feat: add IsAdministrator permission and protect admin endpoints

2026-03-14 16:37:44 -05:00
parent 7e2c03c81b
commit 0d5a34d366
2 changed files with 23 additions and 0 deletions
--- a/tienda_ilusion/don_confiao/api_views.py
+++ b/tienda_ilusion/don_confiao/api_views.py
@@ -3,10 +3,12 @@ from rest_framework.response import Response
 from rest_framework.status import HTTP_400_BAD_REQUEST
 from rest_framework.views import APIView
 from rest_framework.pagination import PageNumberPagination
+from rest_framework.permissions import IsAuthenticated

 from .models import Sale, SaleLine, Customer, Product, ReconciliationJar, PaymentMethods, AdminCode
 from .serializers import SaleSerializer, ProductSerializer, CustomerSerializer, ReconciliationJarSerializer, PaymentMethodSerializer, SaleForRenconciliationSerializer, SaleSummarySerializer
 from .views import sales_to_tryton_csv
+from .permissions import IsAdministrator

 from decimal import Decimal
 from sabatron_tryton_rpc_client.client import Client
@@ -74,6 +76,8 @@ class CustomerView(viewsets.ModelViewSet):


 class ReconciliateJarView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def post(self, request):
        data = request.data
        cash_purchases_id = data.get('cash_purchases')
@@ -131,6 +135,8 @@ class PaymentMethodView(APIView):


 class SalesForReconciliationView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def get(self, request):
        sales = Sale.objects.filter(reconciliation=None)
        grouped_sales = {}
@@ -152,6 +158,8 @@ class SaleSummary(APIView):


 class AdminCodeValidateView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def get(self, request, code):
        codes = AdminCode.objects.filter(value=code)
        return Response({'validCode': bool(codes)})
@@ -161,9 +169,12 @@ class ReconciliateJarModelView(viewsets.ModelViewSet):
    queryset = ReconciliationJar.objects.all().order_by('-date_time')
    pagination_class = Pagination
    serializer_class = ReconciliationJarSerializer
+    permission_classes = [IsAuthenticated, IsAdministrator]


 class SalesForTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def get(self, request):
        sales = Sale.objects.all()
        csv = self._generate_sales_CSV(sales)
@@ -180,6 +191,8 @@ class SalesForTrytonView(APIView):


 class SalesToTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def post(self, request):
        tryton_client = Client(
            hostname=TRYTON_HOST,
@@ -269,6 +282,8 @@ class TrytonLineSale:


 class ProductsFromTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def post(self, request):
        tryton_client = Client(
            hostname=TRYTON_HOST,
@@ -362,6 +377,8 @@ class ProductsFromTrytonView(APIView):


 class CustomersFromTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
    def post(self, request):
        tryton_client = Client(
            hostname=TRYTON_HOST,
--- a/tienda_ilusion/don_confiao/permissions.py
+++ b/tienda_ilusion/don_confiao/permissions.py
@@ -0,0 +1,6 @@
+from rest_framework.permissions import BasePermission
+
+
+class IsAdministrator(BasePermission):
+    def has_permission(self, request, view):
+        return request.user and request.user.is_staff