users can only edit view destroy their data

KrystianOg · Oct 19, 2022 · 8200bef · 8200bef
1 parent acb2e15
commit 8200bef
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 2 deletions.
diff --git a/api/apps/core/models.py b/api/apps/core/models.py
@@ -50,7 +50,7 @@ def create_appointment_permissions(sender, instance=None, created=False, **kwarg
         assign_perm("change_appointment", instance.doctor, instance)
         # patient should be notified when doctor deletes appointment
         assign_perm("delete_appointment", instance.doctor, instance)
-        # doctor should be notified when patient changes appointment
+        # doctor should be notified when patient deletes appointment
         assign_perm("delete_appointment", instance.patient, instance)
 
 

diff --git a/api/apps/core/serializers.py b/api/apps/core/serializers.py
@@ -18,6 +18,9 @@ def validate_patient(self, patient):
             return patient
         raise serializers.ValidationError("This user is not a patient")
 
+    def validate_date(self, attrs):
+        pass
+
 
 class RequestSerializer(serializers.ModelSerializer):
     class Meta:
@@ -37,4 +40,10 @@ class Meta:
         fields = ["pk", "email", "first_name", "last_name"]
         read_only_fields = ["pk"]
 
-    # TODO: patients and doctors should be able to change ONLY their accounts
+    def update(self, instance, validated_data):
+        request = self.context.get("request")
+        user_pk = request.user.pk
+        user_to_be_changed_pk = request.data.get("pk")
+        if not user_pk == user_to_be_changed_pk:
+            raise serializers.ValidationError("Trying to change different account")
+        return super().update(instance, validated_data)
diff --git a/api/apps/core/views.py b/api/apps/core/views.py
@@ -7,6 +7,7 @@
 )
 from .models import Appointment, Request, User
 from .mixins import ObjectPermissionMixin
+from django.core.exceptions import PermissionDenied
 
 
 class AppointmentViewSet(ObjectPermissionMixin, viewsets.ModelViewSet):
@@ -28,6 +29,20 @@ def get_queryset(self):
             queryset = Appointment.objects.filter(patient=user)
         return queryset
 
+    def destroy(self, request, *args, **kwargs):
+        doctor_pk = Appointment.objects.get(pk=int(kwargs["pk"])).doctor
+        patient_pk = Appointment.objects.get(pk=int(kwargs["pk"])).patient
+        if patient_pk != self.request.user.pk and doctor_pk != self.request.user.pk:
+            raise PermissionDenied
+        return super().destroy(request, args, kwargs)
+
+    def retrieve(self, request, *args, **kwargs):
+        patient_pk = Appointment.objects.get(pk=int(kwargs["pk"])).patient
+        doctor_pk = Appointment.objects.get(pk=int(kwargs["pk"])).doctor
+        if patient_pk != self.request.user.pk and doctor_pk != self.request.user.pk:
+            raise PermissionDenied
+        return super().retrieve(request, args, kwargs)
+
 
 class RequestViewSet(ObjectPermissionMixin, viewsets.ModelViewSet):
     permission_classes = [IsAuthenticated]
@@ -46,6 +61,20 @@ def get_queryset(self):
             queryset = Request.objects.filter(patient=user)
         return queryset
 
+    def destroy(self, request, *args, **kwargs):
+        patient_pk = Request.objects.get(pk=int(kwargs["pk"])).patient
+        if patient_pk != self.request.user.pk:
+            raise PermissionDenied
+        return super().destroy(request, args, kwargs)
+
+    def retrieve(self, request, *args, **kwargs):
+        user = self.request.user
+        user_groups = set(user.groups.values_list("name", flat=True))
+        patient_pk = Request.objects.get(pk=int(kwargs["pk"])).patient
+        if "Patient" in user_groups and patient_pk != self.request.user.pk:
+            raise PermissionDenied
+        return super().retrieve(request, args, kwargs)
+
 
 class UserViewSet(
     viewsets.GenericViewSet,
@@ -66,3 +95,18 @@ def get_queryset(self):
         else:
             queryset = User.objects.filter(email=user.email)
         return queryset
+
+    def update(self, request, *args, **kwargs):
+        if int(kwargs["pk"]) != int(self.request.user.pk):
+            raise PermissionDenied
+        return super().update(request, args, kwargs)
+
+    def destroy(self, request, *args, **kwargs):
+        if int(kwargs["pk"]) != int(self.request.user.pk):
+            raise PermissionDenied
+        return super().destroy(request, args, kwargs)
+
+    def retrieve(self, request, *args, **kwargs):
+        if int(kwargs["pk"]) != int(self.request.user.pk):
+            raise PermissionDenied
+        return super().retrieve(request, args, kwargs)