From 9048a416dfdd6ff926c074fe134c4bc7bae1dd3d Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Thu, 23 Dec 2021 23:25:18 +0100
Subject: [PATCH] In the /api/me page, display note, profile and memberships only if we have associated permissions
Signed-off-by: Yohann D'ANELLO
---
apps/api/serializers.py | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/apps/api/serializers.py b/apps/api/serializers.py
index f91132d5..d6403dd1 100644
--- a/apps/api/serializers.py
+++ b/apps/api/serializers.py
@@ -7,8 +7,11 @@ from django.contrib.auth.models import User
 from django.utils import timezone
 from rest_framework import serializers
 from member.api.serializers import ProfileSerializer, MembershipSerializer
+from member.models import Membership
 from note.api.serializers import NoteSerializer
 from note.models import Alias
+from note_kfet.middlewares import get_current_request
+from permission.backends import PermissionBackend
 class UserSerializer(serializers.ModelSerializer):
@@ -45,18 +48,30 @@ class OAuthSerializer(serializers.ModelSerializer):
 """
 normalized_name = serializers.SerializerMethodField()
- profile = ProfileSerializer()
+ profile = serializers.SerializerMethodField()
- note = NoteSerializer()
+ note = serializers.SerializerMethodField()
 memberships = serializers.SerializerMethodField()
 def get_normalized_name(self, obj):
 return Alias.normalize(obj.username)
+ def get_profile(self, obj):
+ # Display the profile of the user only if we have rights to see it.
+ return ProfileSerializer().to_representation(obj.profile) \
+ if PermissionBackend.has_perm(get_current_request(), obj.profile, 'view') else None
+
+ def get_note(self, obj):
+ # Display the note of the user only if we have rights to see it.
+ return NoteSerializer().to_representation(obj.note) \
+ if PermissionBackend.has_perm(get_current_request(), obj.note, 'view') else None
+
 def get_memberships(self, obj):
+ # Display only memberships that we are allowed to see.
 return serializers.ListSerializer(child=MembershipSerializer()).to_representation(
- obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now()))
+ obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now())
+ .filter(PermissionBackend.filter_queryset(get_current_request(), Membership, 'view')))
 class Meta:
 model = User
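Review bot: `get_profile` and `get_note` dereference `obj.profile` / `obj.note` before the permission check runs, so a User with no related Profile or Note now raises `RelatedObjectDoesNotExist` where the previous nested `ProfileSerializer()` / `NoteSerializer()` fields resolved to `None` (DRF's attribute lookup swallows `ObjectDoesNotExist`), assuming such users can exist in this schema. A guard such as `profile = getattr(obj, 'profile', None)` followed by `if profile is None or not PermissionBackend.has_perm(get_current_request(), profile, 'view'): return None` keeps the old behaviour, and the same applies to `get_note`. The checks also take the request from the thread-local `get_current_request()` rather than `self.context.get('request')`, which DRF fills in when a view builds the serializer; outside a request cycle the thread-local may be unset, and what `has_perm` and `filter_queryset` do with a `None` request is not visible here. A short comment on the class stating that a `None` `profile` or `note` in the response now means either "absent" or "not permitted" would help API consumers who previously relied on the distinction. `OAuthSerializer` starts before this hunk and its `Meta` continues past it.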