sarlink-portal-api/api/permissions.py

from rest_framework import permissions


class IsStaffEditorPermission(permissions.DjangoModelPermissions):
    perms_map = {
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "OPTIONS": [],
        "HEAD": [],
        "POST": ["%(app_label)s.add_%(model_name)s"],
        "PUT": ["%(app_label)s.change_%(model_name)s"],
        "PATCH": ["%(app_label)s.change_%(model_name)s"],
        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
    }

    message = {
        "message": "You do not have permission to perform this action.",
    }

    def has_permission(self, request, view):
        # Ensure the user is authenticated
        if not request.user.is_authenticated:
            return False

        # Get the model name from the view
        model_name = view.queryset.model._meta.model_name
        app_label = view.queryset.model._meta.app_label

        # Check permissions based on the request method
        perms = self.perms_map.get(request.method, [])
        perms = [perm % {'app_label': app_label, 'model_name': model_name} for perm in perms]

        return request.user.has_perms(perms)