refactor permission

rockstarr-programmerr · rockstarr-programmerr · commit e839aeb03f6d · 2021-10-05T21:09:59.000+07:00
diff --git a/classroom/filters/classroom.py b/classroom/filters/classroom.py
@@ -15,9 +15,24 @@ class Meta:
     @property
     def qs(self):
         parent = super().qs
-        teacher = self.request.user
-        classrooms_pks = teacher.classrooms_teaching.all().values_list('pk', flat=True)
-        qs = parent.filter(pk__in=list(classrooms_pks))\
+
+        if self.request.user.is_teacher():
+            classrooms = self.teacher_classrooms
+        else:
+            classrooms = self.student_classrooms
+        classrooms_pks = list(classrooms.values_list('pk', flat=True))
+
+        qs = parent.filter(pk__in=classrooms_pks)\
                    .select_related('teacher')\
                    .prefetch_related('students')
         return qs
+
+    @property
+    def teacher_classrooms(self):
+        teacher = self.request.user
+        return teacher.classrooms_teaching.all()
+
+    @property
+    def student_classrooms(self):
+        student = self.request.user
+        return student.classrooms_studying.all()
diff --git a/classroom/filters/exercise.py b/classroom/filters/exercise.py
@@ -15,8 +15,12 @@ class Meta:
     @property
     def qs(self):
         parent = super().qs
-        teacher = self.request.user
-        exercises_pks = teacher.reading_exercises_created.all().values_list('pk', flat=True)
-        qs = parent.filter(pk__in=list(exercises_pks))\
-                   .select_related('creator')
+        user = self.request.user
+
+        if user.is_teacher():
+            qs = parent.filter(creator=user)
+        else:
+            qs = parent.filter(classrooms__in=user.classrooms_studying.all())  # TODO: test
+        qs = qs.select_related('creator')
+
         return qs
diff --git a/classroom/filters/question.py b/classroom/filters/question.py
@@ -14,8 +14,11 @@ class Meta:
     def qs(self):
         parent = super().qs
         user = self.request.user
-        exercises = user.reading_exercises_created.all()
-        questions_pks = ReadingQuestion.objects.filter(exercise__in=exercises).values_list('pk', flat=True)
-        qs = parent.filter(pk__in=list(questions_pks))\
-                   .select_related('exercise__creator')
+
+        if user.is_teacher():
+            qs = parent.filter(exercise__creator=user)
+        else:
+            qs = parent.filter(exercise__classrooms__in=user.classrooms_studying.all())  # TODO: test
+        qs = qs.select_related('exercise__creator')
+
         return qs
diff --git a/classroom/permissions.py b/classroom/permissions.py
@@ -1,62 +1,15 @@
 from django.utils.translation import gettext_lazy as _
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import SAFE_METHODS, IsAuthenticated
 
 
-class IsTeacher(IsAuthenticated):
-    message = _('Only teacher has permission for this.')
+class IsTeacherOrReadOnly(IsAuthenticated):
+    message = _('Only teacher can edit this resource, student can only read.')
 
     def has_permission(self, request, view):
+        is_authenticated = super().has_permission(request, view)
+        is_teacher = request.user.is_teacher()
         return (
-            super().has_permission(request, view) and
-            request.user.is_teacher()
-        )
-
-
-class IsClassroomTeacher(IsTeacher):
-    message = _('Only teacher of this class room has permission for this.')
-
-    def has_object_permission(self, request, view, classroom):
-        return (
-            super().has_object_permission(request, view, classroom) and
-            request.user == classroom.teacher
-        )
-
-
-class IsTeacherOwnsExercise(IsTeacher):
-    message = _('Only teacher who owns this exercise has permission for this.')
-
-    def has_object_permission(self, request, view, exercise):
-        return (
-            super().has_object_permission(request, view, exercise) and
-            request.user == exercise.creator
-        )
-
-
-class IsTeacherOwnsQuestion(IsTeacher):
-    message = _('Only teacher who owns this question has permission for this.')
-
-    def has_object_permission(self, request, view, question):
-        return (
-            super().has_object_permission(request, view, question) and
-            request.user == question.exercise.creator
-        )
-
-
-class IsStudent(IsAuthenticated):
-    message = _('Only student has permission for this.')
-
-    def has_permission(self, request, view):
-        return (
-            super().has_permission(request, view) and
-            request.user.is_student()
-        )
-
-
-class IsClassroomStudent(IsStudent):
-    message = _('Only student of this class room has permission for this.')
-
-    def has_object_permission(self, request, view, classroom):
-        return (
-            super().has_object_permission(request, view, classroom) and
-            request.user in classroom.students.all()
+            is_authenticated and (
+                request.method in SAFE_METHODS or is_teacher
+            )
         )
diff --git a/classroom/views/classroom.py b/classroom/views/classroom.py
@@ -6,7 +6,7 @@
 from classroom.business.teacher import classroom as teacher_business
 from classroom.filters import ClassroomFilter
 from classroom.models import Classroom
-from classroom.permissions import IsClassroomTeacher
+from classroom.permissions import IsTeacherOrReadOnly
 from classroom.serializers import (AddReadingExerciseSerializer,
                                    AddStudentSerializer, ClassroomSerializer,
                                    RemoveReadingExerciseSerializer,
@@ -17,7 +17,7 @@ class ClassroomViewSet(ModelViewSet):
     queryset = Classroom.objects.all()
     serializer_class = ClassroomSerializer
     filterset_class = ClassroomFilter
-    permission_classes = [IsClassroomTeacher]
+    permission_classes = [IsTeacherOrReadOnly]
     ordering_fields = ['create_datetime', 'name']
     ordering = ['-create_datetime']
 
@@ -64,7 +64,7 @@ def remove_students(self, request, pk):
 
     @action(
         methods=['POST'], detail=True, url_path='add-reading-exercises',
-        serializer_class=AddReadingExerciseSerializer
+        serializer_class=AddReadingExerciseSerializer,
     )
     def add_reading_exercises(self, request, pk):
         serializer = self.get_serializer(data=request.data, many=True)
diff --git a/classroom/views/exercise.py b/classroom/views/exercise.py
@@ -2,14 +2,14 @@
 
 from classroom.filters import ReadingExerciseFilter
 from classroom.models import ReadingExercise
-from classroom.permissions import IsTeacherOwnsExercise
+from classroom.permissions import IsTeacherOrReadOnly
 from classroom.serializers import ReadingExerciseSerializer
 
 
 class ReadingExerciseViewSet(ModelViewSet):
     queryset = ReadingExercise.objects.all()
     serializer_class = ReadingExerciseSerializer
     filterset_class = ReadingExerciseFilter
-    permission_classes = [IsTeacherOwnsExercise]
+    permission_classes = [IsTeacherOrReadOnly]
     ordering_fields = ['identifier']
     ordering = ['identifier']
diff --git a/classroom/views/question.py b/classroom/views/question.py
@@ -2,14 +2,14 @@
 
 from classroom.filters import ReadingQuestionFilter
 from classroom.models import ReadingQuestion
-from classroom.permissions import IsTeacherOwnsQuestion
+from classroom.permissions import IsTeacherOrReadOnly
 from classroom.serializers import ReadingQuestionSerializer
 
 
 class ReadingQuestionViewSet(ModelViewSet):
     queryset = ReadingQuestion.objects.all()
     serializer_class = ReadingQuestionSerializer
     filterset_class = ReadingQuestionFilter
-    permission_classes = [IsTeacherOwnsQuestion]
+    permission_classes = [IsTeacherOrReadOnly]
     ordering_fields = ['from_number']
     ordering = ['from_number']
