From d5dbe2b876955004757f151532080baadd256ea4 Mon Sep 17 00:00:00 2001
From: Keannu Bernasol
Date: Thu, 21 Dec 2023 14:57:42 +0800
Subject: [PATCH] Fix is student permission and add viewsets for teachers and students for viewing transactions assigned to them
---
 equipment_tracker/accounts/permissions.py | 4 +--
 equipment_tracker/schema.yml | 32 +++++++++++++++++++++++
 equipment_tracker/transactions/urls.py | 2 ++
 equipment_tracker/transactions/views.py | 29 ++++++++++++++++++++
 4 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/equipment_tracker/accounts/permissions.py b/equipment_tracker/accounts/permissions.py
index 0d4ed90..d7148f8 100644
--- a/equipment_tracker/accounts/permissions.py
+++ b/equipment_tracker/accounts/permissions.py
@@ -25,7 +25,7 @@ class IsStudent(BasePermission):
 message = "You must be a student to perform this action."
 def has_permission(self, request, view):
- return request.user.is_authenticated and request.user.is_student
+ return request.user.is_authenticated and (not request.user.is_teacher and not request.user.is_technician)
 def has_object_permission(self, request, view, obj):
- return request.user.is_authenticated and request.user.is_student
+ return request.user.is_authenticated and (not request.user.is_teacher and not request.user.is_technician)
diff --git a/equipment_tracker/schema.yml b/equipment_tracker/schema.yml
index 6d8166a..84cc793 100644
--- a/equipment_tracker/schema.yml
+++ b/equipment_tracker/schema.yml
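Review bot: In accounts/permissions.py, `IsStudent.has_permission` and `has_object_permission` now define a student by exclusion, so every authenticated account that is neither teacher nor technician passes the check, presumably including admin accounts and any role added later. An authorization check stays fail-closed when it asserts the role positively; if `is_student` is not reliably populated, repairing it on the user model (not visible in this diff) is safer than inferring it here. The same expression is also duplicated in both methods, and `has_object_permission` could be reduced to `return self.has_permission(request, view)`. The class body starts above the hunk.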
@@ -1051,6 +1051,38 @@ paths:
 schema:
 $ref: '#/components/schemas/Transaction'
 description: ''
+ /api/v1/transactions/student:
+ get:
+ operationId: api_v1_transactions_student_list
+ tags:
+ - api
+ security:
+ - jwtAuth: []
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/Transaction'
+ description: ''
+ /api/v1/transactions/teacher:
+ get:
+ operationId: api_v1_transactions_teacher_list
+ tags:
+ - api
+ security:
+ - jwtAuth: []
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/Transaction'
+ description: ''
 components:
 schemas:
 Activation:
diff --git a/equipment_tracker/transactions/urls.py b/equipment_tracker/transactions/urls.py
index 101e758..339bda7 100644
--- a/equipment_tracker/transactions/urls.py
+++ b/equipment_tracker/transactions/urls.py
@@ -7,4 +7,6 @@ router.register(r'', views.TransactionViewSet)
 urlpatterns = [
 path('', include(router.urls)),
+ path('student', views.TransactionByStudentViewSet.as_view()),
+ path('teacher', views.TransactionByTeacherViewSet.as_view()),
 ]
diff --git a/equipment_tracker/transactions/views.py b/equipment_tracker/transactions/views.py
index bcdf86d..bade244 100644
--- a/equipment_tracker/transactions/views.py
+++ b/equipment_tracker/transactions/views.py
@@ -1,4 +1,5 @@
 from rest_framework.permissions import IsAuthenticated
+from accounts.permissions import IsTeacher, IsStudent
 from rest_framework import viewsets, generics
 from .serializers import TransactionSerializer
 from .models import Transaction
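Review bot: In transactions/urls.py the new `student` and `teacher` paths are listed after `path('', include(router.urls))`, and the router is registered on the empty prefix, so they are reachable only while the router's detail pattern does not match those segments first. The router's construction is outside the hunk; if it has trailing slashes disabled, or if these paths are later given a trailing slash, the request would presumably resolve to `TransactionViewSet` with `pk='student'`, which is guarded by `IsAuthenticated` alone rather than `IsStudent`/`IsTeacher`. Listing the two specific paths before `path('', include(router.urls))` removes that dependency on pattern ordering.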
@@ -11,3 +12,31 @@ class TransactionViewSet(viewsets.ModelViewSet):
 permission_classes = [IsAuthenticated]
 serializer_class = TransactionSerializer
 queryset = Transaction.objects.all()
+
+
+class TransactionByStudentViewSet(generics.ListAPIView):
+ # Only allow GET, POST/CREATE
+ # Transactions cannot be deleted
+ http_method_names = ['get']
+ permission_classes = [IsAuthenticated, IsStudent]
+ serializer_class = TransactionSerializer
+ queryset = Transaction.objects.all()
+
+ def get_queryset(self):
+ user = self.request.user
+ transactions = Transaction.objects.filter(borrower=user)
+ return transactions
+
+
+class TransactionByTeacherViewSet(generics.ListAPIView):
+ # Only allow GET, POST/CREATE
+ # Transactions cannot be deleted
+ http_method_names = ['get']
+ permission_classes = [IsAuthenticated, IsTeacher]
+ serializer_class = TransactionSerializer
+ queryset = Transaction.objects.all()
+
+ def get_queryset(self):
+ user = self.request.user
+ transactions = Transaction.objects.filter(teacher=user)
+ return transactions
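Review bot: Both new views declare `queryset = Transaction.objects.all()` at class level even though `get_queryset` replaces it with the per-user filter, so the default is fail-open: if the override is ever removed, the view returns every transaction. Dropping the attribute or using `queryset = Transaction.objects.none()` keeps the default closed. The comment `# Only allow GET, POST/CREATE` does not match `http_method_names = ['get']` on a `ListAPIView`; `# Read-only: lists the requesting user's own transactions` would describe what the class does. The context lines show `TransactionViewSet` still serving `Transaction.objects.all()` under `IsAuthenticated` alone, so the scoping added here is presumably not a confidentiality boundary unless that viewset, which starts above the hunk, is restricted as well.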