Deleted objects are not really deleted but now appear to be via REST.

2026-02-02 01:58:09 -03:30 · 2013-03-21 14:20:59 -04:00
parent c189cfcddb
commit f8e57ddd3b
3 changed files with 76 additions and 28 deletions
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -4,27 +4,15 @@ from lib.main.models import *
 from lib.main.serializers import *
 from lib.main.rbac import *
 from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
 from rest_framework import mixins
 from rest_framework import generics
 from rest_framework import permissions
 import exceptions
+import datetime

-class OrganizationsList(generics.ListCreateAPIView):
-
-    model = Organization
-    serializer_class = OrganizationSerializer
-    permission_classes = (CustomRbac,)
-
-    #def pre_save(self, obj):
-    #   obj.owner = self.request.user
-   
-    def get_queryset(self):
-
-        if self.request.user.is_superuser:
-            return Organization.objects.filter(active=True)
-        return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
-               Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()
-
+class BaseList(generics.ListCreateAPIView):
+  
    def list_permissions_check(self, request, obj=None):
        if request.method == 'GET':
             # everybody can call get, but it's filtered
@@ -33,9 +21,41 @@ class OrganizationsList(generics.ListCreateAPIView):
             # superusers have already been cleared, so deny regular users
             return False
        raise exceptions.NotImplementedError
+    
+    def get_queryset(self):
+        return self._get_queryset().filter(active=True)    
+
+class BaseDetail(generics.RetrieveUpdateDestroyAPIView):
+
+    def destroy(self, request, *args, **kwargs):
+        # somewhat lame that delete has to call it's own permissions check
+        obj = self.model.objects.get(pk=kwargs['pk'])
+        if not request.user.is_superuser and not self.delete_permissions_check(request, obj):
+            raise PermissionDenied()
+        obj.name   = "_deleted_%s_%s" % (str(datetime.time()), obj.name)
+        obj.active = False
+        obj.save()
+        return HttpResponse(status=204)
+
+class OrganizationsList(BaseList):
+
+    model = Organization
+    serializer_class = OrganizationSerializer
+    permission_classes = (CustomRbac,)
+   
+    def _get_queryset(self):
+
+        if self.request.user.is_superuser:
+            return Organization.objects.filter(active=True)
+
+        return Organization.objects.filter(
+            admins__in = [ self.request.user.application_user ]
+        ).distinct() | Organization.objects.filter(
+            users__in = [ self.request.user.application_user ]
+        ).distinct()
+
+class OrganizationsDetail(BaseDetail):

- 
-class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
    model = Organization
    serializer_class = OrganizationSerializer

@@ -45,12 +65,15 @@ class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
    #   obj.owner = self.request.user

    def item_permissions_check(self, request, obj):
-        admin = request.user.application_user in obj.admins.all() 
-        user  = request.user.application_user in obj.users.all()
+        is_admin = request.user.application_user in obj.admins.all() 
+        is_user  = request.user.application_user in obj.users.all()
+        
        if request.method == 'GET':
-             return admin or user
-        if request.method == 'PUT':
-             return admin
-
+            return is_admin or is_user
+        elif request.method in [ 'PUT' ]:
+            return is_admin
+        return False

+    def delete_permissions_check(self, request, obj):
+        return request.user.application_user in obj.admins.all()