From aa078a78c57ff608c284581b888c75dba5a0667e Mon Sep 17 00:00:00 2001
From: Keannu Bernasol <noehbernasol0@gmail.com>
Date: Fri, 8 Dec 2023 23:07:08 +0800
Subject: [PATCH] Allow students and teachers to view equipments and equipment
 instances but forbid them from creating, updating, or deleting

---
 equipment_tracker/equipments/serializers.py | 49 ++++++++++++++++++++-
 equipment_tracker/equipments/views.py       |  4 +-
 2 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/equipment_tracker/equipments/serializers.py b/equipment_tracker/equipments/serializers.py
index 774d140..45793a7 100644
--- a/equipment_tracker/equipments/serializers.py
+++ b/equipment_tracker/equipments/serializers.py
@@ -1,4 +1,4 @@
-from rest_framework import serializers
+from rest_framework import serializers, exceptions
 from .models import Equipment, EquipmentInstance
 from drf_spectacular.utils import extend_schema_field
 from drf_spectacular.types import OpenApiTypes
@@ -30,6 +30,30 @@ class EquipmentSerializer(serializers.HyperlinkedModelSerializer):
         read_only_fields = ('id', 'last_updated',
                             'last_updated_by', 'date_added')
 
+    def create(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to create equipments
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot create equipments")
+        return super().create(instance, validated_data)
+
+    def update(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to update equipments
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot update equipments")
+        return super().update(instance, validated_data)
+
+    # Do not allow users that are not technicians to delete equipments
+    def delete(self, instance):
+        user = self.context['request'].user
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot delete equipments")
+        instance.delete()
+
     @extend_schema_field(OpenApiTypes.STR)
     def get_history_user(self, obj):
         return obj.history_user.username if obj.history_user else None
@@ -106,12 +130,33 @@ class EquipmentInstanceSerializer(serializers.HyperlinkedModelSerializer):
     status = serializers.ChoiceField(
         choices=EquipmentInstance.EQUIPMENT_INSTANCE_STATUS_CHOICES)
 
-    # Forbid user from changing equipment field once the instance is already created
+    def create(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to create equipment instances
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot create equipments")
+        return super().create(instance, validated_data)
+
     def update(self, instance, validated_data):
+        user = self.context['request'].user
+        # Do not allow users that are not technicians to update equipment instances
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot update equipment instances")
+        # Forbid user from changing equipment field once the instance is already created
         # Ignore any changes to 'equipment'
         validated_data.pop('equipment', None)
         return super().update(instance, validated_data)
 
+    # Do not allow users that are not technicians to delete equipment instances
+    def delete(self, instance):
+        user = self.context['request'].user
+        if not user.is_technician:
+            raise exceptions.ValidationError(
+                "Non-technician users cannot delete equipment instances")
+        instance.delete()
+
     class Meta:
         model = EquipmentInstance
         fields = ('id', 'equipment', 'equipment_name', 'category', 'status', 'remarks',
diff --git a/equipment_tracker/equipments/views.py b/equipment_tracker/equipments/views.py
index 700f6b1..3888d5c 100644
--- a/equipment_tracker/equipments/views.py
+++ b/equipment_tracker/equipments/views.py
@@ -10,7 +10,7 @@ from accounts.permissions import IsTechnician
 
 class EquipmentViewSet(viewsets.ModelViewSet):
     if (not DEBUG):
-        permission_classes = [IsAuthenticated, IsTechnician]
+        permission_classes = [IsAuthenticated]
     serializer_class = serializers.EquipmentSerializer
     queryset = Equipment.objects.all().order_by('id')
 
@@ -52,7 +52,7 @@ class LastUpdatedEquipmentViewSet(generics.ListAPIView):
 
 class EquipmentInstanceViewSet(viewsets.ModelViewSet):
     if (not DEBUG):
-        permission_classes = [IsAuthenticated, IsTechnician]
+        permission_classes = [IsAuthenticated]
     serializer_class = serializers.EquipmentInstanceSerializer
     queryset = EquipmentInstance.objects.all().order_by('id')