(self, request): sales = Sale.objects.all() csv = self._generate_sales_CSV(sales) @@ -180,6 +191,8 @@ class SalesForTrytonView(APIView): class SalesToTrytonView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def post(self, request): tryton_client = Client( hostname=TRYTON_HOST, @@ -269,6 +282,8 @@ class TrytonLineSale: class ProductsFromTrytonView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def post(self, request): tryton_client = Client( hostname=TRYTON_HOST, @@ -362,6 +377,8 @@ class ProductsFromTrytonView(APIView): class CustomersFromTrytonView(APIView): + permission_classes = [IsAuthenticated, IsAdministrator] + def post(self, request): tryton_client = Client( hostname=TRYTON_HOST, diff --git a/tienda_ilusion/don_confiao/permissions.py b/tienda_ilusion/don_confiao/permissions.py new file mode 100644 index 0000000..d36562a --- /dev/null +++ b/tienda_ilusion/don_confiao/permissions.py @@ -0,0 +1,6 @@ +from rest_framework.permissions import BasePermission + + +class IsAdministrator(BasePermission): + def has_permission(self, request, view): + return request.user and request.user.is_staff
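Review bot: `AdminCodeValidateView.get` still receives the admin code as a URL path segment (`code`), so every validation attempt is written to web-server, proxy and browser-history logs even now that the view is staff-only; accepting the code in a POST body instead keeps it out of those places. The endpoint is also a yes/no oracle for `AdminCode` values and no throttling is visible in this hunk, so a `throttle_classes` entry next to the new `permission_classes` line (or a `DEFAULT_THROTTLE_RATES` setting) is worth adding. Whether a staff user should need to validate admin codes at all is a product question the commit message does not answer; a one-line docstring such as `"""Report whether *code* matches a stored AdminCode; staff-only."""` would at least record the intent.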
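Review bot: `IsAdministrator.has_permission` returns `request.user` itself (not a bool) when the user object is falsy, and it uses `is_staff` as the authorization flag; in Django `is_staff` only means "may log into the admin site", so anyone granted admin-site access for another reason also gains every endpoint gated by this class. Make the decision explicit and robust to a missing user, e.g. `user = getattr(request, 'user', None)` followed by `return bool(user and user.is_authenticated and user.is_staff)`; the `is_authenticated` check duplicates the `IsAuthenticated` class listed beside it in api_views.py but keeps this permission safe when it is ever used alone. Add a docstring stating that staff status is the criterion and, if a stricter notion of administrator is intended, consider `is_superuser` or a dedicated group instead.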