From a9f14dec66457bf75e90f0168a7e931ec64dd7f3 Mon Sep 17 00:00:00 2001
From: kshitijrajsharma
Date: Tue, 15 Oct 2024 15:08:35 +0200
Subject: [PATCH] Add permission for user to be able to submit the training request but not modify / delete it
---
 backend/login/permissions.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/backend/login/permissions.py b/backend/login/permissions.py
index 58848120..b40c1390 100644
--- a/backend/login/permissions.py
+++ b/backend/login/permissions.py
@@ -28,10 +28,15 @@ def has_object_permission(self, request, view, obj):
 # Allow modification (PUT, DELETE) if the user is staff or admin
 if request.user.is_staff or request.user.is_superuser:
 return True
-
- if hasattr(obj, "user") and obj.user == request.user:
- return True
-
+ ## if the object it is trying to access has user info
+ if hasattr(obj, "user"):
+ # in order to change it it needs to be in his/her name
+ if obj.user == request.user:
+ return True
+ else:
+ if request.method == "POST":
+ # if object doesn't have user in it then he has permission to access the object , considered as common object
+ return True
 return False
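Review bot: The added `else` branch returns True for a POST on any object that lacks a `user` attribute, so "common object" is inferred from an attribute name rather than declared; a model that records its owner under another field, or only through a parent object, would be opened to every caller that passes `has_permission`. Assuming this is a Django REST Framework permission class, `has_object_permission` runs only when a view calls `get_object()` or `check_object_permissions()`, so a plain create POST never reaches this branch and what it actually opens is POST on detail routes; it is worth confirming that this is the submit path the commit message means. Consider narrowing the branch to the models meant to be shared, e.g. `elif request.method == "POST" and isinstance(obj, COMMON_MODELS):  # COMMON_MODELS: placeholder tuple of shared model classes`, and adding a test that a non-owner POST on an owned object is still refused. The function starts above the hunk, so any earlier safe-method handling is not visible here.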