Fix is student permission and add viewsets for teachers and students for viewing transactions assigned to them

equipment_tracker/accounts/permissions.py

@@ -25,7 +25,7 @@ class IsStudent(BasePermission):
     message = "You must be a student to perform this action."
 
     def has_permission(self, request, view):
-        return request.user.is_authenticated and request.user.is_student
+        return request.user.is_authenticated and (not request.user.is_teacher and not request.user.is_technician)
 
     def has_object_permission(self, request, view, obj):
-        return request.user.is_authenticated and request.user.is_student
+        return request.user.is_authenticated and (not request.user.is_teacher and not request.user.is_technician)

equipment_tracker/schema.yml

@@ -1051,6 +1051,38 @@ paths:
               schema:
                 $ref: '#/components/schemas/Transaction'
           description: ''
+  /api/v1/transactions/student:
+    get:
+      operationId: api_v1_transactions_student_list
+      tags:
+      - api
+      security:
+      - jwtAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Transaction'
+          description: ''
+  /api/v1/transactions/teacher:
+    get:
+      operationId: api_v1_transactions_teacher_list
+      tags:
+      - api
+      security:
+      - jwtAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Transaction'
+          description: ''
 components:
   schemas:
     Activation:

equipment_tracker/transactions/urls.py

@@ -7,4 +7,6 @@ router.register(r'', views.TransactionViewSet)
 
 urlpatterns = [
     path('', include(router.urls)),
+    path('student', views.TransactionByStudentViewSet.as_view()),
+    path('teacher', views.TransactionByTeacherViewSet.as_view()),
 ]

equipment_tracker/transactions/views.py

@@ -1,4 +1,5 @@
 from rest_framework.permissions import IsAuthenticated
+from accounts.permissions import IsTeacher, IsStudent
 from rest_framework import viewsets, generics
 from .serializers import TransactionSerializer
 from .models import Transaction
@@ -11,3 +12,31 @@ class TransactionViewSet(viewsets.ModelViewSet):
     permission_classes = [IsAuthenticated]
     serializer_class = TransactionSerializer
     queryset = Transaction.objects.all()
+
+
+class TransactionByStudentViewSet(generics.ListAPIView):
+    # Only allow GET, POST/CREATE
+    # Transactions cannot be deleted
+    http_method_names = ['get']
+    permission_classes = [IsAuthenticated, IsStudent]
+    serializer_class = TransactionSerializer
+    queryset = Transaction.objects.all()
+
+    def get_queryset(self):
+        user = self.request.user
+        transactions = Transaction.objects.filter(borrower=user)
+        return transactions
+
+
+class TransactionByTeacherViewSet(generics.ListAPIView):
+    # Only allow GET, POST/CREATE
+    # Transactions cannot be deleted
+    http_method_names = ['get']
+    permission_classes = [IsAuthenticated, IsTeacher]
+    serializer_class = TransactionSerializer
+    queryset = Transaction.objects.all()
+
+    def get_queryset(self):
+        user = self.request.user
+        transactions = Transaction.objects.filter(teacher=user)
+        return transactions