From 862bf63d6e13e8dd6630eb5cdb1b17e56310b799 Mon Sep 17 00:00:00 2001
From: Josh Washburne
Date: Wed, 28 Mar 2018 16:56:53 -0400
Subject: [PATCH] Add custom permissions and apply them to radio API views.

---
 savepointradio/api/permissions.py | 44 +++++++++++++++++++++++++++++++
 savepointradio/api/views/radio.py | 5 ++++
 2 files changed, 49 insertions(+)
 create mode 100644 savepointradio/api/permissions.py

diff --git a/savepointradio/api/permissions.py b/savepointradio/api/permissions.py
new file mode 100644
index 0000000..f140be9
--- /dev/null
+++ b/savepointradio/api/permissions.py
@@ -0,0 +1,44 @@
+from rest_framework import permissions
+
+
+class IsAdminOrOwner(permissions.BasePermission):
+    message = 'Only an admin user or owner can access this.'
+
+    def has_object_permission(self, request, view, obj):
+        if request.user.is_authenticated():
+            return request.user.is_staff or request.user == obj.user
+        else:
+            return False
+
+
+class IsAdminOrReadOnly(permissions.BasePermission):
+    message = 'Only an admin user can make changes.'
+
+    def has_permission(self, request, view):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+        else:
+            return request.user.is_authenticated and request.user.is_staff
+
+
+class IsAdminOwnerOrReadOnly(permissions.BasePermission):
+    message = 'Only an admin user or the owner can change this object.'
+
+    def has_object_permission(self, request, view, obj):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+        else:
+            if request.user.is_authenticated:
+                return request.user.is_staff or request.user == obj.user
+            else:
+                return False
+
+
+class IsDJ(permissions.BasePermission):
+    message = 'Only the DJ can request the next song.'
+
+    def has_permission(self, request, view):
+        if request.user.is_authenticated:
+            return request.user.is_dj
+        else:
+            return False
diff --git a/savepointradio/api/views/radio.py b/savepointradio/api/views/radio.py
index 6fdf691..7b043d6 100644
--- a/savepointradio/api/views/radio.py
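Review bot: `IsAdminOrOwner.has_object_permission` calls `request.user.is_authenticated()` with parentheses while the other three classes in this hunk read it as an attribute; on Django 2.0+ `is_authenticated` is a plain bool property, so the call form raises TypeError on every authenticated request, and the line should read `if request.user.is_authenticated:`. Separately, `IsAdminOrOwner` and `IsAdminOwnerOrReadOnly` define only `has_object_permission`, and as far as I recall DRF evaluates object permissions only from `get_object()`, so list and create requests on a view guarded by these classes alone fall through to `BasePermission.has_permission`, which returns True; adding `def has_permission(self, request, view): return request.user.is_authenticated` to `IsAdminOrOwner` (and a SAFE_METHODS-or-authenticated variant to `IsAdminOwnerOrReadOnly`) closes that gap. The `obj.user` and `request.user.is_dj` attributes are assumed rather than visible here, so a one-line class docstring such as `"""Grants access to staff or to the user referenced by obj.user."""` would make the contract explicit for the views that adopt these classes.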
+++ b/savepointradio/api/views/radio.py
@@ -1,25 +1,30 @@
 from rest_framework import viewsets
 
 from radio.models import Album, Artist, Game, Song
+from ..permissions import IsAdminOrReadOnly
 from ..serializers.radio import (AlbumSerializer, ArtistSerializer,
                                  GameSerializer, SongSerializer)
 
 
 class AlbumViewSet(viewsets.ModelViewSet):
+    permission_classes = [IsAdminOrReadOnly]
     queryset = Album.objects.all()
     serializer_class = AlbumSerializer
 
 
 class ArtistViewSet(viewsets.ModelViewSet):
+    permission_classes = [IsAdminOrReadOnly]
     queryset = Artist.objects.all()
     serializer_class = ArtistSerializer
 
 
 class GameViewSet(viewsets.ModelViewSet):
+    permission_classes = [IsAdminOrReadOnly]
     queryset = Game.objects.all()
     serializer_class = GameSerializer
 
 
 class SongViewSet(viewsets.ModelViewSet):
+    permission_classes = [IsAdminOrReadOnly]
     queryset = Song.objects.all()
     serializer_class = SongSerializer