From 9cfd0bc3c305ef17a91f4c7f55e5a9e700f29634 Mon Sep 17 00:00:00 2001
From: Konrad Mohrfeldt <konrad.mohrfeldt@farbdev.org>
Date: Thu, 23 Jan 2025 15:49:49 +0100
Subject: [PATCH] refactor: move media endpoint access control to permission

---
 program/views.py | 62 +++++++++---------------------------------------
 1 file changed, 11 insertions(+), 51 deletions(-)

diff --git a/program/views.py b/program/views.py
index 9270654..4ed646a 100644
--- a/program/views.py
+++ b/program/views.py
@@ -39,7 +39,6 @@ from rest_framework.permissions import (
     SAFE_METHODS,
     BasePermission,
     DjangoModelPermissionsOrAnonReadOnly,
-    exceptions,
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -1643,6 +1642,11 @@ class APIApplicationStateView(TestOperationViewMixin, views.APIView):
         return Response(status=status.HTTP_200_OK, data=deleted)
 
 
+class MediaOwnershipPermission(ShowOwnershipPermission):
+    def _has_permission_from_show(self, request, view, obj: Media):
+        return request.user.id in obj.show.owners.values_list("id", flat=True)
+
+
 @extend_schema_view(
     create=extend_schema(summary="Create a new media."),
     retrieve=extend_schema(summary="Retrieve a single media."),
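Review bot: `MediaOwnershipPermission` has no docstring, and the membership test on the new line `return request.user.id in obj.show.owners.values_list("id", flat=True)` loads every owner id of the show just to check one value; `return obj.show.owners.filter(pk=request.user.pk).exists()` is a single EXISTS query and makes the anonymous case explicit (`request.user.pk` is `None` for `AnonymousUser`, which the current `in` test rejects only because no owner has a `None` id). I would add a docstring along the lines of `"""Object-level check: the requesting user must be one of the owners of the media's show; model-level permissions are enforced separately by DjangoModelPermissionsOrAnonReadOnly on the viewset."""`. The base class `ShowOwnershipPermission`, and therefore which methods and actions end up calling `_has_permission_from_show`, is outside this diff, so confirm the hook is only reached for object-level checks before relying on that wording.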
@@ -1654,53 +1658,9 @@ class APIApplicationStateView(TestOperationViewMixin, views.APIView):
 class APIMediaViewSet(viewsets.ModelViewSet):
     filterset_class = filters.MediaFilter
     serializer_class = MediaSerializer
-
-    def get_queryset(self):
-        """The queryset is empty if the request is not authenticated. Otherwise, it contains all
-        the media."""
-
-        if not self.request.user.is_authenticated:
-            return Media.objects.none()
-
-        return Media.objects.all()
-
-    def create(self, request, *args, **kwargs):
-        serializer = MediaSerializer(
-            context={"request": request},
-            data=request.data,
-        )
-
-        if serializer.is_valid(raise_exception=True):
-            serializer.save()
-
-            return Response(serializer.data, status=status.HTTP_201_CREATED)
-
-    def update(self, request, *args, **kwargs):
-        media = self.get_object()
-
-        data = request.data
-        data.update({"show_id": media.show_id})  # we already know it at this point
-
-        serializer = MediaSerializer(
-            context={"request": request},
-            data=data,
-            instance=media,
-        )
-
-        if serializer.is_valid(raise_exception=True):
-            serializer.save()
-
-            return Response(serializer.data, status=status.HTTP_200_OK)
-
-    def destroy(self, request, *args, **kwargs):
-        media = self.get_object()
-
-        user = request.user
-        user_is_owner = user in media.show.owners.all()
-
-        if not (user.has_perm("program.destroy_media") or user_is_owner):
-            raise exceptions.PermissionDenied("You are not allowed to delete this media.")
-
-        media.delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
+    pagination_class = LimitOffsetPagination
+    queryset = Media.objects.all()
+    permission_classes = [
+        DjangoModelPermissionsOrAnonReadOnly,
+        MediaOwnershipPermission,
+    ]
-- 
GitLab