#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""This module implements permission handling for DRF API views"""
from rest_framework.permissions import BasePermission, IsAuthenticated

CATEGORIES_PATH = "/document/api/categories/"
DOCUMENTS_PATH = "/document/api/documents/"
ORDERS_PATH = "/document/api/orders/"


class UserPermission(IsAuthenticated):
    """Basic Authenticated User permissions"""
    def has_object_permission(self, request, view, obj):
        if not request.user.is_authenticated:
            return False

        if view.action in ["destroy", "retrieve"]:
            return obj.user == request.user or request.user.is_superuser
        return False


class RestrictedAnonymous(BasePermission):
    """
    Permission class for anonymous user.
    Anonymous user has some scoped access to basic resources from API.
    Namely, possibility to request POST to create Document object inside its
    request session. This is due to te fact, that non-logged user should also
    have possibility to order and download documents (after sucessful payment)
    """
    def has_permission(self, request, view):
        if view.action in ["list", "retrieve"]:
            if not request.path.startswith(ORDERS_PATH):
                return request.user.is_authenticated
            return True
        if view.action == "create" and request.path in [DOCUMENTS_PATH, ORDERS_PATH]:
            return True
        if view.action == "default" and request.path.startswith(CATEGORIES_PATH):
            return True
        if view.action in ["update_answers", "download"] and request.path.startswith(DOCUMENTS_PATH) :
            return True
        return False

    def has_object_permission(self, request, view, obj):
        return False