diff --git a/equipment_tracker/equipments/serializers.py b/equipment_tracker/equipments/serializers.py index 774d140..45793a7 100644 --- a/equipment_tracker/equipments/serializers.py +++ b/equipment_tracker/equipments/serializers.py @@ -1,4 +1,4 @@ -from rest_framework import serializers +from rest_framework import serializers, exceptions from .models import Equipment, EquipmentInstance from drf_spectacular.utils import extend_schema_field from drf_spectacular.types import OpenApiTypes @@ -30,6 +30,30 @@ class EquipmentSerializer(serializers.HyperlinkedModelSerializer): read_only_fields = ('id', 'last_updated', 'last_updated_by', 'date_added') + def create(self, instance, validated_data): + user = self.context['request'].user + # Do not allow users that are not technicians to create equipments + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot create equipments") + return super().create(instance, validated_data) + + def update(self, instance, validated_data): + user = self.context['request'].user + # Do not allow users that are not technicians to update equipments + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot update equipments") + return super().update(instance, validated_data) + + # Do not allow users that are not technicians to delete equipments + def delete(self, instance): + user = self.context['request'].user + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot delete equipments") + instance.delete() + @extend_schema_field(OpenApiTypes.STR) def get_history_user(self, obj): return obj.history_user.username if obj.history_user else None @@ -106,12 +130,33 @@ class EquipmentInstanceSerializer(serializers.HyperlinkedModelSerializer): status = serializers.ChoiceField( choices=EquipmentInstance.EQUIPMENT_INSTANCE_STATUS_CHOICES) - # Forbid user from changing equipment field once the instance is already created + def create(self, instance, validated_data): + user = self.context['request'].user + # Do not allow users that are not technicians to create equipment instances + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot create equipments") + return super().create(instance, validated_data) + def update(self, instance, validated_data): + user = self.context['request'].user + # Do not allow users that are not technicians to update equipment instances + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot update equipment instances") + # Forbid user from changing equipment field once the instance is already created # Ignore any changes to 'equipment' validated_data.pop('equipment', None) return super().update(instance, validated_data) + # Do not allow users that are not technicians to delete equipment instances + def delete(self, instance): + user = self.context['request'].user + if not user.is_technician: + raise exceptions.ValidationError( + "Non-technician users cannot delete equipment instances") + instance.delete() + class Meta: model = EquipmentInstance fields = ('id', 'equipment', 'equipment_name', 'category', 'status', 'remarks', diff --git a/equipment_tracker/equipments/views.py b/equipment_tracker/equipments/views.py index 700f6b1..3888d5c 100644 --- a/equipment_tracker/equipments/views.py +++ b/equipment_tracker/equipments/views.py @@ -10,7 +10,7 @@ from accounts.permissions import IsTechnician class EquipmentViewSet(viewsets.ModelViewSet): if (not DEBUG): - permission_classes = [IsAuthenticated, IsTechnician] + permission_classes = [IsAuthenticated] serializer_class = serializers.EquipmentSerializer queryset = Equipment.objects.all().order_by('id') @@ -52,7 +52,7 @@ class LastUpdatedEquipmentViewSet(generics.ListAPIView): class EquipmentInstanceViewSet(viewsets.ModelViewSet): if (not DEBUG): - permission_classes = [IsAuthenticated, IsTechnician] + permission_classes = [IsAuthenticated] serializer_class = serializers.EquipmentInstanceSerializer queryset = EquipmentInstance.objects.all().order_by('id')