Commit cf82526d authored by Konrad Mohrfeldt's avatar Konrad Mohrfeldt :koala:

refactor: tidy up APIUserViewSet

* normalized queryset handling
* consistent formatting of method descriptions.
parent 60a791ae
1 merge request!20refactor collection filters with django_filters
...@@ -195,26 +195,26 @@ class APIUserViewSet( ...@@ -195,26 +195,26 @@ class APIUserViewSet(
viewsets.GenericViewSet, viewsets.GenericViewSet,
): ):
""" """
/users returns oneself. Superusers see all users. Only superusers may create a user (GET, POST) Returns a list of users.
/users/{pk} retrieves or updates a single user. Non-superusers may only update certain fields
(GET, PUT)
Superusers may access and update all users. Only returns the user that is currently authenticated unless the user is a superuser.
""" """
permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly] permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly]
serializer_class = UserSerializer serializer_class = UserSerializer
queryset = User.objects.none() queryset = User.objects.all()
def get_queryset(self): def get_queryset(self):
"""Constrain access to oneself except for superusers""" queryset = super().get_queryset()
if self.request.user.is_superuser:
return User.objects.all() # Constrain access to oneself except for superusers.
if not self.request.user.is_superuser:
queryset = queryset.filter(pk=self.request.user.id)
return User.objects.filter(pk=self.request.user.id) return queryset
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
"""Returns a single user""" """Returns a single user."""
pk = get_values(self.kwargs, "pk") pk = get_values(self.kwargs, "pk")
# Common users only see themselves # Common users only see themselves
...@@ -227,8 +227,9 @@ class APIUserViewSet( ...@@ -227,8 +227,9 @@ class APIUserViewSet(
def create(self, request, *args, **kwargs): def create(self, request, *args, **kwargs):
""" """
Create a User Create a User.
Only superusers may create a user
Only superusers may create users.
""" """
if not request.user.is_superuser: if not request.user.is_superuser:
...@@ -243,6 +244,11 @@ class APIUserViewSet( ...@@ -243,6 +244,11 @@ class APIUserViewSet(
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def update(self, request, *args, **kwargs): def update(self, request, *args, **kwargs):
"""
Updates the user’s data.
Non-superusers may not be able to edit all of the available data.
"""
pk = get_values(self.kwargs, "pk") pk = get_values(self.kwargs, "pk")
serializer = UserSerializer(data=request.data) serializer = UserSerializer(data=request.data)
...@@ -267,6 +273,7 @@ class APIUserViewSet( ...@@ -267,6 +273,7 @@ class APIUserViewSet(
class APIShowViewSet(viewsets.ModelViewSet): class APIShowViewSet(viewsets.ModelViewSet):
""" """
Returns a list of available shows. Returns a list of available shows.
Only superusers may add and delete shows. Only superusers may add and delete shows.
""" """
......
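Review bot: The class-level default in `APIUserViewSet` now fails open: `queryset = User.objects.all()` replaces `User.objects.none()`, so the filter in `get_queryset()` is the only thing restricting non-superusers to their own record. Any code path that reads `self.queryset` directly, or a later override of `get_queryset()` that skips `super()`, would expose every user, and `DjangoModelPermissionsOrAnonReadOnly` admits unauthenticated reads. For anonymous requests the filter matches nothing only because `AnonymousUser.id` is `None`; I would state that next to the filter, e.g. `# AnonymousUser has id None, so unauthenticated requests match no rows.`, and cover it with a test that anonymous and non-superuser list requests never return other users. The new `update` docstring ("may not be able to edit all of the available data") should name the restricted fields or where they are enforced. The bodies of `retrieve`, `create` and `update` continue outside the hunks shown.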