feat: remove checks if is_superuser

af5307b9 · Ernesto Rico Schmidt · e9a2d7f1 · af5307b9
Verified Commit af5307b9 authored 1 year ago by Ernesto Rico Schmidt
--- a/program/views.py
+++ b/program/views.py
@@ -276,13 +276,6 @@ class APIUserViewSet(
        return queryset

    def create(self, request, *args, **kwargs):
-        """
-        Only admins may create users.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
        serializer = UserSerializer(
            context={"request": request},  # the serializer needs the request in the context
            data=request.data,
@@ -390,13 +383,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
        return obj

    def create(self, request, *args, **kwargs):
-        """
-        Only admins may create a show.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
        serializer = ShowSerializer(
            context={"request": request},  # the serializer needs the request in the context
            data=request.data,
@@ -409,17 +395,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    def update(self, request, *args, **kwargs):
-        """
-        Non-admin users may only update shows they own.
-        """
-
-        pk = get_values(self.kwargs, "pk")
-
-        if not request.user.is_superuser and pk not in request.user.shows.values_list(
-            "id", flat=True
-        ):
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
        partial = kwargs.get("partial", False)
        show = self.get_object()
        serializer = ShowSerializer(
@@ -430,9 +405,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
        )

        if serializer.is_valid():
-            # Common users mustn't edit the show's name
-            if not request.user.is_superuser:
-                serializer.validated_data["name"] = show.name
            serializer.save()
            return Response(serializer.data)

@@ -442,18 +414,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
        kwargs["partial"] = True
        return self.update(request, *args, **kwargs)

-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete shows.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-

 @extend_schema_view(
    retrieve=extend_schema(summary="Retrieve a single rrule."),
@@ -571,8 +531,6 @@ class APIScheduleViewSet(

        Note that creating or updating a schedule is the only way to create timeslots.

-        Only admins may add schedules.
-
        The projected timeslots defined by the schedule are matched against existing
        timeslots. The API will return an object that contains

@@ -596,9 +554,6 @@ class APIScheduleViewSet(
        are currently supported as solutions.
        """

-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
        pk, show_pk = get_values(self.kwargs, "pk", "show_pk")

        # Only allow creating when calling /shows/{show_pk}/schedules/ and with ehe `schedule` JSON
@@ -621,8 +576,6 @@ class APIScheduleViewSet(
        """
        Update a schedule, generate timeslots, test for collisions and resolve
        them including notes.
-
-        Only admins may update schedules.
        """

        if not request.user.is_superuser:
@@ -656,18 +609,6 @@ class APIScheduleViewSet(

        return Response(resolution)

-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete schedules.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-

 # TODO: Create is currently not implemented because timeslots are supposed to be inserted
 #       by creating or updating a schedule.
@@ -708,12 +649,6 @@ class APITimeSlotViewSet(

    def update(self, request, *args, **kwargs):
        show_pk = get_values(self.kwargs, "show_pk")
-
-        if not request.user.is_superuser and show_pk not in request.user.shows.values_list(
-            "id", flat=True
-        ):
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
        timeslot = self.get_object()
        serializer = TimeSlotSerializer(timeslot, data=request.data)
        if serializer.is_valid():
@@ -733,18 +668,6 @@ class APITimeSlotViewSet(

        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete timeslots.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-

 @extend_schema_view(
    create=extend_schema(summary="Create a new note."),