First commit of claude's rework in django + vanillajs fronted

2026-04-02 11:24:30 +02:00
parent 7710a876df
commit fde92f92db
163 changed files with 84852 additions and 15 deletions
--- a/apps/tools/permissions.py
+++ b/apps/tools/permissions.py
@@ -0,0 +1,27 @@
+from rest_framework.permissions import BasePermission, SAFE_METHODS
+
+
+class IsOwnerOrUnclaimed(BasePermission):
+    """
+    Permission for resources with an optional `user` FK.
+
+    - POST (create): open to anyone — viewset sets user=None for anonymous callers.
+    - GET list:      viewset filters to own records (or returns empty for anonymous).
+    - GET detail:    open to anyone with the ID.
+    - PATCH/PUT/DELETE:
+        * unclaimed (user=None) → anyone may mutate.
+        * claimed   (user set)  → owner only.
+
+    NOTE: The global DRF default is IsAuthenticated; this class must be
+    explicitly declared on every viewset in the tools app.
+    """
+
+    def has_permission(self, request, view):
+        return True  # object-level and queryset filtering handle the rest
+
+    def has_object_permission(self, request, view, obj):
+        if request.method in SAFE_METHODS:
+            return True
+        if obj.user is None:
+            return True
+        return request.user.is_authenticated and obj.user == request.user