Simplify permission handling in views and permissions logic.

Refactored `get_permissions` in `cinema/views.py` to streamline behavior and rely more on `super()`. Updated comments in `user/permissions.py` for clarity and removed redundant code, improving maintainability and readability.
mate-academy · Dec 26, 2024 · 10d7c47 · 10d7c47
1 parent f297195
commit 10d7c47
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 18 deletions.
diff --git a/cinema/views.py b/cinema/views.py
@@ -170,12 +170,9 @@ class OrderViewSet(
     permission_classes = [IsAdminOrIfAuthenticatedReadOnly]
 
     def get_permissions(self):
-        if self.action in (
-                "list",
-                "create"
-        ):
-            return (IsAdminOrIfAuthenticatedReadOnly(),)
-        return (IsAuthenticated(),)
+        if self.action == "create":
+            return [IsAuthenticated()]
+        return super().get_permissions()
 
     def get_queryset(self):
         return Order.objects.filter(user=self.request.user)

diff --git a/user/permissions.py b/user/permissions.py
@@ -1,24 +1,36 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 
+# class IsAdminOrIfAuthenticatedReadOnly(BasePermission):
+#     def has_permission(self, request, view):
+#         # If the user is an admin, we allow everything.
+#         if request.user and request.user.is_staff:
+#             return True
+#
+#         # If the request is "read" (GET/HEAD/OPTIONS),
+#         # then we allow authenticated
+#         if request.method in SAFE_METHODS:
+#             return bool(request.user and request.user.is_authenticated)
+#
+#         # Allow POST to regular authenticated users
+#         if (
+#                 request.method == "POST"
+#                 and request.user
+#                 and request.user.is_authenticated
+#         ):
+#             return True
+#
+#         # Everything else (POST, PUT, PATCH, DELETE) is prohibited
+#         return False
 class IsAdminOrIfAuthenticatedReadOnly(BasePermission):
     def has_permission(self, request, view):
-        # If the user is an admin, we allow everything.
+        # Разрешаем всё админам
         if request.user and request.user.is_staff:
             return True
 
-        # If the request is "read" (GET/HEAD/OPTIONS),
-        # then we allow authenticated
+        # Разрешаем GET/HEAD/OPTIONS аутентифицированным
         if request.method in SAFE_METHODS:
             return bool(request.user and request.user.is_authenticated)
 
-        # Allow POST to regular authenticated users
-        if (
-                request.method == "POST"
-                and request.user
-                and request.user.is_authenticated
-        ):
-            return True
-
-        # Everything else (POST, PUT, PATCH, DELETE) is prohibited
+        # Иначе (POST/PUT/PATCH/DELETE) — запрещаем
         return False