from rest_framework.permissions import BasePermission, SAFE_METHODS
class IsAdminOrReadOnly(BasePermission):
    """
    Read access for any authenticated user.

    Write access (create / update / delete) restricted to staff only.

    Regular users may still POST (to submit a pending gear request) —
    that special case is handled at the view level, not here. On its own
    this class denies every non-safe method to a non-staff user, so a view
    that wants the POST exception must override or extend this check.

    Only view-level permission is defined here; object-level checks fall
    back to ``BasePermission.has_object_permission``.
    """

    def has_permission(self, request, view):
        """
        Return True when *request* may reach *view*.

        Anonymous (or missing) users are rejected outright. Authenticated
        users may use any method in ``SAFE_METHODS``; any other method
        requires ``user.is_staff``.
        """
        user = request.user
        # Reject unauthenticated callers before looking at the method.
        if not user or not user.is_authenticated:
            return False
        # Safe methods are open to any authenticated user; everything
        # else is gated on the staff flag.
        return request.method in SAFE_METHODS or user.is_staff