diff --git a/core/apps/accounts/permissions.py b/core/apps/accounts/permissions.py
new file mode 100644
index 0000000..cc451fe
--- /dev/null
+++ b/core/apps/accounts/permissions.py
@@ -0,0 +1,15 @@
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.permissions import BasePermission
+
+from core.apps.accounts.choices import RoleChoice
+
+
+class IsAdminRole(BasePermission):
+ def has_permission(self, request, view):
+ if not request.user.is_authenticated:
+ return False
+
+ if request.user.role != RoleChoice.ADMIN:
+ raise PermissionDenied("Only admin can access this")
+
+ return True
diff --git a/core/apps/accounts/urls.py b/core/apps/accounts/urls.py
index d3637f2..44df55f 100644
--- a/core/apps/accounts/urls.py
+++ b/core/apps/accounts/urls.py
@@ -27,7 +27,7 @@ urlpatterns = [
 path("", include(router.urls)),
 path("auth/token/", jwt_views.TokenObtainPairView.as_view(), name="token_obtain_pair"),
 path("auth/token/verify/", jwt_views.TokenVerifyView.as_view(), name="token_verify"),
- path("auth/token/refresh/",jwt_views.TokenRefreshView.as_view()),
+ path("auth/token/refresh/", jwt_views.TokenRefreshView.as_view()),
 path("user/list/", UserListApiView.as_view(), name="user-list"),
 path("admin-user/list/", AdminUserListApiView.as_view(), name="admin-user-list"),
 path("admin/create/", AdminCreateAPIView.as_view(), name="user-create"),
diff --git a/core/apps/accounts/views/user.py b/core/apps/accounts/views/user.py
index aff8801..569febc 100644
--- a/core/apps/accounts/views/user.py
+++ b/core/apps/accounts/views/user.py
@@ -106,6 +106,7 @@ class UserDetailAPIView(generics.RetrieveAPIView):
 class AdminPermissionsAPIView(generics.GenericAPIView):
 permission_classes = [IsAuthenticated]
+ queryset = User.objects.all()
 def get(self, request):
 if request.user.role.name != RoleChoice.ADMIN:
diff --git a/core/apps/evaluation/serializers/auto/AutoEvaluation.py b/core/apps/evaluation/serializers/auto/AutoEvaluation.py
index ae28e21..16e91cf 100644
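Review bot: `request.user.role != RoleChoice.ADMIN` in has_permission compares `role` directly, while the existing check in views/user.py's AdminPermissionsAPIView compares `request.user.role.name`; if `role` is a related object rather than a choice value, the inequality here is always true and every request, admins included, is rejected. Confirm which shape `User.role` actually has and use the same expression in both places, and consider moving AdminPermissionsAPIView onto this class so the rule lives in one spot. The `is_authenticated` guard is redundant wherever the class is listed after `IsAuthenticated`, as in views/auto.py and views/quick.py, but it is a cheap safety net if the class is ever used alone, so say so: `# Kept so the class is safe to use without IsAuthenticated in front of it`. The class also deserves a docstring, e.g. `"""Allow access only to authenticated users whose role is RoleChoice.ADMIN; other roles get a 403 with an explicit message."""`.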
--- a/core/apps/evaluation/serializers/auto/AutoEvaluation.py
+++ b/core/apps/evaluation/serializers/auto/AutoEvaluation.py
@@ -321,6 +321,7 @@ class AutoEvaluationAppraisersSerializer(serializers.Serializer):
 data['users'] = users
 return data
+
 class AutoEvaluationSerializer(serializers.Serializer):
 brand = serializers.CharField()
 brand_model = serializers.CharField()
@@ -331,7 +332,58 @@ class AutoEvaluationSerializer(serializers.Serializer):
 fuel_type = serializers.CharField()
 mileage = serializers.CharField()
+
 class AutoEvaluationModelSerializer(serializers.ModelSerializer):
+ user = serializers.StringRelatedField(read_only=True)
+ appraisers = serializers.PrimaryKeyRelatedField(
+ many=True,
+ queryset=User.objects.all(),
+ required=False
+ )
+
 class Meta:
 model = AutoEvaluationModel
- fields = "__all__"
\ No newline at end of file
+ fields = ("tex_passport_file",
+
+ "registration_number",
+ "contract_date",
+ "object_inspection_date",
+ "rate_date",
+ "rate_report_date",
+ "object_type",
+
+ "object_owner_type",
+ "object_owner_individual_person_f_name",
+ "object_owner_individual_person_l_name",
+ "object_owner_individual_person_p_name",
+ "object_owner_individual_person_passport_num",
+ "object_owner_legal_entity",
+ "object_owner_legal_inn",
+ "value_determined",
+ "rate_type",
+
+ "tex_passport_serie_num",
+ "tex_passport_gived_date",
+ "tex_passport_gived_location",
+ "car_type",
+ "car_wheel",
+ "car_brand",
+ "car_model",
+ "car_number",
+ "manufacture_year",
+ "car_dvigatel_number",
+ "car_color",
+
+ "rating_goal",
+ "status",
+ "is_archived",
+
+ "created_at",
+ "updated_at",
+ )
+
+ read_only_fields = (
+ "id",
+ "created_at",
+ "updated_at",
+ )
diff --git a/core/apps/evaluation/serializers/quick/QuickEvaluation.py b/core/apps/evaluation/serializers/quick/QuickEvaluation.py
index 7b6586d..4823531 100644
--- a/core/apps/evaluation/serializers/quick/QuickEvaluation.py
+++ b/core/apps/evaluation/serializers/quick/QuickEvaluation.py
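Review bot: `user` and `appraisers` are declared on AutoEvaluationModelSerializer but neither name appears in the new `Meta.fields` tuple; DRF's ModelSerializer asserts that every field declared on the class is listed in `fields` once `fields` is no longer `"__all__"`, so the first use of this serializer raises AssertionError. Add `"user"` and `"appraisers"` to the tuple, or drop the declarations if they are not wanted in the output. `read_only_fields` lists `"id"` while `"id"` is absent from `fields`, unlike QuickEvaluationModelSerializer in the next file which includes it, so responses would carry no primary key; add `"id"` to `fields` if that is unintended. `appraisers` is writable with `queryset=User.objects.all()`, meaning any caller who can write through this serializer may attach any user as an appraiser, which is fine only if the view restricts who may write, so a comment such as `# appraisers is client-settable; the view must decide who may assign them` would help the next reader. The `User` name used here is presumably imported earlier in the module, which the hunk does not show.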
@@ -131,4 +131,39 @@ class CreateQuickevaluationSerializer(serializers.ModelSerializer):
 class QuickEvaluationModelSerializer(serializers.ModelSerializer):
 class Meta:
 model = QuickEvaluationModel
- fields = '__all__'
\ No newline at end of file
+ fields = (
+ "id",
+
+ "created_by",
+ "brand",
+ "marka",
+ "car_position",
+ "body_type",
+ "color",
+ "fuel_type",
+ "state_car",
+
+ "tex_passport_serie_num",
+ "tech_passport_issued_date",
+ "tech_passport_issued_place",
+
+ "car_type",
+ "distance_covered",
+ "vin_number",
+ "car_number",
+ "car_manufactured_date",
+ "engine_number",
+
+ "estimated_price",
+ "status",
+ "is_archive",
+
+ "created_at",
+ "updated_at",
+ )
+
+ read_only_fields = (
+ "id",
+ "created_at",
+ "updated_at",
+ )
\ No newline at end of file
diff --git a/core/apps/evaluation/views/auto.py b/core/apps/evaluation/views/auto.py
index b2ed9fc..66fb894 100644
--- a/core/apps/evaluation/views/auto.py
+++ b/core/apps/evaluation/views/auto.py
@@ -11,7 +11,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework.viewsets import ModelViewSet
-from core.apps.accounts.choices import RoleChoice
+from core.apps.accounts.permissions import IsAdminRole
 from core.apps.accounts.serializers.user import UserSerializer
 from core.apps.evaluation.filters.auto import AutoevaluationFilter
 from core.apps.evaluation.models import AutoEvaluationModel
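Review bot: `"created_by"` is listed in `fields` but not in `read_only_fields`, so on create or update a client can supply any user id as `created_by` unless the view overwrites it server-side (for example in `perform_create`); since the admin listing in views/quick.py filters on `created_by=self.request.user`, a client-chosen owner would let records be attributed to, or hidden from, other users. Unless the view is known to set it, move it next to `"id"` in `read_only_fields`. Switching from `'__all__'` to an explicit tuple is the right direction, so a one-line comment above `fields` naming the fields deliberately left out would keep the list from silently drifting. The file is still written without a trailing newline (`\ No newline at end of file`), which is only a style nit.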
@@ -177,13 +177,14 @@ class AutoEvaluationArchiveAPIView(APIView):
 status=200
 )
+
 @extend_schema(tags=["AutoEvaluation"])
 class AdminEvaluationsAPIView(generics.GenericAPIView):
- permission_classes = [IsAuthenticated]
+ permission_classes = [IsAuthenticated, IsAdminRole]
+ queryset = AutoEvaluationModel.objects.all()
+ serializer_class = AutoEvaluationModel
 def get(self, request):
- if request.user.role != RoleChoice.ADMIN:
- return Response({'detail': 'Forbidden'}, status=403)
 auto_eval = AutoEvaluationModel.objects.filter(
 created_by=self.request.user
 ).select_related('appraisers').distinct()
diff --git a/core/apps/evaluation/views/quick.py b/core/apps/evaluation/views/quick.py
index 1cc2110..a78acfa 100644
--- a/core/apps/evaluation/views/quick.py
+++ b/core/apps/evaluation/views/quick.py
@@ -16,7 +16,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework.viewsets import ModelViewSet
-from core.apps.accounts.choices import RoleChoice
+from core.apps.accounts.permissions import IsAdminRole
 # core apps
 from core.apps.evaluation.filters.quick import QuickevaluationFilter
 from core.apps.evaluation.models import QuickEvaluationModel
@@ -88,11 +88,11 @@ class QuickEvaluationArchivedListAPIView(ListAPIView):
 @extend_schema(tags=["QuickEvaluation"])
 class AdminQuickEvalAPIView(generics.GenericAPIView):
- permission_classes = [IsAuthenticated]
+ permission_classes = [IsAuthenticated, IsAdminRole]
+ queryset = QuickEvaluationModel.objects.all()
+ serializer_class = QuickEvaluationModelSerializer
 def get(self, request):
- if request.user.role != RoleChoice.ADMIN:
- return Response({'detail': 'Forbidden'}, status=403)
 quick_eval = QuickEvaluationModel.objects.filter(
 created_by=self.request.user
 ).select_related('created_by').distinct()
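Review bot: `serializer_class = AutoEvaluationModel` on AdminEvaluationsAPIView assigns the model class where a serializer is expected; the parallel change in views/quick.py uses `QuickEvaluationModelSerializer`, so this line should read `serializer_class = AutoEvaluationModelSerializer` (with the matching import if the module lacks it). Anything that calls `get_serializer()`, such as drf-spectacular following the `@extend_schema` decorator, would try to construct the model with serializer keyword arguments and fail. The class-level `queryset = AutoEvaluationModel.objects.all()` is unfiltered while `get` restricts rows to `created_by=self.request.user`; the same holds for AdminQuickEvalAPIView in views/quick.py and AdminPermissionsAPIView in views/user.py, so any path that goes through `get_queryset()` (schema generation, filter backends, `get_object`) sees every row, which may be intended for schema only but deserves a comment like `# Unfiltered; get() applies the per-user filter itself`. Replacing the inline check also changes the 403 body from `{'detail': 'Forbidden'}` to the PermissionDenied message in both views, which clients matching on the old text will notice. The `get` body continues past the hunk.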