Merge d303e1d into caf3b4a

onepercentclub · Sep 15, 2022 · b061c96 · b061c96
2 parents caf3b4a + d303e1d
commit b061c96
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/bluebottle/activities/serializers.py b/bluebottle/activities/serializers.py
@@ -80,6 +80,7 @@ class ActivityPreviewSerializer(ModelSerializer):
     end = serializers.SerializerMethodField()
 
     collect_type = serializers.SerializerMethodField()
+    permissions = serializers.SerializerMethodField()
 
     def get_start(self, obj):
         if obj.slots:
@@ -251,6 +252,37 @@ def get_is_full(self, obj):
         elif obj.type == 'period':
             return obj.status != 'open'
 
+    def get_permissions(self, obj):
+        user = self.context['request'].user
+        permission_mapping = {
+            'deed': 'deeds.api_change_own_deed',
+            'collectactivity': 'collect.api_change_own_collectactivity',
+            'dateactivity': 'time_based.api_change_own_dateactivity',
+            'periodactivity': 'time_based.api_change_own_periodactivity',
+            'funding': 'funding.api_change_own_funding',
+        }
+
+        model_permission = user.has_perm(permission_mapping[obj.type])
+        is_activity_manager = user.pk in [manager.id for manager in obj.initiative.activity_managers]
+        is_initiative_owner = user.pk == obj.initiative.owner
+        is_owner = user.pk == obj.owner.id
+
+        has_change_permission = (
+            model_permission and (
+                is_activity_manager or
+                is_initiative_owner or
+                is_owner or
+                user.is_staff
+            )
+        )
+
+        return {
+            'GET': True,
+            'PUT': has_change_permission,
+            'PATCH': has_change_permission,
+            'DELETE': has_change_permission
+        }
+
     class Meta(object):
         model = Activity
         fields = (
@@ -261,6 +293,7 @@ class Meta(object):
             'slot_count', 'is_online', 'has_multiple_locations', 'is_full',
             'collect_type'
         )
+        meta_fields = ('permissions', )
 
     class JSONAPIMeta:
         resource_name = 'activities/preview'

diff --git a/bluebottle/activities/tests/test_api.py b/bluebottle/activities/tests/test_api.py
@@ -80,6 +80,66 @@ def test_deed_preview(self):
         self.assertEqual(attributes['is-full'], None)
         self.assertEqual(attributes['theme'], activity.initiative.theme.name)
 
+    def test_permissions_anonymous(self):
+        DeedFactory.create(status='open')
+        response = self.client.get(self.url)
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertFalse(permissions['PUT'])
+        self.assertFalse(permissions['PATCH'])
+        self.assertFalse(permissions['DELETE'])
+
+    def test_permissions_user(self):
+        DeedFactory.create(status='open')
+        response = self.client.get(self.url, user=BlueBottleUserFactory.create())
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertFalse(permissions['PUT'])
+        self.assertFalse(permissions['PATCH'])
+        self.assertFalse(permissions['DELETE'])
+
+    def test_permissions_owner(self):
+        activity = DeedFactory.create(status='open')
+        response = self.client.get(self.url, user=activity.owner)
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertTrue(permissions['PUT'])
+        self.assertTrue(permissions['PATCH'])
+        self.assertTrue(permissions['DELETE'])
+
+    def test_permissions_initiative_owner(self):
+        activity = DeedFactory.create(status='open')
+        response = self.client.get(self.url, user=activity.initiative.owner)
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertTrue(permissions['PUT'])
+        self.assertTrue(permissions['PATCH'])
+        self.assertTrue(permissions['DELETE'])
+
+    def test_permissions_initiative_activity_manager(self):
+        activity = DeedFactory.create(status='open')
+        response = self.client.get(self.url, user=activity.initiative.activity_managers.first())
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertTrue(permissions['PUT'])
+        self.assertTrue(permissions['PATCH'])
+        self.assertTrue(permissions['DELETE'])
+
+    def test_permissions_initiative_activity_staff(self):
+        DeedFactory.create(status='open')
+        response = self.client.get(self.url, user=BlueBottleUserFactory.create(is_staff=True))
+        permissions = response.json()['data'][0]['meta']['permissions']
+
+        self.assertTrue(permissions['GET'])
+        self.assertTrue(permissions['PUT'])
+        self.assertTrue(permissions['PATCH'])
+        self.assertTrue(permissions['DELETE'])
+
     def test_date_preview(self):
         activity = DateActivityFactory.create(status='open')
         response = self.client.get(self.url, user=self.owner)