from django.db import transaction from rest_framework import permissions from rest_framework import serializers, viewsets from django.db.models import Q from rest_framework import status, exceptions from rest_framework.filters import OrderingFilter from django_filters.rest_framework import DjangoFilterBackend from rest_framework.response import Response from app.models import Preset class PresetSerializer(serializers.ModelSerializer): class Meta: model = Preset exclude = ('owner', ) read_only_fields = ('owner', 'created_at', 'system', ) class PresetViewSet(viewsets.ModelViewSet): """ Preset get/add/delete/update Presets represent a set of options that a user can save/customize for use in processing a task. """ pagination_class = None serializer_class = PresetSerializer # We don't use object level permissions on presets permission_classes = (permissions.DjangoModelPermissions, ) filter_backends = (DjangoFilterBackend, OrderingFilter, ) def get_queryset(self): return Preset.objects.filter(Q(owner=self.request.user.id) | Q(system=True)) def create(self, request): with transaction.atomic(): preset = Preset.objects.create(owner=self.request.user) # Update other parameters serializer = PresetSerializer(preset, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.save() return Response(serializer.data, status=status.HTTP_201_CREATED) def destroy(self, request, pk=None): preset = Preset.objects.get(pk=pk) # Only owners can delete their own presets (except superusers) if preset.owner != request.user and not request.user.is_superuser: raise exceptions.NotFound() # Even superusers cannot delete global presets via the API (must use admin backend) if preset.system: raise exceptions.PermissionDenied() return super().destroy(request, pk)