Mirrored_Repos/InvenTree
1
0
Fork 0
mirror of https://github.com/inventree/InvenTree synced 2024-08-30 18:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Only allow PartStar creation for the currently authenticated user

Browse Source
This commit is contained in:
Oliver Walters 2019-05-05 09:14:12 +10:00
parent 70f1097ea0
commit d245e58990
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
InvenTree/part/api.py
View File

@ -6,8 +6,10 @@ Provides a JSON API for the Part app
from __future__ import unicode_literals from __future__ import unicode_literals
from django_filters.rest_framework import DjangoFilterBackend from django_filters.rest_framework import DjangoFilterBackend
from rest_framework import filters from rest_framework import filters
from rest_framework import generics, permissions from rest_framework import generics, permissions
from rest_framework.serializers import ValidationError
from django.db.models import Q from django.db.models import Q
from django.conf.urls import url, include from django.conf.urls import url, include
@ -161,6 +163,16 @@ class PartStarList(generics.ListCreateAPIView):
queryset = PartStar.objects.all() queryset = PartStar.objects.all()
serializer_class = PartStarSerializer serializer_class = PartStarSerializer
def create(self, request, *args, **kwargs):
# Ensure the 'user' field is the authenticated user
user_id = request.data['user']
if not str(user_id) == str(request.user.id):
raise ValidationError({'user': 'Parts can only be starred for the currently authenticated user'})
return super(generics.ListCreateAPIView, self).create(request, *args, **kwargs)
permission_classes = [ permission_classes = [
permissions.IsAuthenticatedOrReadOnly, permissions.IsAuthenticatedOrReadOnly,
] ]