Merge branch 'api-working' of https://github.com/SELab-2/UGent-1 into…

… api-working
SELab-2 · Mar 12, 2024 · f413c89 · f413c89
2 parents 2f06aee + 65c45d2
commit f413c89
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/backend/pigeonhole/apps/courses/permissions.py b/backend/pigeonhole/apps/courses/permissions.py
@@ -17,7 +17,7 @@ def has_permission(self, request, view):
                 return True
             return
 
-        if request.user.is_student or request.user.is_teacher:
+        if request.user.is_student:
             return view.action in ['list', 'retrieve']
 
         return False
diff --git a/backend/pigeonhole/apps/users/permissions.py b/backend/pigeonhole/apps/users/permissions.py
@@ -0,0 +1,18 @@
+from rest_framework import permissions
+
+from backend.pigeonhole.apps.users.models import User
+
+
+class UserPermissions(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.user.is_admin or request.user.is_superuser:
+            return True  # TODO can admins destroy each other?
+
+        if request.user.is_teacher or request.user.is_student:
+            if view.action in ['list', 'retrieve']:  # TODO: can teachers create and destroy users?
+                return True
+            elif view.action in ['update', 'partial_update', 'destroy'] and User.objects.filter(
+                    id=request.user.id).exists():
+                return True
+
+        return False
diff --git a/backend/pigeonhole/apps/users/views.py b/backend/pigeonhole/apps/users/views.py
@@ -3,12 +3,13 @@
 from rest_framework.response import Response
 
 from backend.pigeonhole.apps.users.models import User, UserSerializer
+from .permissions import UserPermissions
 
 
 class UserViewSet(viewsets.ModelViewSet):
     queryset = User.objects.all()
     serializer_class = UserSerializer
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, UserPermissions]
 
     def list(self, request, *args, **kwargs):
         serializer = UserSerializer(self.queryset, many=True)
@@ -24,3 +25,35 @@ def create(self, request, *args, **kwargs):
             return Response(serializer.data, status=status.HTTP_201_CREATED)
         else:
             return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+    def update(self, request, *args, **kwargs):
+        user_id = kwargs.get('pk')
+        user = User.objects.get(pk=user_id)
+        serializer = UserSerializer(user, data=request.data)
+        if serializer.is_valid():
+            serializer.save()
+            return Response(serializer.data, status=status.HTTP_200_OK)
+        else:
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+    def partial_update(self, request, *args, **kwargs):
+        user_id = kwargs.get('pk')
+        user = User.objects.get(pk=user_id)
+        serializer = UserSerializer(user, data=request.data, partial=True)
+        if serializer.is_valid():
+            serializer.save()
+            return Response(serializer.data, status=status.HTTP_200_OK)
+        else:
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+    def destroy(self, request, *args, **kwargs):
+        user_id = kwargs.get('pk')
+        user = User.objects.get(pk=user_id)
+        user.delete()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
+    def retrieve(self, request, *args, **kwargs):
+        user_id = kwargs.get('pk')
+        user = User.objects.get(pk=user_id)
+        serializer = UserSerializer(user, many=False)
+        return Response(serializer.data, status=status.HTTP_200_OK)