[FIX] HORILLA API: Removed the manager permission check on user level api

This commit is contained in:
Horilla
2024-10-19 16:06:50 +05:30
parent 9b162d90b9
commit 7ec08d1784
3 changed files with 40 additions and 4 deletions


@@ -233,7 +233,8 @@ class AttendanceView(APIView):
"error": [ "error": [
"Attendance for this employee on the current date already exists." "Attendance for this employee on the current date already exists."
] ]
} },
status=400,
) )
return Response(serializer.errors, status=400) return Response(serializer.errors, status=400)


@@ -539,9 +539,23 @@ class RotatingWorkTypeAssignView(APIView):
filterset_class = RotatingWorkTypeAssignFilter filterset_class = RotatingWorkTypeAssignFilter
permission_classes = [IsAuthenticated] permission_classes = [IsAuthenticated]
def _permission_check(self, request, obj=None, pk=None):
if pk:
employee = request.user.employee_get
manager = obj.employee_id.get_reporting_manager()
if (
employee == obj.employee_id
or manager == employee
or request.user.has_perm("base.view_rotatingworktypeassign")
):
return True
return False
@manager_permission_required("base.view_rotatingworktypeassign") @manager_permission_required("base.view_rotatingworktypeassign")
def get(self, request, pk=None): def get(self, request, pk=None):
if pk: if pk:
rotating_work_type_assign = object_check(RotatingWorkTypeAssign, pk) rotating_work_type_assign = object_check(RotatingWorkTypeAssign, pk)
if rotating_work_type_assign is None: if rotating_work_type_assign is None:
return Response( return Response(
@@ -1276,8 +1290,6 @@ class EmployeeTabPermissionCheck(APIView):
class CheckUserLevel(APIView): class CheckUserLevel(APIView):
def get(self, request): def get(self, request):
perm = request.GET.get("perm") perm = request.GET.get("perm")
instance = Employee.objects.filter(id=request.GET.get("employee_id")).first() if request.user.has_perm(perm):
if _is_reportingmanger(request, instance) or request.user.has_perm(perm):
return Response(status=200) return Response(status=200)
return Response({"error": "No permission"}, status=400) return Response({"error": "No permission"}, status=400)
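Review bot: The new `_permission_check` in RotatingWorkTypeAssignView dereferences `obj.employee_id` whenever `pk` is truthy, yet `obj` defaults to `None`, so a call that passes only `pk` raises AttributeError instead of returning a permission verdict; the guard should read `if pk and obj is not None:`. In the visible part of the hunk `get` still carries `@manager_permission_required("base.view_rotatingworktypeassign")`, so the helper does not appear to be wired in here; any caller would be outside the hunk, and the rest of the class body also lies outside it. A one-line docstring would help, e.g. `"""Allow access to the assignment's own employee, their reporting manager, or a user holding the view permission; deny otherwise (always False without a pk)."""`. The unconditional `return False` for the no-pk (list) path is presumably intended, but worth confirming against the list handler.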


@@ -50,6 +50,10 @@ from ...api_serializers.employee.serializers import (
) )
def permission_check(request, perm):
return request.user.has_perm(perm)
def object_check(cls, pk): def object_check(cls, pk):
try: try:
obj = cls.objects.get(id=pk) obj = cls.objects.get(id=pk)
@@ -440,6 +444,8 @@ class ActiontypeView(APIView):
return paginater.get_paginated_response(serializer.data) return paginater.get_paginated_response(serializer.data)
def post(self, request): def post(self, request):
if permission_check(request, "employee.add_actiontype") is False:
return Response({"error": "No permission"}, status=401)
serializer = self.serializer_class(data=request.data) serializer = self.serializer_class(data=request.data)
if serializer.is_valid(): if serializer.is_valid():
serializer.save() serializer.save()
@@ -447,6 +453,8 @@ class ActiontypeView(APIView):
return Response(serializer.errors, status=400) return Response(serializer.errors, status=400)
def put(self, request, pk): def put(self, request, pk):
if permission_check(request, "employee.change_actiontype") is False:
return Response({"error": "No permission"}, status=401)
action_type = object_check(Actiontype, pk) action_type = object_check(Actiontype, pk)
if action_type is None: if action_type is None:
return Response({"error": "Actiontype not found"}, status=404) return Response({"error": "Actiontype not found"}, status=404)
@@ -457,6 +465,8 @@ class ActiontypeView(APIView):
return Response(serializer.errors, status=400) return Response(serializer.errors, status=400)
def delete(self, request, pk): def delete(self, request, pk):
if permission_check(request, "employee.delete_actiontype") is False:
return Response({"error": "No permission"}, status=401)
action_type = object_check(Actiontype, pk) action_type = object_check(Actiontype, pk)
if action_type is None: if action_type is None:
return Response({"error": "Actiontype not found"}, status=404) return Response({"error": "Actiontype not found"}, status=404)
@@ -544,6 +554,8 @@ class DisciplinaryActionAPIView(APIView):
return paginator.get_paginated_response(serializer.data) return paginator.get_paginated_response(serializer.data)
def post(self, request): def post(self, request):
if permission_check(request, "employee.add_disciplinaryaction") is False:
return Response({"error": "No permission"}, status=401)
serializer = DisciplinaryActionSerializer(data=request.data) serializer = DisciplinaryActionSerializer(data=request.data)
if serializer.is_valid(): if serializer.is_valid():
serializer.save() serializer.save()
@@ -551,6 +563,8 @@ class DisciplinaryActionAPIView(APIView):
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def put(self, request, pk): def put(self, request, pk):
if permission_check(request, "employee.add_disciplinaryaction") is False:
return Response({"error": "No permission"}, status=401)
disciplinary_action = self.get_object(pk) disciplinary_action = self.get_object(pk)
serializer = DisciplinaryActionSerializer( serializer = DisciplinaryActionSerializer(
disciplinary_action, data=request.data disciplinary_action, data=request.data
@@ -561,6 +575,8 @@ class DisciplinaryActionAPIView(APIView):
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def delete(self, request, pk): def delete(self, request, pk):
if permission_check(request, "employee.add_disciplinaryaction") is False:
return Response({"error": "No permission"}, status=401)
disciplinary_action = self.get_object(pk) disciplinary_action = self.get_object(pk)
disciplinary_action.delete() disciplinary_action.delete()
return Response(status=status.HTTP_204_NO_CONTENT) return Response(status=status.HTTP_204_NO_CONTENT)
@@ -613,6 +629,9 @@ class PolicyAPIView(APIView):
return paginator.get_paginated_response(serializer.data) return paginator.get_paginated_response(serializer.data)
def post(self, request): def post(self, request):
if permission_check(request, "employee.add_policy") is False:
return Response({"error": "No permission"}, status=401)
serializer = PolicySerializer(data=request.data) serializer = PolicySerializer(data=request.data)
if serializer.is_valid(): if serializer.is_valid():
serializer.save() serializer.save()
@@ -620,6 +639,8 @@ class PolicyAPIView(APIView):
return Response(serializer.errors, status=400) return Response(serializer.errors, status=400)
def put(self, request, pk): def put(self, request, pk):
if permission_check(request, "employee.change_policy") is False:
return Response({"error": "No permission"}, status=401)
policy = self.get_object(pk) policy = self.get_object(pk)
serializer = PolicySerializer(policy, data=request.data) serializer = PolicySerializer(policy, data=request.data)
if serializer.is_valid(): if serializer.is_valid():
@@ -628,6 +649,8 @@ class PolicyAPIView(APIView):
return Response(serializer.errors, status=400) return Response(serializer.errors, status=400)
def delete(self, request, pk): def delete(self, request, pk):
if permission_check(request, "employee.delete_policy") is False:
return Response({"error": "No permission"}, status=401)
policy = self.get_object(pk) policy = self.get_object(pk)
policy.delete() policy.delete()
return Response(status=204) return Response(status=204)
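Review bot: DisciplinaryActionAPIView.put and .delete both gate on `employee.add_disciplinaryaction`, which looks like a copy-paste of the post check; the sibling ActiontypeView and PolicyAPIView hunks use the change/delete permissions for the same verbs, so these two should read `if permission_check(request, "employee.change_disciplinaryaction") is False:` and `if permission_check(request, "employee.delete_disciplinaryaction") is False:` (assuming the model carries Django's default add/change/delete permissions). As written, a user granted only the add permission can also edit and delete records, which is broader than the other views allow. Across every new check in this file the denial returns 401, but the request is already authenticated and merely lacks a permission, for which 403 (`status.HTTP_403_FORBIDDEN`) is the conventional code; 401 tells clients to re-authenticate, which will not help. Stylistically `if not permission_check(request, ...)` reads better than comparing `is False`, and the new module-level `permission_check` would benefit from a docstring such as `"""Return True if request.user holds the Django permission string perm."""`.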