From af5307b9a2cd15be14a304a4d5cdc196e172dc92 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Wed, 1 Nov 2023 19:38:36 -0400
Subject: [PATCH] feat: remove checks if is_superuser

---
 program/views.py | 77 ------------------------------------------------
 1 file changed, 77 deletions(-)

diff --git a/program/views.py b/program/views.py
index c0869cf1..b6555185 100644
--- a/program/views.py
+++ b/program/views.py
@@ -276,13 +276,6 @@ class APIUserViewSet(
         return queryset
 
     def create(self, request, *args, **kwargs):
-        """
-        Only admins may create users.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
         serializer = UserSerializer(
             context={"request": request},  # the serializer needs the request in the context
             data=request.data,
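Review bot: Removing the `is_superuser` guard from `APIUserViewSet.create` leaves user creation protected only by whatever `permission_classes` the viewset or the project-level defaults declare, and nothing in this patch adds or references such a replacement. The same gap applies to the guards dropped in the later hunks for `APIShowViewSet.create`/`update`/`destroy`, `APIScheduleViewSet.create`/`destroy` and `APITimeSlotViewSet.update`/`destroy`; the deleted `destroy` methods fall back to `ModelViewSet`'s default, which deletes the object with no admin check of its own. Two of the removed checks (`APIShowViewSet.update` and `APITimeSlotViewSet.update`) were ownership rules keyed on `request.user.shows`, not admin-only rules, so a flat admin permission class would not reproduce them and an object-level permission or a queryset scoped to the user's shows is needed instead. If the replacement lives in another commit, naming it in the message, or a class-level comment such as `# authorization is enforced by permission_classes, not per-handler checks`, would let a reader verify the API is never deployed without either. `create`'s body continues past the end of the hunk.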
@@ -390,13 +383,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
         return obj
 
     def create(self, request, *args, **kwargs):
-        """
-        Only admins may create a show.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
         serializer = ShowSerializer(
             context={"request": request},  # the serializer needs the request in the context
             data=request.data,
@@ -409,17 +395,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
     def update(self, request, *args, **kwargs):
-        """
-        Non-admin users may only update shows they own.
-        """
-
-        pk = get_values(self.kwargs, "pk")
-
-        if not request.user.is_superuser and pk not in request.user.shows.values_list(
-            "id", flat=True
-        ):
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
         partial = kwargs.get("partial", False)
         show = self.get_object()
         serializer = ShowSerializer(
@@ -430,9 +405,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
         )
 
         if serializer.is_valid():
-            # Common users mustn't edit the show's name
-            if not request.user.is_superuser:
-                serializer.validated_data["name"] = show.name
             serializer.save()
             return Response(serializer.data)
 
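Review bot: The block dropped from `APIShowViewSet.update` enforced a field-level rule (non-admins may edit a show but not its `name`), which a view-level permission class cannot express, so if the rule is meant to survive it has to move into `ShowSerializer` (treating `name` as read-only unless the user is a superuser; the create path already passes the request in the serializer context, so the same is presumably available here — confirm for the update path). If the rule is intentionally dropped, the commit message should say so, since renaming a show becomes open to anyone who may update it. `update` starts and ends outside this hunk.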
@@ -442,18 +414,6 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
         kwargs["partial"] = True
         return self.update(request, *args, **kwargs)
 
-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete shows.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-
 
 @extend_schema_view(
     retrieve=extend_schema(summary="Retrieve a single rrule."),
@@ -571,8 +531,6 @@ class APIScheduleViewSet(
 
         Note that creating or updating a schedule is the only way to create timeslots.
 
-        Only admins may add schedules.
-
         The projected timeslots defined by the schedule are matched against existing
         timeslots. The API will return an object that contains
 
@@ -596,9 +554,6 @@ class APIScheduleViewSet(
         are currently supported as solutions.
         """
 
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
         pk, show_pk = get_values(self.kwargs, "pk", "show_pk")
 
         # Only allow creating when calling /shows/{show_pk}/schedules/ and with ehe `schedule` JSON
@@ -621,8 +576,6 @@ class APIScheduleViewSet(
         """
         Update a schedule, generate timeslots, test for collisions and resolve
         them including notes.
-
-        Only admins may update schedules.
         """
 
         if not request.user.is_superuser:
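Review bot: The docstring line `Only admins may update schedules.` is removed here, but the check it documented, `if not request.user.is_superuser:` on the hunk's last line, stays in place, so after this commit `APIScheduleViewSet.update` is the one handler that still enforces the rule while no longer documenting it. Either the check is meant to stay, in which case the docstring line should stay with it, or it was missed and should go with the others, as the commit title implies. The rest of `update` lies outside the hunk.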
@@ -656,18 +609,6 @@ class APIScheduleViewSet(
 
         return Response(resolution)
 
-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete schedules.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-
 
 # TODO: Create is currently not implemented because timeslots are supposed to be inserted
 #       by creating or updating a schedule.
@@ -708,12 +649,6 @@ class APITimeSlotViewSet(
 
     def update(self, request, *args, **kwargs):
         show_pk = get_values(self.kwargs, "show_pk")
-
-        if not request.user.is_superuser and show_pk not in request.user.shows.values_list(
-            "id", flat=True
-        ):
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
         timeslot = self.get_object()
         serializer = TimeSlotSerializer(timeslot, data=request.data)
         if serializer.is_valid():
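Review bot: With the ownership check removed from `APITimeSlotViewSet.update`, the assignment `show_pk = get_values(self.kwargs, "show_pk")` on the hunk's first body line has no remaining use within the hunk; if the rest of `update`, which continues past the hunk, does not read it either, the lookup is dead and should be dropped alongside the check. Leaving it makes a reader expect a show-scoped check that no longer exists.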
@@ -733,18 +668,6 @@ class APITimeSlotViewSet(
 
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-    def destroy(self, request, *args, **kwargs):
-        """
-        Only admins may delete timeslots.
-        """
-
-        if not request.user.is_superuser:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        self.get_object().delete()
-
-        return Response(status=status.HTTP_204_NO_CONTENT)
-
 
 @extend_schema_view(
     create=extend_schema(summary="Create a new note."),
-- 
GitLab