From ed57afcf96217ad3c4e18c336c28399fa76dbf53 Mon Sep 17 00:00:00 2001
From: Mads Nylund <73914541+MadsNyl@users.noreply.github.com>
Date: Mon, 10 Jun 2024 00:03:19 +0200
Subject: [PATCH] Permission refactor of QR Codes (#807)
* added permissions to qr code and refactored viewset
* format
* removed unused imports
---
 app/content/models/qr_code.py | 31 ++++++++++++++++++++++++++++++-
 app/content/views/qr_code.py | 7 +++----
 2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/app/content/models/qr_code.py b/app/content/models/qr_code.py
index 476b4e330..aab7550cd 100644
--- a/app/content/models/qr_code.py
+++ b/app/content/models/qr_code.py
@@ -1,7 +1,7 @@
 from django.db import models
 from app.common.enums import Groups
-from app.common.permissions import BasePermissionModel
+from app.common.permissions import BasePermissionModel, check_has_access
 from app.content.models import User
 from app.util.models import BaseModel, OptionalImage
@@ -20,3 +20,32 @@ class Meta:
 def __str__(self):
 return f"{self.name} - {self.user.user_id}"
+
+ @classmethod
+ def has_read_permission(cls, request):
+ return check_has_access(cls.read_access, request)
+
+ @classmethod
+ def has_retrieve_permission(cls, request):
+ return check_has_access(cls.read_access, request)
+
+ @classmethod
+ def has_destroy_permission(cls, request):
+ return check_has_access(cls.write_access, request)
+
+ @classmethod
+ def has_create_permission(cls, request):
+ return check_has_access(cls.write_access, request)
+
+ @classmethod
+ def has_update_permission(cls, request):
+ return check_has_access(cls.write_access, request)
+
+ def has_object_retrieve_permission(self, request):
+ return request.user == self.user
+
+ def has_object_update_permission(self, request):
+ return request.user == self.user
+
+ def has_object_destroy_permission(self, request):
+ return request.user == self.user
diff --git a/app/content/views/qr_code.py b/app/content/views/qr_code.py
index db9316f3e..478546e6d 100644
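Review bot: The owner checks in `has_object_retrieve_permission`, `has_object_update_permission` and `has_object_destroy_permission` are three copies of `request.user == self.user`, and nothing marks that comparison as the per-object access control for QR codes. One private helper, e.g. `def _is_owner(self, request): return request.user is not None and request.user == self.user`, would keep the rule in one place and make the unauthenticated case explicit. Without that guard `None == None` would pass if `request.user` is unset and the `user` field were ever nullable; neither is visible in this hunk. Only retrieve, update and destroy are covered, so any other object-level action falls back to whatever `BasePermissionModel` provides, and it is worth confirming that default denies non-owners. The class body starts above the hunk.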
--- a/app/content/views/qr_code.py
+++ b/app/content/views/qr_code.py
@@ -1,10 +1,9 @@
-from django.shortcuts import get_object_or_404
 from rest_framework import status
 from rest_framework.response import Response
 from app.common.permissions import BasicViewPermission
 from app.common.viewsets import BaseViewSet
-from app.content.models import QRCode, User
+from app.content.models import QRCode
 from app.content.serializers.qr_code import (
 QRCodeCreateSerializer,
 QRCodeSerializer,
@@ -19,11 +18,11 @@ class QRCodeViewSet(BaseViewSet):
 def get_queryset(self):
 if hasattr(self, "action") and self.action == "retrieve":
 return super().get_queryset()
- user = get_object_or_404(User, user_id=self.request.id)
+ user = self.request.user
 return super().get_queryset().filter(user=user)
 def create(self, request, *args, **kwargs):
- user = get_object_or_404(User, user_id=request.id)
+ user = request.user
 data = request.data
 serializer = QRCodeCreateSerializer(data=data, context={"request": request})
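Review bot: In `get_queryset`, the `retrieve` branch still returns the unfiltered queryset, so the only per-owner restriction on retrieve is `has_object_retrieve_permission`, and it applies only if `BasicViewPermission` actually invokes it. Scoping every action with `return super().get_queryset().filter(user=self.request.user)` would keep the owner restriction even if the object-level check is skipped or later changed, at the cost of answering 404 instead of 403 for another user's id. If the unfiltered branch is deliberate, a comment on it such as `# ownership on retrieve is enforced by QRCode.has_object_retrieve_permission` and a test that a non-owner's retrieve is rejected would guard against regressions. `create` continues past the end of the hunk, so how `user` is attached to the new QR code is not visible here.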