from rest_framework import permissions
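class IsTenantUser(permissions.BasePermission):
    """
    Allows access only to authenticated users who belong to a tenant.

    ``has_permission`` requires an authenticated user with a truthy
    ``tenant`` attribute. ``has_object_permission`` enforces tenant
    isolation for objects that carry a ``tenant`` attribute; objects
    without one are allowed through (fail-open — presumably shared or
    tenant-agnostic models; confirm that every tenant-scoped model
    actually exposes ``tenant``, otherwise the isolation check is skipped).
    """

    def has_permission(self, request, view):
        # Anonymous users carry no ``tenant`` attribute, so the
        # is_authenticated check must short-circuit before the lookup.
        user = request.user
        return bool(user and user.is_authenticated and user.tenant)

    def has_object_permission(self, request, view, obj):
        # DRF invokes has_object_permission on its own from
        # ``check_object_permissions`` (e.g. inside ``get_object``), so do
        # not rely on has_permission having run first: an anonymous user
        # has no ``tenant`` and would raise AttributeError (a 500) here
        # instead of being denied.
        user = request.user
        if not (user and user.is_authenticated):
            return False
        if hasattr(obj, 'tenant'):
            return obj.tenant == user.tenant
        # Objects without a tenant are not isolated — see class docstring.
        return True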
class IsAdmin(permissions.BasePermission):
    """
    Allows access only to super_admin and institution_admin roles.

    The user must be authenticated and its ``role`` must be one of
    ``ADMIN_ROLES``. Anonymous users are rejected before ``role`` is read,
    since they have no such attribute.
    """

    ADMIN_ROLES = ('super_admin', 'institution_admin')

    def has_permission(self, request, view):
        user = request.user
        if not user or not user.is_authenticated:
            return False
        return user.role in self.ADMIN_ROLES
class IsProjectOwner(permissions.BasePermission):
    """
    Allows object level access only to the user who created it.

    Only the object-level check is implemented; ``has_permission`` is
    inherited from ``BasePermission``. An object without a ``created_by``
    attribute is denied (fail-closed).
    """

    def has_object_permission(self, request, view, obj):
        missing = object()
        creator = getattr(obj, 'created_by', missing)
        if creator is missing:
            return False
        return creator == request.user
class IsTeacher(permissions.BasePermission):
    """
    Allows access only to teacher, institution_admin, or super_admin roles.

    The user must be authenticated and its ``role`` must be one of
    ``TEACHING_ROLES``. Anonymous users are rejected before ``role`` is
    read, since they have no such attribute.
    """

    TEACHING_ROLES = ('teacher', 'institution_admin', 'super_admin')

    def has_permission(self, request, view):
        user = request.user
        if not user or not user.is_authenticated:
            return False
        return user.role in self.TEACHING_ROLES
class IsStudentReadOnly(permissions.BasePermission):
    """
    Students get read-only access (GET, HEAD, OPTIONS).

    Other roles are allowed (and restricted by other classes).
    Anonymous users are denied outright.
    """

    def has_permission(self, request, view):
        user = request.user
        if not (user and user.is_authenticated):
            return False
        # Non-student roles pass here; their restrictions live elsewhere.
        if user.role != 'student':
            return True
        return request.method in permissions.SAFE_METHODS