Merge pull request #194 from ISPP-G5/hotfix/188-fix-put-and-patch-don…

…ation hotfix/188 fix put and patch donation
ISPP-G5 · Apr 27, 2024 · 414424a · 414424a
2 parents 0d9cc75 + eb2f0c3
commit 414424a
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 13 deletions.
diff --git a/nexong/api/Donation/views.py b/nexong/api/Donation/views.py
@@ -24,7 +24,19 @@ class DonationApiViewSet(ModelViewSet):
     queryset = Donation.objects.all()
     http_method_names = ["get", "post", "put", "delete", "patch"]
     serializer_class = DonationSerializer
-    permission_classes = [isPartnerPostAndGet | isAdminGetAndDelete]
+    permission_classes = [isPartner | isAdminGetAndDelete]
+
+    def update(self, request, pk, *args, **kwargs):
+        instance = self.get_object()
+        old_donation = Donation.objects.get(pk=pk)
+        if request.method in ("PATCH") and "iban" in request.data:
+            return Response(status=status.HTTP_401_UNAUTHORIZED)
+        serializer = self.get_serializer(instance, data=request.data, partial=True)
+        if request.method in ("PUT") and request.data["iban"] != old_donation.iban:
+            return Response(status=status.HTTP_401_UNAUTHORIZED)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        return Response(serializer.data)
 
     def destroy(self, request, *args, **kwargs):
         instance = self.get_object()

diff --git a/nexong/api/Lesson/lessonSerializer.py b/nexong/api/Lesson/lessonSerializer.py
@@ -28,11 +28,21 @@ class Meta:
 
     def validate(self, attrs):
         validation_error = {}
-
         max_attendees = attrs.get("capacity")
+        attendees = attrs.get("students")
+        m_lesson = attrs.get("is_morning_lesson")
+        lesson = None
+        if self.context["request"].method == "PATCH":
+            lesson = self.context.get("lesson")
+            if max_attendees is None:
+                max_attendees = lesson.capacity
+            if attendees is None:
+                attendees = list(lesson.students.all())
+            if m_lesson is None:
+                m_lesson = lesson.is_morning_lesson
+
         if max_attendees < 1:
             validation_error["capacity"] = "capacity must be higher than 0."
-        attendees = attrs.get("students")
         if attendees:
             num_attendees = len(attendees)
         else:
@@ -42,11 +52,19 @@ def validate(self, attrs):
                 "capacity"
             ] = "capacity must be higher or equal to the number of attendees selected."
 
-        validation_error.update(date_validations(attrs))
+        if lesson is None:
+            validation_error.update(date_validations(attrs))
+        else:
+            start_date = lesson.start_date
+            end_date = lesson.end_date
+            if end_date <= start_date:
+                validation_error[
+                    "end_date"
+                ] = "The end date must be after the start date."
 
-        if attendees is not None:
+        if attendees:
             for student in attendees:
-                if student.is_morning_student != attrs.get("is_morning_lesson"):
+                if student.is_morning_student != m_lesson:
                     validation_error[
                         "students"
                     ] = "There is a student with incorrect schedule (is a morning student or not)."

diff --git a/nexong/api/Lesson/views.py b/nexong/api/Lesson/views.py
@@ -8,7 +8,7 @@
 
 class LessonApiViewSet(ModelViewSet):
     queryset = Lesson.objects.all()
-    http_method_names = ["get", "post", "put", "delete"]
+    http_method_names = ["get", "post", "put", "delete", "patch"]
     serializer_class = LessonSerializer
     permission_classes = [
         isEducatorGet | isFamilyGet | isVolunteerGet | isEducationCenterGet | isAdmin
@@ -19,12 +19,25 @@ def destroy(self, request, *args, **kwargs):
         self.perform_destroy(instance)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+    def partial_update(self, request, pk, *args, **kwargs):
+        instance = self.get_object()
+        lesson = Lesson.objects.get(pk=pk)
+        serializer = self.get_serializer(
+            instance,
+            data=request.data,
+            context={"lesson": lesson, "request": request},
+            partial=True,
+        )
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        return Response(serializer.data)
+
 
 class LessonAttendanceApiViewSet(ModelViewSet):
     queryset = LessonAttendance.objects.all()
     http_method_names = ["get", "post", "put", "delete"]
     serializer_class = LessonAttendanceSerializer
-    permission_classes = [isEducatorGet | isVolunteerPostPutAndGet | isAdmin]
+    permission_classes = [isEducatorGet | isVolunteer | isAdmin]
 
     def destroy(self, request, *args, **kwargs):
         instance = self.get_object()

diff --git a/nexong/api/helpers/serializerValidators.py b/nexong/api/helpers/serializerValidators.py
@@ -4,12 +4,14 @@
 def date_validations(attrs):
     validations = {}
     now = date.today()
+    end_date = attrs.get("end_date")
     start_date = attrs.get("start_date")
+
     if isinstance(start_date, datetime):
         now = datetime.now(timezone.utc)
+
     if start_date <= now:
         validations["start_date"] = "The start date must be in the future."
-    end_date = attrs.get("end_date")
     if end_date <= now:
         validations["end_date"] = "The end date must be in the future."
     if end_date <= start_date:

diff --git a/nexong/api/permissions.py b/nexong/api/permissions.py
@@ -196,13 +196,32 @@ def has_permission(self, request, view):
 class isVolunteer(BasePermission):
     def has_permission(self, request, view):
         if request.user.is_authenticated:
-            return (
-                request.user.role == "VOLUNTARIO"
-                or request.user.role == "VOLUNTARIO_SOCIO"
-            )
+            if view.__class__.__name__ == "VolunteerApiViewSet":
+                return (
+                    request.user.role == "VOLUNTARIO"
+                    or request.user.role == "VOLUNTARIO_SOCIO"
+                )
+            else:
+                return (
+                    request.user.role == "VOLUNTARIO"
+                    or request.user.role == "VOLUNTARIO_SOCIO"
+                ) and request.user.volunteer.status == "ACEPTADO"
         else:
             return False
 
+    def has_object_permission(self, request, view, obj):
+        if request.user.is_authenticated:
+            if isinstance(obj, Volunteer):
+                return (
+                    request.user.role == "VOLUNTARIO"
+                    or request.user.role == "VOLUNTARIO_SOCIO"
+                ) and obj == request.user.volunteer
+            else:
+                return (
+                    request.user.role == "VOLUNTARIO"
+                    or request.user.role == "VOLUNTARIO_SOCIO"
+                ) and request.user.volunteer.status == "ACEPTADO"
+
 
 class isVolunteerPutAndGet(BasePermission):
     def has_permission(self, request, view):