Adds IsAdminOrCourseCreator permission class (#29)

* added permission class for course creator

* added permission class to related views

Author: rehan99000

ecommerce/extensions/api/v2/views/coupons.py

@@ -11,7 +11,7 @@
 from django.shortcuts import get_object_or_404
 from oscar.core.loading import get_model
 from rest_framework import filters, generics, serializers, status, viewsets
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 from ecommerce.core.constants import COUPON_PRODUCT_CLASS_NAME
@@ -25,6 +25,7 @@
 from ecommerce.extensions.basket.utils import prepare_basket
 from ecommerce.extensions.catalogue.utils import create_coupon_product, get_or_create_catalog
 from ecommerce.extensions.checkout.mixins import EdxOrderPlacementMixin
+from ecommerce.extensions.edly_ecommerce_app.permissions import IsAdminOrCourseCreator
 from ecommerce.extensions.payment.processors.invoice import InvoicePayment
 from ecommerce.extensions.voucher.models import CouponVouchers
 from ecommerce.extensions.voucher.utils import (
@@ -53,7 +54,7 @@
 
 class CouponViewSet(EdxOrderPlacementMixin, viewsets.ModelViewSet):
     """ Coupon resource. """
-    permission_classes = (IsAuthenticated, IsAdminUser)
+    permission_classes = (IsAuthenticated, IsAdminOrCourseCreator)
     filter_backends = (filters.DjangoFilterBackend,)
     filter_class = ProductFilter
 

ecommerce/extensions/api/v2/views/courses.py

@@ -4,14 +4,15 @@
 from oscar.core.loading import get_model
 from rest_framework import status
 from rest_framework.decorators import detail_route
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 from ecommerce.core.constants import COURSE_ID_REGEX
 from ecommerce.courses.models import Course
 from ecommerce.extensions.api import serializers
 from ecommerce.extensions.api.v2.views import NonDestroyableModelViewSet
 from ecommerce.extensions.edly_ecommerce_app.helpers import is_valid_site_course
+from ecommerce.extensions.edly_ecommerce_app.permissions import IsAdminOrCourseCreator
 
 Product = get_model('catalogue', 'Product')
 ProductAttributeValue = get_model('catalogue', 'ProductAttributeValue')
@@ -28,7 +29,7 @@ class CourseViewSet(NonDestroyableModelViewSet):
     )
     lookup_value_regex = COURSE_ID_REGEX
     serializer_class = serializers.CourseSerializer
-    permission_classes = (IsAuthenticated, IsAdminUser,)
+    permission_classes = (IsAuthenticated, IsAdminOrCourseCreator,)
 
     def get_queryset(self):
         site_configuration = self.request.site.siteconfiguration

ecommerce/extensions/api/v2/views/publication.py

@@ -1,9 +1,10 @@
 """HTTP endpoints for course publication."""
 from rest_framework import generics, status
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 from ecommerce.extensions.api import serializers
+from ecommerce.extensions.edly_ecommerce_app.permissions import IsAdminOrCourseCreator
 from ecommerce.extensions.partner.shortcuts import get_partner_for_site
 
 
@@ -12,7 +13,7 @@ class AtomicPublicationView(generics.CreateAPIView, generics.UpdateAPIView):
 
     If either fails, the entire operation is rolled back. This keeps Otto and the LMS in sync.
     """
-    permission_classes = (IsAuthenticated, IsAdminUser,)
+    permission_classes = (IsAuthenticated, IsAdminOrCourseCreator,)
     serializer_class = serializers.AtomicPublicationSerializer
 
     def get_serializer_context(self):

ecommerce/extensions/edly_ecommerce_app/permissions.py

@@ -0,0 +1,13 @@
+from rest_framework.permissions import BasePermission
+from ecommerce.extensions.edly_ecommerce_app.helpers import user_is_course_creator
+
+
+class IsAdminOrCourseCreator(BasePermission):
+    """
+    Checks if logged in user is staff or a course creator.
+    """
+
+    def has_permission(self, request, view):
+        is_admin = request.user.is_staff or request.user.is_superuser
+        is_course_creator = user_is_course_creator(request)
+        return is_admin or is_course_creator