
Tim Savage  committed af01cf2

Changed method _get_owner_pks to get_owner_pks, as this class is useful if you wish to implement an alternative method of getting the list of owner pks (i.e. the owner is a parent object).

Added helper shortcut for getting owned items that raises a 403 if current user does not have access.

  • Parent commits 9d323a3


Files changed (3)

File django_extras/contrib/auth/models.py

     class Meta:
         abstract = True
 
-    def _get_owner_pks(self):
+    def get_owner_pks(self):
         """
         Get all primary keys from owners.
 
                 user = User.objects.only('is_staff', 'is_superuser').get(pk=user_pk)
             if (include_staff and user.is_staff) or (include_superuser and user.is_superuser):
                 return True
-        return user_pk in self._get_owner_pks()
+        return user_pk in self.get_owner_pks()
+
+    def is_not_owned_by(self, user, include_staff=False, include_superuser=False):
+        """
+        Convenience method, is an inversion of is_owned_by.
+        """
+        return not self.is_owned_by(user, include_staff, include_superuser)
 
 
 class SingleOwnerMixin(OwnerMixinBase):
         """
         return [self.owner]
 
-    def _get_owner_pks(self):
+    def get_owner_pks(self):
         return [self.owner_id]
 
 
         """
         return list(self.owners.all())
 
-    def _get_owner_pks(self):
+    def get_owner_pks(self):
         return self.owners.values_list('id', flat=True)
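Review bot: `get_owner_pks` is now the public override point that `is_owned_by` relies on for its final membership test, but its contract is not written down, and the visible implementations differ: `SingleOwnerMixin` returns a list while the multi-owner variant returns a lazy `values_list` queryset. I would extend the base docstring with a sentence such as `Overrides must return an iterable of owner primary keys of the same type as user_pk; is_owned_by tests "user_pk in" the result.` Because the old name is removed without an alias, an existing subclass that overrode `_get_owner_pks` would presumably stop being consulted by `is_owned_by` without any error, which deserves a line in the release notes. The bodies of the base `get_owner_pks` and of `is_owned_by` begin outside the lines shown.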

File django_extras/contrib/auth/shortcuts.py

+from django.shortcuts import get_object_or_404
+from django.core.exceptions import PermissionDenied
+
+
+def get_owned_object_or_40x(klass, owner, include_staff=False, include_superuser=False, *args, **kwargs):
+    """
+    Returns an object if it can be found (using get_object_or_404).
+    If the object is not owned by the supplied owner a 403 will be raised.
+    """
+    obj = get_object_or_404(klass, *args, **kwargs)
+    if obj.is_not_owned_by(owner, include_staff, include_superuser):
+        raise PermissionDenied()
+    return obj
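Review bot: Because `include_staff` and `include_superuser` sit before `*args` in `get_owned_object_or_40x`, a positional lookup argument meant for `get_object_or_404` (for example a `Q` object) is bound to `include_staff` instead. A non-empty `Q` evaluates as true, so the lookup is silently dropped and staff users pass the ownership check although the caller never asked for that. Taking the flags from keyword arguments avoids this: `def get_owned_object_or_40x(klass, owner, *args, **kwargs):` followed by `include_staff = kwargs.pop('include_staff', False)` and `include_superuser = kwargs.pop('include_superuser', False)`. The docstring should also state that the 403 is raised only for objects that exist, so the 403/404 difference tells a non-owner whether a given key exists; views that need to hide that should answer 404 in both cases.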

File django_extras/tests/contrib/auth.py

         SingleOwner.objects.create(name="Test 4", description="123", owner_id=4) # Superuser
 
     def test_get_owner_pks(self):
-        actual = SingleOwner.objects.get(pk=1)._get_owner_pks()
+        actual = SingleOwner.objects.get(pk=1).get_owner_pks()
         self.assertListEqual([1], actual)
 
-        actual = SingleOwner.objects.get(pk=2)._get_owner_pks()
+        actual = SingleOwner.objects.get(pk=2).get_owner_pks()
         self.assertListEqual([2], actual)
 
     def test_get_owners_list(self):
         MultiOwner.objects.create(name="Test 4", description="123")
 
     def test_get_owner_pks(self):
-        actual = MultiOwner.objects.get(pk=1)._get_owner_pks()
+        actual = MultiOwner.objects.get(pk=1).get_owner_pks()
         self.assertSequenceEqual([1], actual)
 
-        actual = MultiOwner.objects.get(pk=2)._get_owner_pks()
+        actual = MultiOwner.objects.get(pk=2).get_owner_pks()
         self.assertSequenceEqual([1, 2], actual)
 
     def test_get_owners_list(self):