thrillwiki_django_no_react/backend/apps/api/v1/permissions.py
pacnpal 8069589b8a feat: Complete Phase 5 of Django Unicorn refactoring for park detail templates
- Refactored park detail template from HTMX/Alpine.js to Django Unicorn component
- Achieved ~97% reduction in template complexity
- Created ParkDetailView component with optimized data loading and reactive features
- Developed a responsive reactive template for park details
- Implemented server-side state management and reactive event handlers
- Enhanced performance with optimized database queries and loading states
- Comprehensive error handling and user experience improvements

docs: Update Django Unicorn refactoring plan with completed components and phases

- Documented installation and configuration of Django Unicorn
- Detailed completed work on park search component and refactoring strategy
- Outlined planned refactoring phases for future components
- Provided examples of component structure and usage

feat: Implement parks rides endpoint with comprehensive features

- Developed API endpoint GET /api/v1/parks/{park_slug}/rides/ for paginated ride listings
- Included filtering capabilities for categories and statuses
- Optimized database queries with select_related and prefetch_related
- Implemented serializer for comprehensive ride data output
- Added complete API documentation for frontend integration
2025-09-02 22:58:11 -04:00

76 lines
2.9 KiB
Python

"""
API v1 Custom Permissions
This module contains custom permission classes for the API v1 endpoints,
providing flexible access control for different operations.
"""
from rest_framework import permissions
class ReadOnlyOrAuthenticated(permissions.BasePermission):
"""
Permission that allows read-only access to anyone but requires authentication for write operations.
- GET, HEAD, OPTIONS requests are allowed for anyone (no authentication required)
- POST, PUT, PATCH, DELETE requests require authentication
"""
def has_permission(self, request, view):
"""Check if user has permission to access the view."""
# Allow read-only access for safe methods
if request.method in permissions.SAFE_METHODS:
return True
# Require authentication for write operations
return request.user and request.user.is_authenticated
def has_object_permission(self, request, view, obj):
"""Check object-level permissions."""
# Allow read-only access for safe methods
if request.method in permissions.SAFE_METHODS:
return True
# Require authentication for write operations
return bool(request.user and request.user.is_authenticated)
class ReadOnlyOrOwnerOrStaff(permissions.BasePermission):
"""
Permission that allows read-only access to anyone but requires ownership or staff privileges for write operations.
- GET, HEAD, OPTIONS requests are allowed for anyone (no authentication required)
- POST requests require authentication
- PUT, PATCH, DELETE requests require ownership or staff privileges
"""
def has_permission(self, request, view):
"""Check if user has permission to access the view."""
# Allow read-only access for safe methods
if request.method in permissions.SAFE_METHODS:
return True
# Require authentication for write operations
return request.user and request.user.is_authenticated
def has_object_permission(self, request, view, obj):
"""Check object-level permissions."""
# Allow read-only access for safe methods
if request.method in permissions.SAFE_METHODS:
return True
# Require authentication for write operations
if not (request.user and request.user.is_authenticated):
return False
# For write operations, check ownership or staff status
if request.method in ['PUT', 'PATCH', 'DELETE']:
# Check if user is the owner (uploaded_by field) or staff
if hasattr(obj, 'uploaded_by'):
return bool(obj.uploaded_by == request.user or getattr(request.user, 'is_staff', False))
# Fallback to staff check if no ownership field
return bool(getattr(request.user, 'is_staff', False))
# For POST operations, just require authentication (already checked above)
return True
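The two classes split their decision across DRF's two hooks: `has_permission` runs at dispatch for every request, while `has_object_permission` runs only when the view calls `check_object_permissions` (which `GenericAPIView.get_object()` does, but a hand-written lookup may not). The ownership rule of `ReadOnlyOrOwnerOrStaff` lives entirely in the second hook, so the effective policy depends on which hooks the view actually invokes. The following added example (not code from the thrillwiki repository) evaluates both classes over an access matrix of method x caller kind to make that visible. `User`, `Request` and `Upload` are constructed stand-ins for Django's user model, DRF's request and an object carrying an `uploaded_by` field; the permission classes are restated with the same logic as the module above, and a minimal `permissions` stand-in is assumed only if `rest_framework` is not importable.

```python
"""Access-matrix check for ReadOnlyOrAuthenticated and ReadOnlyOrOwnerOrStaff.

Added example, not part of the thrillwiki repository. Stand-in types replace
Django/DRF objects so the block runs offline.
"""
from dataclasses import dataclass

try:
    from rest_framework import permissions
except ImportError:  # assumption: DRF absent; minimal stand-in with the same names
    class permissions:  # type: ignore[no-redef]
        SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

        class BasePermission:
            pass


class ReadOnlyOrAuthenticated(permissions.BasePermission):
    # Same logic as the module above, restated so this block is self-contained.
    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)


class ReadOnlyOrOwnerOrStaff(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        if not (request.user and request.user.is_authenticated):
            return False
        if request.method in ("PUT", "PATCH", "DELETE"):
            if hasattr(obj, "uploaded_by"):
                return bool(obj.uploaded_by == request.user or getattr(request.user, "is_staff", False))
            return bool(getattr(request.user, "is_staff", False))
        return True


@dataclass(eq=False)  # identity equality, like a DB-backed user row (constructed stand-in)
class User:
    name: str
    is_authenticated: bool = True
    is_staff: bool = False


@dataclass
class Request:  # constructed stand-in for DRF's Request
    method: str
    user: User


@dataclass
class Upload:  # constructed stand-in for an object with the uploaded_by field
    uploaded_by: User


ANON = User("anonymous", is_authenticated=False)  # truthy, like AnonymousUser


def decide(perm, method, user, obj=None):
    """Apply the hooks in DRF's order: has_permission at dispatch, then
    has_object_permission only if the view calls check_object_permissions
    (pass obj=None to model a view that never does)."""
    request = Request(method, user)
    if not perm.has_permission(request, view=None):
        return False
    if obj is None:
        return True
    return bool(perm.has_object_permission(request, None, obj))


def access_matrix(perm, obj):
    """Decision for each HTTP method x caller kind against a detail route."""
    callers = {
        "anon": ANON,
        "user": User("bob"),            # authenticated, not the owner
        "owner": obj.uploaded_by,
        "staff": User("carol", is_staff=True),
    }
    return {
        method: {name: decide(perm, method, who, obj) for name, who in callers.items()}
        for method in ("GET", "POST", "PUT", "DELETE")
    }


if __name__ == "__main__":
    upload = Upload(uploaded_by=User("alice"))
    for perm in (ReadOnlyOrAuthenticated(), ReadOnlyOrOwnerOrStaff()):
        print(type(perm).__name__)
        for method, row in access_matrix(perm, upload).items():
            print(f"  {method:<6}", row)
    # The ownership rule exists only in has_object_permission: a view that skips
    # check_object_permissions admits any authenticated user on DELETE.
    print("DELETE by non-owner, view-level check only:",
          decide(ReadOnlyOrOwnerOrStaff(), "DELETE", User("bob")))
```

The last line is the check worth keeping in a test suite: with `obj=None` the non-owner's DELETE is allowed, with the object present it is refused, so any view that uses `ReadOnlyOrOwnerOrStaff` and fetches its object outside `get_object()` must call `self.check_object_permissions(request, obj)` itself.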