Revised checks for edge cases with cleaner handling of query parms and data

This commit is contained in:
Viswamedha Nalabotu 2026-03-08 12:58:12 +00:00
parent 3dd147e1af
commit 030ce12b41


@ -1,12 +1,11 @@
from django.db.models import Q from django.db.models import Q
from rest_framework import status
from django_filters.rest_framework import DjangoFilterBackend
from rest_framework.parsers import FormParser, MultiPartParser from rest_framework.parsers import FormParser, MultiPartParser
from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError
from rest_framework.permissions import IsAuthenticated from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
from apps.accounts.models import Role from apps.accounts.models import Role
from apps.accounts.permissions import can_manage_organization
from apps.knowledge.models import RoleRagDocument, TrainingFile from apps.knowledge.models import RoleRagDocument, TrainingFile
from apps.knowledge.serializers import RoleRagDocumentSerializer, TrainingFileSerializer from apps.knowledge.serializers import RoleRagDocumentSerializer, TrainingFileSerializer
@ -18,38 +17,50 @@ class TrainingFileViewSet(ModelViewSet):
parser_classes = [MultiPartParser, FormParser] parser_classes = [MultiPartParser, FormParser]
lookup_field = 'uuid' lookup_field = 'uuid'
filterset_fields = {
'role__organization__uuid': ['exact'],
'role__uuid': ['exact'],
}
def get_queryset(self): def get_queryset(self):
user = self.request.user user = self.request.user
return TrainingFile.objects.filter( queryset = TrainingFile.objects.filter(
Q(role__organization__owner=user) | Q(role__organization__owner=user) |
Q(role__organization__members=user) Q(role__organization__members=user)
).distinct() ).distinct()
organization_uuid = self.request.query_params.get('organization_uuid')
if organization_uuid in (None, ''):
organization_uuid = self.request.data.get('organization_uuid')
if organization_uuid:
queryset = queryset.filter(role__organization__uuid=organization_uuid)
role_uuid = self.request.query_params.get('role_uuid')
if role_uuid in (None, ''):
role_uuid = self.request.data.get('role_uuid')
if role_uuid:
queryset = queryset.filter(role__uuid=role_uuid)
return queryset
def perform_create(self, serializer): def perform_create(self, serializer):
role_uuid = self.request.data.get('role') role_uuid = self.request.data.get('role_uuid')
if not role_uuid:
raise ValidationError({'role_uuid': 'role_uuid is required.'})
try: try:
role = Role.objects.get(uuid=role_uuid) role = Role.objects.get(uuid=role_uuid)
except Role.DoesNotExist: except Role.DoesNotExist:
return Response({'error': 'Role not found'}, status=status.HTTP_404_NOT_FOUND) raise NotFound('Role not found')
is_owner = role.organization.owner == self.request.user if not can_manage_organization(self.request.user, role.organization):
is_member = role.organization.members.filter(uuid=self.request.user.uuid).exists() raise PermissionDenied('Permission denied')
if not (is_owner or is_member): uploaded_file = self.request.FILES.get('file')
return Response({'error': 'Permission denied'}, status=status.HTTP_403_FORBIDDEN) if uploaded_file is None:
raise ValidationError({'file': 'File is required.'})
serializer.save( serializer.save(
uploaded_by=self.request.user, uploaded_by=self.request.user,
role=role, role=role,
file_name=self.request.FILES['file'].name, file_name=uploaded_file.name,
file_size=self.request.FILES['file'].size, file_size=uploaded_file.size,
file_type=self.request.FILES['file'].content_type file_type=uploaded_file.content_type,
) )
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):
@ -57,9 +68,10 @@ class TrainingFileViewSet(ModelViewSet):
is_uploader = instance.uploaded_by == request.user is_uploader = instance.uploaded_by == request.user
is_org_owner = instance.role.organization.owner == request.user is_org_owner = instance.role.organization.owner == request.user
is_org_manager = bool(request.user.is_manager) and instance.role.organization.members.filter(id=request.user.id).exists()
if not (is_uploader or is_org_owner or request.user.is_manager): if not (is_uploader or is_org_owner or is_org_manager):
return Response({'error': 'Permission denied'}, status=status.HTTP_403_FORBIDDEN) raise PermissionDenied('Permission denied')
return super().destroy(request, *args, **kwargs) return super().destroy(request, *args, **kwargs)
@ -70,14 +82,23 @@ class RoleRagDocumentViewSet(ReadOnlyModelViewSet):
permission_classes = [IsAuthenticated] permission_classes = [IsAuthenticated]
lookup_field = 'uuid' lookup_field = 'uuid'
filterset_fields = {
'role__organization__uuid': ['exact'],
'role__uuid': ['exact'],
}
def get_queryset(self): def get_queryset(self):
user = self.request.user user = self.request.user
return RoleRagDocument.objects.filter( queryset = RoleRagDocument.objects.filter(
Q(role__organization__owner=user) | Q(role__organization__owner=user) |
Q(role__organization__members=user) Q(role__organization__members=user)
).distinct() ).distinct()
organization_uuid = self.request.query_params.get('organization_uuid')
if organization_uuid in (None, ''):
organization_uuid = self.request.data.get('organization_uuid')
if organization_uuid:
queryset = queryset.filter(role__organization__uuid=organization_uuid)
role_uuid = self.request.query_params.get('role_uuid')
if role_uuid in (None, ''):
role_uuid = self.request.data.get('role_uuid')
if role_uuid:
queryset = queryset.filter(role__uuid=role_uuid)
return queryset
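Review bot: The new filtering in `get_queryset` (from `organization_uuid = self.request.query_params.get(...)` down to `queryset.filter(role__uuid=role_uuid)`) passes the raw request string straight into a UUIDField lookup, so a malformed value such as `?role_uuid=abc` makes Django raise `django.core.exceptions.ValidationError`, which DRF's exception handler does not translate — the client gets a 500 instead of a 400; the identical block in TrainingFileViewSet.get_queryset and `Role.objects.get(uuid=role_uuid)` in perform_create (where only `Role.DoesNotExist` is caught) have the same gap. Because the fallback also reads `self.request.data`, a PUT/PATCH body that happens to carry `role_uuid` or `organization_uuid` would narrow the queryset that `get_object()` uses for the detail lookup and could turn a valid update into a 404, so if the body fallback is only meant for create it should be limited to that action or dropped. A small module-level helper that resolves the parameter and validates it with `uuid.UUID` (needs `import uuid` at the top) closes the hole once and removes the copy-pasted block from both viewsets. The RoleRagDocumentViewSet class header is outside this hunk, and the new `filterset_fields` only takes effect if the imported DjangoFilterBackend is among the active filter backends, which the hunk does not show.
```python
def _uuid_param(request, name):
    """Return request parameter *name* as a uuid.UUID, or None when absent.

    Checks query_params first, then the parsed body (request.data), keeping the
    current lookup order. A value that is not a well-formed UUID raises a DRF
    ValidationError (400) instead of surfacing Django's invalid-UUID error as a 500.
    """
    value = request.query_params.get(name)
    if value in (None, ''):
        value = request.data.get(name)
    if not value:
        return None
    try:
        return uuid.UUID(str(value))
    except ValueError:
        raise ValidationError({name: f'{name} must be a valid UUID.'})


    def get_queryset(self):
        # … unchanged: base queryset scoped to organizations the user owns or belongs to …
        organization_uuid = _uuid_param(self.request, 'organization_uuid')
        if organization_uuid is not None:
            queryset = queryset.filter(role__organization__uuid=organization_uuid)
        role_uuid = _uuid_param(self.request, 'role_uuid')
        if role_uuid is not None:
            queryset = queryset.filter(role__uuid=role_uuid)
        return queryset
```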