Add permission validation on element patch/delete

4608cfeb · Valentin Rigal · Valentin Rigal · 1f91579a · 4608cfeb
Commit 4608cfeb authored 5 years ago by Valentin Rigal Committed by Valentin Rigal 5 years ago
--- a/arkindex/documents/api/elements.py
+++ b/arkindex/documents/api/elements.py
@@ -176,10 +176,7 @@ class ElementRetrieve(RetrieveUpdateDestroyAPIView):
    permission_classes = (IsVerifiedOrReadOnly, )

    def get_queryset(self):
-        if self.request.method == 'GET':
-            corpora = Corpus.objects.readable(self.request.user)
-        else:
-            corpora = Corpus.objects.writable(self.request.user)
+        corpora = Corpus.objects.readable(self.request.user)
        return Element.objects \
            .filter(corpus__in=corpora) \
            .select_related(
@@ -193,6 +190,14 @@ class ElementRetrieve(RetrieveUpdateDestroyAPIView):
                Prefetch('classifications', queryset=classifications_queryset)
            )

+    def check_object_permissions(self, request, obj):
+        super().check_object_permissions(request, obj)
+        rights = obj.corpus.get_acl_rights(request.user)
+        if request.method == 'DELETE' and Right.Admin not in rights:
+            self.permission_denied(request, message='You do not have admin acces to this element.')
+        elif request.method != 'GET' and Right.Write not in rights:
+            self.permission_denied(request, message='You do not have write access to this element.')
+
    def perform_destroy(self, instance):
        children_count = ElementPath.objects.filter(path__contains=[instance.id]).count()
        if children_count: