[FIX] HORILLA API: Employee api permission fix

horilla_api/api_methods/employee/methods.py

@@ -1,4 +1,7 @@
+import re
+
 from django.http import QueryDict
+from responses import logger
 from rest_framework.pagination import PageNumberPagination
 
 from base.models import *
@@ -10,26 +13,47 @@ def get_next_badge_id():
     """
     This method is used to generate badge id
     """
-    try:
-        highest_badge_id = (
-            Employee.objects.filter(badge_id__isnull=False)
-            .order_by("-badge_id")
-            .first()
-            .badge_id
-        )
-    except AttributeError:
-        highest_badge_id = None
+    from base.context_processors import get_initial_prefix
+    from employee.methods.methods import get_ordered_badge_ids
 
-    # Increment the badge_id if it exists, otherwise start from '1'
-    if highest_badge_id:
-        if "#" in highest_badge_id:
-            prefix, number = highest_badge_id.split("#")  # Split prefix and number
-            # Increment the number
-            new_number = str(int(number) + 1).zfill(len(number))
-            new_badge_id = f"{prefix}#{new_number}"
-        else:
-            # Add number to existing prefix
-            new_badge_id = f"{highest_badge_id}#001"
-    else:
-        new_badge_id = "EMP#001"  # Default start badge ID if no employees exist
-    return new_badge_id
+    prefix = get_initial_prefix(None)["get_initial_prefix"]
+    data = get_ordered_badge_ids()
+    result = []
+    try:
+        for sublist in data:
+            for item in sublist:
+                if isinstance(item, str) and item.lower().startswith(prefix.lower()):
+                    # Find the index of the item in the sublist
+                    index = sublist.index(item)
+                    # Check if there is a next item in the sublist
+                    if index + 1 < len(sublist):
+                        result = sublist[index + 1]
+                        result = re.findall(r"[a-zA-Z]+|\d+|[^a-zA-Z\d\s]", result)
+
+        if result:
+            prefix = []
+            incremented = False
+            for item in reversed(result):
+                total_letters = len(item)
+                total_zero_leads = 0
+                for letter in item:
+                    if letter == "0":
+                        total_zero_leads = total_zero_leads + 1
+                        continue
+                    break
+
+                if total_zero_leads:
+                    item = item[total_zero_leads:]
+                if isinstance(item, list):
+                    item = item[-1]
+                if not incremented and isinstance(eval(str(item)), int):
+                    item = int(item) + 1
+                    incremented = True
+                if isinstance(item, int):
+                    item = "{:0{}d}".format(item, total_letters)
+                prefix.insert(0, str(item))
+            prefix = "".join(prefix)
+    except Exception as e:
+        logger.exception(e)
+        prefix = get_initial_prefix(None)["get_initial_prefix"]
+    return prefix

horilla_api/api_urls/employee/urls.py

@@ -16,11 +16,6 @@ urlpatterns = [
         views.EmployeeListAPIView.as_view(),
         name="employee-list-detailed",
     ),  # Alternative endpoint for listing employees
-    path(
-        "employee-bank-details/",
-        views.EmployeeBankDetailsAPIView.as_view(),
-        name="employee-bank-details-list",
-    ),
     path(
         "employee-bank-details/<int:pk>/",
         views.EmployeeBankDetailsAPIView.as_view(),

horilla_api/api_views/base/views.py

@@ -357,6 +357,8 @@ class WorkTypeRequestView(APIView):
             return Response(serializer.data, status=200)
         # permission based queryset
         work_type_requests = self.get_queryset(request)
+        print("work_type_requests: ", work_type_requests)
+
         # filtering queryset
         work_type_request_filter_queryset = self.filterset_class(
             request.GET, queryset=work_type_requests
@@ -1362,9 +1364,14 @@ class EmployeeTabPermissionCheck(APIView):
     permission_classes = [IsAuthenticated]
 
