| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 |
- from django.contrib.auth import get_user_model
- from django.core.exceptions import PermissionDenied
- from django.utils.translation import ugettext as _
- from rest_framework import viewsets
- from rest_framework.decorators import detail_route
- from rest_framework.parsers import JSONParser, MultiPartParser
- from misago.users.rest_permissions import (BasePermission,
- IsAuthenticatedOrReadOnly, UnbannedAnonOnly)
- from misago.users.api.userendpoints.avatar import avatar_endpoint
- from misago.users.api.userendpoints.create import create_endpoint
- class UserViewSetPermission(BasePermission):
- def has_permission(self, request, view):
- if view.action == 'create':
- policy = UnbannedAnonOnly()
- else:
- policy = IsAuthenticatedOrReadOnly()
- return policy.has_permission(request, view)
- def allow_self_only(user, pk, message):
- if user.is_anonymous():
- raise PermissionDenied(
- _("You have to sign in to perform this action."))
- if user.pk != int(pk):
- raise PermissionDenied(message)
- class UserViewSet(viewsets.ViewSet):
- permission_classes = (UserViewSetPermission,)
- parser_classes=(JSONParser, MultiPartParser)
- queryset = get_user_model().objects.all()
- def list(self, request):
- pass
- def create(self, request):
- return create_endpoint(request)
- @detail_route(methods=['get', 'post'])
- def avatar(self, request, pk=None):
- allow_self_only(
- request.user, pk, _("You can't change other users avatars."))
- return avatar_endpoint(request)
|
