

feat: implement file validation and permission checks - Added FileVal…
…idator to WorkoutFile model, updated parser classes for file uploads, fixed permission checks for comments and workouts, improved user registration validation
haahauge committed Apr 3, 2025
1 parent 6032d04 commit 160bb6d
Showing 4 changed files with 44 additions and 8 deletions.
23 changes: 22 additions & 1 deletion backend/comments/permissions.py
Expand Up @@ -11,11 +11,32 @@ class IsCommentVisibleToUser(permissions.BasePermission):
- The comment is on a workout owned by the user
"""

def has_permission(self, request, view):
# For POST requests, check if the user has permission to comment on the workout
if request.method == 'POST':
workout = request.data.get('workout', None)
if not workout:
return True # Let the serializer handle the validation

# Extract workout ID from URL
workout_id = workout.split('/')[-2]
try:
from workouts.models import Workout
workout = Workout.objects.get(id=workout_id)
return (
workout.visibility == "PU"
or workout.owner == request.user
or (workout.visibility == "CO" and workout.owner.coach == request.user)
)
except:
return False
return True

def has_object_permission(self, request, view, obj):
# Write permissions are only allowed to the owner.
return (
obj.workout.visibility == "PU"
or obj.owner == request.user
or (obj.workout.visibility == "CO" and obj.owner.coach == request.user)
or (obj.workout.visibility == "CO" and obj.workout.owner.coach == request.user)
or obj.workout.owner == request.user
)
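Review bot: The bare `except:` around the `Workout.objects.get` lookup in `has_permission` turns every failure — an `AttributeError` when `request.data['workout']` is not a string, an `IndexError` from `split('/')[-2]`, even an `ImportError` from the import placed inside the `try` — into a silent 403, so a bug in the lookup is indistinguishable from a genuine denial. Catch only the cases that mean "no such workout" and let the rest surface: `except (Workout.DoesNotExist, ValueError, IndexError, AttributeError): return False`, with `from workouts.models import Workout` moved above the `try`. The comment on `has_object_permission`, `# Write permissions are only allowed to the owner.`, no longer describes the method, which also admits the workout owner and, for "CO" visibility, the owner's coach; replace it with `# Visible to the comment owner, the workout owner, anyone when public, and the workout owner's coach when coach-visible.` The `IsCommentVisibleToUser` class header is above the hunk.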
13 changes: 8 additions & 5 deletions backend/users/serializers.py
Expand Up @@ -7,6 +7,7 @@
class UserSerializer(serializers.HyperlinkedModelSerializer):
password = serializers.CharField(style={"input_type": "password"}, write_only=True)
password1 = serializers.CharField(style={"input_type": "password"}, write_only=True)
specialism = serializers.CharField(required=False, allow_blank=True, default="")

class Meta:
model = get_user_model()
Expand Down Expand Up @@ -46,11 +47,13 @@ def create(self, validated_data):
username = validated_data["username"]
email = validated_data["email"]
isCoach = validated_data["isCoach"]
if (isCoach):
specialism = validated_data["specialism"]
user_obj = get_user_model()(username=username, email=email,isCoach=isCoach,specialism=specialism)
else:
user_obj = get_user_model()(username=username, email=email,isCoach=isCoach)
specialism = validated_data.get("specialism", "")
user_obj = get_user_model()(
username=username,
email=email,
isCoach=isCoach,
specialism=specialism
)
password = validated_data["password"]
user_obj.set_password(password)
user_obj.save()
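Review bot: Declaring `specialism` explicitly as `serializers.CharField(required=False, allow_blank=True, default="")` replaces the field a `HyperlinkedModelSerializer` would otherwise derive from the model, so any `max_length` the model's `specialism` column carries is no longer enforced before `user_obj.save()`; if the model field has a length limit, mirror it here, e.g. `specialism = serializers.CharField(required=False, allow_blank=True, default="", max_length=<model max_length>)`. The rewritten `create` also now stores whatever `specialism` a non-coach submits, whereas the removed branch dropped it when `isCoach` was false; if that attribute is meant to be coach-only, clear it explicitly with `specialism = validated_data.get("specialism", "") if isCoach else ""`. The `.get("specialism", "")` default duplicates the field's own `default=""`, which is harmless but deserves a one-line comment so the next reader does not hunt for the difference. `create` continues past the end of the hunk.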
12 changes: 11 additions & 1 deletion backend/workouts/models.py
Expand Up @@ -7,6 +7,7 @@
from django.core.files.storage import FileSystemStorage
from django.conf import settings
from django.contrib.auth import get_user_model
from users.validators import FileValidator


class OverwriteStorage(FileSystemStorage):
Expand Down Expand Up @@ -136,5 +137,14 @@ class WorkoutFile(models.Model):
owner = models.ForeignKey(
get_user_model(), on_delete=models.CASCADE, related_name="workout_files"
)
file = models.FileField(upload_to=workout_directory_path)
file = models.FileField(
upload_to=workout_directory_path,
validators=[
FileValidator(
allowed_extensions=['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'],
allowed_mimetypes=['text/plain', 'application/pdf', 'image/png', 'image/jpeg', 'image/gif'],
max_size=5 * 1024 * 1024 # 5MB
)
]
)

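Review bot: The `FileValidator` attached to `WorkoutFile.file` checks `allowed_mimetypes`, but its implementation is not in this diff; if it reads the `content_type` the client declared in the multipart upload instead of inspecting the file bytes, the mimetype list adds nothing over the extension list, since both values come from the request. Worth confirming, and recording on the field once true, e.g. `# NOTE: mimetype is checked against file content, not the client-declared Content-Type (see users.validators.FileValidator)`. Field `validators` also run only through `full_clean()` or a form/serializer, never on `Model.save()`; a DRF `ModelSerializer` normally copies them onto its field, but any other code path that creates `WorkoutFile` rows directly bypasses the check. The `5 * 1024 * 1024` limit and the two allowlists would be easier to keep in sync as named module-level constants rather than literals inside the field definition.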
4 changes: 3 additions & 1 deletion backend/workouts/views.py
Expand Up @@ -5,6 +5,8 @@

from rest_framework.parsers import (
JSONParser,
MultiPartParser,
FormParser
)
from rest_framework.decorators import api_view
from rest_framework.response import Response
Expand Down Expand Up @@ -240,7 +242,7 @@ class WorkoutFileList(
queryset = WorkoutFile.objects.all()
serializer_class = WorkoutFileSerializer
permission_classes = [permissions.IsAuthenticated & IsOwnerOfWorkout]
parser_classes = [MultipartJsonParser, JSONParser]
parser_classes = [MultiPartParser, FormParser]

def get(self, request, *args, **kwargs):
return self.list(request, *args, **kwargs)
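Review bot: Replacing `[MultipartJsonParser, JSONParser]` with `[MultiPartParser, FormParser]` on `WorkoutFileList` drops JSON support entirely, so a client that still POSTs `application/json` to this endpoint now receives a 415 instead of a validation error, and `JSONParser` stays imported at the top of the file without a use in this hunk. If JSON bodies are intentionally no longer accepted here, say so on the line, e.g. `# Uploads are multipart/form-data only; JSON bodies are rejected with 415`; otherwise keep it as a fallback with `parser_classes = [MultiPartParser, FormParser, JSONParser]`. The `WorkoutFileList` class header is above the hunk, and `JSONParser` may still be used by other views in the file.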