     def get(self, request):
-        instance = request.user.employee_get
+
+        instance = Employee.objects.filter(id=request.GET.get("employee_id")).first()
         if _is_reportingmanger(request, instance) or request.user.has_perms(
-            ["attendance.view_worktyperequest", "perms.attendance.view_shiftrequest"]
+            [
+                "attendance.view_worktyperequest",
+                "attendance.view_shiftrequest",
+                "employee.change_employee",
+            ]
         ):
             return Response(status=200)
-        return Response(status=400)
+        return Response({"message": "No permission"}, status=400)

horilla_api/api_views/employee/views.py

@@ -24,6 +24,7 @@ from employee.models import (
 )
 from employee.views import work_info_export, work_info_import
 from horilla.decorators import owner_can_enter
+from horilla_api.api_methods.employee.methods import get_next_badge_id
 from horilla_documents.models import Document, DocumentRequest
 from notifications.signals import notify
 
@@ -89,7 +90,6 @@ class EmployeeAPIView(APIView):
     permission_classes = [IsAuthenticated]
 
     def get(self, request, pk=None):
-
         if pk:
             try:
                 employee = Employee.objects.get(pk=pk)
@@ -215,22 +215,19 @@ class EmployeeBankDetailsAPIView(APIView):
         return queryset
 
     def get(self, request, pk=None):
-        if pk:
-            try:
-                bank_detail = EmployeeBankDetails.objects.get(pk=pk)
-            except EmployeeBankDetails.DoesNotExist:
-                return Response(
-                    {"error": "Bank details do not exist"},
-                    status=status.HTTP_404_NOT_FOUND,
-                )
+        bank_detail = EmployeeBankDetails.objects.get(pk=pk)
+        if (
+            request.user.employee_get
+            in [
+                bank_detail.employee_id,
+                bank_detail.employee_id.get_reporting_manager(),
+            ]
+        ) or request.user.has_perm("employee.view_employeebankdetails"):
 
             serializer = EmployeeBankDetailsSerializer(bank_detail)
             return Response(serializer.data)
-        paginator = PageNumberPagination()
-        employee_bank_details = self.get_queryset(request)
-        page = paginator.paginate_queryset(employee_bank_details, request)
-        serializer = EmployeeBankDetailsSerializer(page, many=True)
-        return paginator.get_paginated_response(serializer.data)
+
+        return Response({"message": "No permission"}, status=400)
 
     @manager_or_owner_permission_required(
         EmployeeBankDetails, "employee.add_employeebankdetails"
@@ -296,8 +293,13 @@ class EmployeeWorkInformationAPIView(APIView):
 
     def get(self, request, pk):
         work_info = EmployeeWorkInformation.objects.get(pk=pk)
-        serializer = EmployeeWorkInformationSerializer(work_info)
-        return Response(serializer.data)
+        if (
+            request.user.employee_get == work_info.reporting_manager_id
+            or request.user.has_perm("employee.view_employeeworkinformation")
+        ):
+            serializer = EmployeeWorkInformationSerializer(work_info)
+            return Response(serializer.data, status=200)
+        return Response({"message": "No permission"}, status=400)
 
     @manager_permission_required("employee.add_employeeworkinformation")
     def post(self, request):
@@ -309,17 +311,19 @@ class EmployeeWorkInformationAPIView(APIView):
 
     @manager_permission_required("employee.change_employeeworkinformation")
     def put(self, request, pk):
-        try:
-            work_info = EmployeeWorkInformation.objects.get(pk=pk)
-        except EmployeeWorkInformation.DoesNotExist:
-            raise Http404
-        serializer = EmployeeWorkInformationSerializer(
-            work_info, data=request.data, partial=True
-        )
-        if serializer.is_valid():
-            serializer.save()
-            return Response(serializer.data)
-        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+        work_info = EmployeeWorkInformation.objects.get(pk=pk)
+        if (
+            request.user.employee_get == work_info.reporting_manager_id
+            or request.user.has_perm("employee.change_employeeworkinformation")
+        ):
+            serializer = EmployeeWorkInformationSerializer(
+                work_info, data=request.data, partial=True
+            )
+            if serializer.is_valid():
+                serializer.save()
+                return Response(serializer.data)
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+        return Response({"message": "No permission"}, status=400)
 
     @method_decorator(
         permission_required("employee.delete_employeeworkinformation"), name="dispatch"