feat: add IsAdministrator permission and protect admin endpoints
@@ -3,10 +3,12 @@ from rest_framework.response import Response
|
|||||||
from rest_framework.status import HTTP_400_BAD_REQUEST
|
from rest_framework.status import HTTP_400_BAD_REQUEST
|
||||||
from rest_framework.views import APIView
|
from rest_framework.views import APIView
|
||||||
from rest_framework.pagination import PageNumberPagination
|
from rest_framework.pagination import PageNumberPagination
|
||||||
|
from rest_framework.permissions import IsAuthenticated
|
||||||
|
|
||||||
from .models import Sale, SaleLine, Customer, Product, ReconciliationJar, PaymentMethods, AdminCode
|
from .models import Sale, SaleLine, Customer, Product, ReconciliationJar, PaymentMethods, AdminCode
|
||||||
from .serializers import SaleSerializer, ProductSerializer, CustomerSerializer, ReconciliationJarSerializer, PaymentMethodSerializer, SaleForRenconciliationSerializer, SaleSummarySerializer
|
from .serializers import SaleSerializer, ProductSerializer, CustomerSerializer, ReconciliationJarSerializer, PaymentMethodSerializer, SaleForRenconciliationSerializer, SaleSummarySerializer
|
||||||
from .views import sales_to_tryton_csv
|
from .views import sales_to_tryton_csv
|
||||||
|
from .permissions import IsAdministrator
|
||||||
|
|
||||||
from decimal import Decimal
|
from decimal import Decimal
|
||||||
from sabatron_tryton_rpc_client.client import Client
|
from sabatron_tryton_rpc_client.client import Client
|
||||||
@@ -74,6 +76,8 @@ class CustomerView(viewsets.ModelViewSet):
|
|||||||
|
|
||||||
|
|
||||||
class ReconciliateJarView(APIView):
|
class ReconciliateJarView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def post(self, request):
|
def post(self, request):
|
||||||
data = request.data
|
data = request.data
|
||||||
cash_purchases_id = data.get('cash_purchases')
|
cash_purchases_id = data.get('cash_purchases')
|
||||||
@@ -131,6 +135,8 @@ class PaymentMethodView(APIView):
|
|||||||
|
|
||||||
|
|
||||||
class SalesForReconciliationView(APIView):
|
class SalesForReconciliationView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def get(self, request):
|
def get(self, request):
|
||||||
sales = Sale.objects.filter(reconciliation=None)
|
sales = Sale.objects.filter(reconciliation=None)
|
||||||
grouped_sales = {}
|
grouped_sales = {}
|
||||||
@@ -152,6 +158,8 @@ class SaleSummary(APIView):
|
|||||||
|
|
||||||
|
|
||||||
class AdminCodeValidateView(APIView):
|
class AdminCodeValidateView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def get(self, request, code):
|
def get(self, request, code):
|
||||||
codes = AdminCode.objects.filter(value=code)
|
codes = AdminCode.objects.filter(value=code)
|
||||||
return Response({'validCode': bool(codes)})
|
return Response({'validCode': bool(codes)})
|
||||||
@@ -161,9 +169,12 @@ class ReconciliateJarModelView(viewsets.ModelViewSet):
|
|||||||
queryset = ReconciliationJar.objects.all().order_by('-date_time')
|
queryset = ReconciliationJar.objects.all().order_by('-date_time')
|
||||||
pagination_class = Pagination
|
pagination_class = Pagination
|
||||||
serializer_class = ReconciliationJarSerializer
|
serializer_class = ReconciliationJarSerializer
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
|
|
||||||
class SalesForTrytonView(APIView):
|
class SalesForTrytonView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def get(self, request):
|
def get(self, request):
|
||||||
sales = Sale.objects.all()
|
sales = Sale.objects.all()
|
||||||
csv = self._generate_sales_CSV(sales)
|
csv = self._generate_sales_CSV(sales)
|
||||||
@@ -180,6 +191,8 @@ class SalesForTrytonView(APIView):
|
|||||||
|
|
||||||
|
|
||||||
class SalesToTrytonView(APIView):
|
class SalesToTrytonView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def post(self, request):
|
def post(self, request):
|
||||||
tryton_client = Client(
|
tryton_client = Client(
|
||||||
hostname=TRYTON_HOST,
|
hostname=TRYTON_HOST,
|
||||||
@@ -269,6 +282,8 @@ class TrytonLineSale:
|
|||||||
|
|
||||||
|
|
||||||
class ProductsFromTrytonView(APIView):
|
class ProductsFromTrytonView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def post(self, request):
|
def post(self, request):
|
||||||
tryton_client = Client(
|
tryton_client = Client(
|
||||||
hostname=TRYTON_HOST,
|
hostname=TRYTON_HOST,
|
||||||
@@ -362,6 +377,8 @@ class ProductsFromTrytonView(APIView):
|
|||||||
|
|
||||||
|
|
||||||
class CustomersFromTrytonView(APIView):
|
class CustomersFromTrytonView(APIView):
|
||||||
|
permission_classes = [IsAuthenticated, IsAdministrator]
|
||||||
|
|
||||||
def post(self, request):
|
def post(self, request):
|
||||||
tryton_client = Client(
|
tryton_client = Client(
|
||||||
hostname=TRYTON_HOST,
|
hostname=TRYTON_HOST,
|
||||||
|
|||||||
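--- a/tienda_ilusion/don_confiao/permissions.py
+++ b/tienda_ilusion/don_confiao/permissions.py
@@ -0,0 +1,6 @@
+from rest_framework.permissions import BasePermission
+
+
+class IsAdministrator(BasePermission):
+    def has_permission(self, request, view):
+        return request.user and request.user.is_staff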
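Review bot: `has_permission` equates the application's "administrator" with Django's `is_staff` flag, which Django defines as permission to use the admin site rather than an application role, and the class carries no docstring saying so; add one such as `"""Grant access only to users with Django's is_staff flag set (this project's notion of administrator)."""` so the mapping is explicit for whoever assigns that flag. The expression also yields `None` rather than `False` when `request.user` is unset, so `return bool(request.user and request.user.is_staff)` is the cleaner form. Whether inactive staff accounts are already rejected before this check depends on the authentication classes configured elsewhere in the project; if that is not guaranteed, `is_active` belongs in the check as well. The views in this commit pair the class with `IsAuthenticated`, which is the right order, since an anonymous request never reaches the `is_staff` test.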