Allow students and teachers to view equipments and equipment instances but forbid them from creating, updating, or deleting

2024-11-16 22:09:27 +08:00 · 2023-12-08 23:07:08 +08:00 · 2023-12-08 23:07:08 +08:00 · aa078a78c5
commit aa078a78c5
parent 2c8cc87cbe
2 changed files with 49 additions and 4 deletions
--- a/equipment_tracker/equipments/serializers.py
+++ b/equipment_tracker/equipments/serializers.py
@ -1,4 +1,4 @@
-from rest_framework import serializers
+from rest_framework import serializers, exceptions
 from .models import Equipment, EquipmentInstance
 from drf_spectacular.utils import extend_schema_field
 from drf_spectacular.types import OpenApiTypes
@ -30,6 +30,30 @@ class EquipmentSerializer(serializers.HyperlinkedModelSerializer):
        read_only_fields = ('id', 'last_updated',
                            'last_updated_by', 'date_added')

+    def create(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to create equipments
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot create equipments")
+        return super().create(instance, validated_data)
+
+    def update(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to update equipments
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot update equipments")
+        return super().update(instance, validated_data)
+
+    # Do not allow users that are not technicians to delete equipments
+    def delete(self, instance):
+        user = self.context['request'].user
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot delete equipments")
+        instance.delete()
+
    @extend_schema_field(OpenApiTypes.STR)
    def get_history_user(self, obj):
        return obj.history_user.username if obj.history_user else None
@ -106,12 +130,33 @@ class EquipmentInstanceSerializer(serializers.HyperlinkedModelSerializer):
    status = serializers.ChoiceField(
        choices=EquipmentInstance.EQUIPMENT_INSTANCE_STATUS_CHOICES)

-    # Forbid user from changing equipment field once the instance is already created
+    def create(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to create equipment instances
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot create equipments")
+        return super().create(instance, validated_data)
+
    def update(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to update equipment instances
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot update equipment instances")
+        # Forbid user from changing equipment field once the instance is already created
        # Ignore any changes to 'equipment'
        validated_data.pop('equipment', None)
        return super().update(instance, validated_data)

+    # Do not allow users that are not technicians to delete equipment instances
+    def delete(self, instance):
+        user = self.context['request'].user
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot delete equipment instances")
+        instance.delete()
+
    class Meta:
        model = EquipmentInstance
        fields = ('id', 'equipment', 'equipment_name', 'category', 'status', 'remarks',
--- a/equipment_tracker/equipments/views.py
+++ b/equipment_tracker/equipments/views.py
@ -10,7 +10,7 @@ from accounts.permissions import IsTechnician

 class EquipmentViewSet(viewsets.ModelViewSet):
    if (not DEBUG):
-        permission_classes = [IsAuthenticated, IsTechnician]
+        permission_classes = [IsAuthenticated]
    serializer_class = serializers.EquipmentSerializer
    queryset = Equipment.objects.all().order_by('id')

@ -52,7 +52,7 @@ class LastUpdatedEquipmentViewSet(generics.ListAPIView):

 class EquipmentInstanceViewSet(viewsets.ModelViewSet):
    if (not DEBUG):
-        permission_classes = [IsAuthenticated, IsTechnician]
+        permission_classes = [IsAuthenticated]
    serializer_class = serializers.EquipmentInstanceSerializer
    queryset = EquipmentInstance.objects.all().order_by('id')