tienda_ilusion/don_confiao/api_views.py

@@ -3,10 +3,12 @@ from rest_framework.response import Response
 from rest_framework.status import HTTP_400_BAD_REQUEST
 from rest_framework.views import APIView
 from rest_framework.pagination import PageNumberPagination
+from rest_framework.permissions import IsAuthenticated
 
 from .models import Sale, SaleLine, Customer, Product, ReconciliationJar, PaymentMethods, AdminCode
 from .serializers import SaleSerializer, ProductSerializer, CustomerSerializer, ReconciliationJarSerializer, PaymentMethodSerializer, SaleForRenconciliationSerializer, SaleSummarySerializer
 from .views import sales_to_tryton_csv
+from .permissions import IsAdministrator
 
 from decimal import Decimal
 from sabatron_tryton_rpc_client.client import Client
@@ -74,6 +76,8 @@ class CustomerView(viewsets.ModelViewSet):
 
 
 class ReconciliateJarView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def post(self, request):
         data = request.data
         cash_purchases_id = data.get('cash_purchases')
@@ -131,6 +135,8 @@ class PaymentMethodView(APIView):
 
 
 class SalesForReconciliationView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def get(self, request):
         sales = Sale.objects.filter(reconciliation=None)
         grouped_sales = {}
@@ -152,6 +158,8 @@ class SaleSummary(APIView):
 
 
 class AdminCodeValidateView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def get(self, request, code):
         codes = AdminCode.objects.filter(value=code)
         return Response({'validCode': bool(codes)})
@@ -161,9 +169,12 @@ class ReconciliateJarModelView(viewsets.ModelViewSet):
     queryset = ReconciliationJar.objects.all().order_by('-date_time')
     pagination_class = Pagination
     serializer_class = ReconciliationJarSerializer
+    permission_classes = [IsAuthenticated, IsAdministrator]
 
 
 class SalesForTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def get(self, request):
         sales = Sale.objects.all()
         csv = self._generate_sales_CSV(sales)
@@ -180,6 +191,8 @@ class SalesForTrytonView(APIView):
 
 
 class SalesToTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def post(self, request):
         tryton_client = Client(
             hostname=TRYTON_HOST,
@@ -269,6 +282,8 @@ class TrytonLineSale:
 
 
 class ProductsFromTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def post(self, request):
         tryton_client = Client(
             hostname=TRYTON_HOST,
@@ -362,6 +377,8 @@ class ProductsFromTrytonView(APIView):
 
 
 class CustomersFromTrytonView(APIView):
+    permission_classes = [IsAuthenticated, IsAdministrator]
+
     def post(self, request):
         tryton_client = Client(
             hostname=TRYTON_HOST,

tienda_ilusion/don_confiao/permissions.py

@@ -0,0 +1,6 @@
+from rest_framework.permissions import BasePermission
+
+
+class IsAdministrator(BasePermission):
+    def has_permission(self, request, view):
+        return request.user and request.user.is_staff