Merge pull request #357 from elixir-luxembourg/correct-who-can-delete…

…-the-document feat: auditors cannot upload/delete the document
elixir-luxembourg · Jul 7, 2022 · 5504e58 · 5504e58
2 parents 3b9f1c3 + bccb967
commit 5504e58
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/core/models/data_declaration.py b/core/models/data_declaration.py
@@ -114,7 +114,6 @@ class Meta:
         null=False, 
         help_text='How has the data been de-identified, is it pseudonymized or anonymized?')
 
-
     embargo_date = models.DateField(verbose_name='Embargo date',
         blank=True,
         null=True,

diff --git a/core/models/document.py b/core/models/document.py
@@ -72,6 +72,7 @@ def shortname(self):
     def size(self):
         return self.content.size
 
+
 @receiver(post_delete, sender=Document, dispatch_uid='document_delete')
 def document_cleanup(sender, instance, **kwargs):
     if hasattr(instance.content, 'path') and os.path.exists(instance.content.path):

diff --git a/web/views/documents.py b/web/views/documents.py
@@ -10,7 +10,7 @@
 from core.constants import Permissions
 from core.forms import DocumentForm
 from core.models import Document
-from core.permissions import permission_required
+from core.permissions import permission_required, permission_required_from_content_type
 from core.utils import DaisyLogger
 
 
@@ -26,6 +26,8 @@ def rfc5987_content_disposition(file_name):
     return header
 
 
+@permission_required_from_content_type(Permissions.PROTECTED, content_type_attr='content_type', object_id_attr='object_id')
+@permission_required_from_content_type(Permissions.EDIT, content_type_attr='content_type', object_id_attr='object_id')
 def upload_document(request, object_id, content_type):
     log.debug('uploading document', post=request.POST, files=request.FILES)
     if request.method == 'POST':
@@ -96,6 +98,7 @@ def download_document(request, pk):
 
 @require_http_methods(["DELETE"])
 @permission_required(Permissions.PROTECTED, (Document, 'pk', 'pk'))
+@permission_required(Permissions.EDIT, (Document, 'pk', 'pk'))
 def delete_document(request, pk):
     document = get_object_or_404(Document, pk=pk)
     # perm = PERMISSION_MAPPING[document.content_type.name].DELETE.value
@@ -104,7 +107,7 @@ def delete_document(request, pk):
     try:
         document.delete()
     except Exception as e:
-        return JsonResponse({'message': str(e)})
+        return JsonResponse({'message': str(e)}, status=403)
     return JsonResponse({'message': 'document deleted'})