Merge 3039e86 into 78a0419

ephios-dev · Mar 18, 2024 · de355a9 · de355a9
2 parents 78a0419 + 3039e86
commit de355a9
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 5 deletions.
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,4 +1,8 @@
 sphinx-github-changelog
 sphinxcontrib-openapi
 sphinx-notfound-page>=1.0.0rc1
-sphinx-rtd-theme
+sphinx-rtd-theme
+
+# No module named 'inflection'
+# https://github.com/encode/django-rest-framework/discussions/9288
+inflection
diff --git a/ephios/api/views/users.py b/ephios/api/views/users.py
@@ -10,6 +10,7 @@
 from rest_framework.mixins import RetrieveModelMixin
 from rest_framework.permissions import DjangoObjectPermissions
 from rest_framework.relations import SlugRelatedField
+from rest_framework.schemas.openapi import AutoSchema
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
@@ -65,6 +66,7 @@ class UserProfileMeView(RetrieveAPIView):
     queryset = UserProfile.objects.all()
     permission_classes = [IsAuthenticatedOrTokenHasScope]
     required_scopes = ["ME_READ"]
+    schema = AutoSchema(operation_id_base="OwnUserProfile")
 
     def get_object(self):
         if self.request.user is None:
@@ -94,6 +96,7 @@ class UserByMailView(RetrieveModelMixin, GenericViewSet):
     filter_backends = [ObjectPermissionsFilter]
     lookup_url_kwarg = "email"
     lookup_field = "email"
+    schema = AutoSchema(operation_id_base="UserProfileByMail")
 
 
 class UserParticipationView(viewsets.ReadOnlyModelViewSet):
@@ -104,4 +107,4 @@ class UserParticipationView(viewsets.ReadOnlyModelViewSet):
     required_scopes = ["CONFIDENTIAL_READ"]
 
     def get_queryset(self):
-        return LocalParticipation.objects.filter(user=self.kwargs["user"])
+        return LocalParticipation.objects.filter(user=self.kwargs.get("user"))
diff --git a/ephios/extra/mixins.py b/ephios/extra/mixins.py
@@ -10,11 +10,12 @@
 
 class CustomPermissionRequiredMixin(PermissionRequiredMixin):
     """
-    As of 2020-09-26, guardians permission mixin
-    doesn't support the mode of operation we want, but Django's does:
+    We modify Django's Mixin to support object permissions:
     * Logged in users without permission get 403
     * not logged in users get redirected to login
-    Therefore we patch Django's mixin to support object permissions
+
+    Set accept_object_perms to False to disable
+    object permissions (e.g. on create views).
     """
 
     accept_global_perms = True

diff --git a/ephios/plugins/pages/views.py b/ephios/plugins/pages/views.py
@@ -29,6 +29,7 @@ def dispatch(self, request, *args, **kwargs):
 class PageCreateView(CustomPermissionRequiredMixin, CreateView):
     model = Page
     permission_required = "pages.add_page"
+    accept_object_perms = False
     fields = ["title", "slug", "content", "show_in_footer", "publicly_visible"]
 
     def get_success_url(self):

diff --git a/ephios/plugins/qualification_management/views.py b/ephios/plugins/qualification_management/views.py
@@ -58,6 +58,7 @@ class QualificationCreateView(CustomPermissionRequiredMixin, CreateView):
     model = Qualification
     form_class = QualificationForm
     permission_required = "core.add_qualification"
+    accept_object_perms = False
 
     def get_form_kwargs(self):
         return {

diff --git a/ephios/plugins/simpleresource/views.py b/ephios/plugins/simpleresource/views.py
@@ -20,6 +20,7 @@ def get_queryset(self):
 
 class ResourceCreateView(CustomPermissionRequiredMixin, CreateView):
     permission_required = "simpleresource.add_resource"
+    accept_object_perms = False
     model = Resource
     fields = ["title", "category"]
     success_url = reverse_lazy("simpleresource:resource_list")