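from rest_framework.permissions import BasePermission, SAFE_METHODS


class IsAdminOrReadOnly(BasePermission):
    """Allow reads to any authenticated user; restrict writes to staff.

    Anonymous (unauthenticated) requests are rejected outright, even for
    safe methods. Safe methods (those in DRF's ``SAFE_METHODS``) are allowed
    for any authenticated user; every other method -- create / update /
    delete -- requires ``request.user.is_staff``.

    NOTE(review): this class denies POST from non-staff users; it does NOT
    carve out a "regular user may submit a pending gear request" case. If a
    view needs to let non-staff users POST, that view must stop applying
    this permission to that action (e.g. by overriding ``get_permissions()``
    per action) -- a permission class that returns False here is expected
    to short-circuit the request before the view's handler runs. Confirm
    the views that rely on the POST exception actually do this.
    """

    def has_permission(self, request, view):
        """Return whether ``request`` may reach ``view`` at all.

        Args:
            request: The incoming DRF request; only ``request.user`` and
                ``request.method`` are consulted.
            view: The target view. Unused here; part of the DRF interface.

        Returns:
            bool: True for a safe method from any authenticated user, or any
            method from a staff user; False otherwise.
        """
        user = request.user
        # Fail closed: a missing or anonymous user gets nothing, reads included.
        if not user or not user.is_authenticated:
            return False
        # Read-only methods are open to every authenticated user.
        if request.method in SAFE_METHODS:
            return True
        # Anything that writes (POST included) is staff-only in this class.
        return user.is_staff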