Merge pull request #94 from silverlogic/BA-1337-permissions-endpoint

BA-1337: Add permission endpoint for checking current user permissions

Author: sundayguru

baseapp-auth/baseapp_auth/rest_framework/users/serializers.py

@@ -137,3 +137,7 @@ def update(self, instance, validated_data):
         instance.is_email_verified = True
         instance.save()
         return instance
+
+
+class UserPermissionSerializer(serializers.Serializer):
+    perm = serializers.CharField(required=True)

baseapp-auth/baseapp_auth/rest_framework/users/views.py

@@ -18,6 +18,7 @@
 from .serializers import (
     ChangePasswordSerializer,
     ConfirmEmailSerializer,
+    UserPermissionSerializer,
     UserSerializer,
 )
 
@@ -99,3 +100,15 @@ def delete_account(self, request):
         else:
             user.delete()
         return response.Response(data={}, status=status.HTTP_204_NO_CONTENT)
+
+    @action(detail=False, methods=["get", "post"], serializer_class=UserPermissionSerializer)
+    def permissions(self, request):
+        user = request.user
+        if request.method == "GET":
+            permissions = user.get_all_permissions()
+            return response.Response({"permissions": permissions})
+
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        return response.Response({"has_perm": user.has_perm(serializer.data["perm"])})

baseapp-auth/baseapp_auth/tests/integration/test_users.py

@@ -12,6 +12,7 @@
 from baseapp_referrals.utils import get_referral_code
 from django.conf import settings
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.utils import timezone
 
 User = get_user_model()
@@ -294,3 +295,29 @@ def test_confirm_email_invalid_token(self, client, data):
     def test_confirm_email_no_user(self, client, data):
         r = client.post(self.reverse(kwargs={"pk": self.user.pk + 1}), data)
         h.responseBadRequest(r)
+
+
+class TestUserPermission(ApiMixin):
+    view_name = "users-permissions"
+
+    def test_can_get_their_permission(self, user_client):
+        perm = Permission.objects.create(codename="test_perm", name="Test", content_type_id=1)
+        user_client.user.user_permissions.add(perm)
+        r = user_client.get(self.reverse())
+        h.responseOk(r)
+
+    def test_guest_cannot_get_permission(self, client):
+        r = client.get(self.reverse())
+        h.responseUnauthorized(r)
+
+    def test_user_can_check_their_permission(self, user_client):
+        perm = Permission.objects.create(codename="test_perm", name="Test", content_type_id=1)
+        user_client.user.user_permissions.add(perm)
+        r = user_client.post(self.reverse(), {"perm": "admin.test_perm"})
+        h.responseOk(r)
+        assert r.data["has_perm"]
+
+    def test_user_get_false_without_permission(self, user_client):
+        r = user_client.post(self.reverse(), {"perm": "admin.test_perm"})
+        h.responseOk(r)
+        assert not r.data["has_perm"]