diff --git a/backend/comments/permissions.py b/backend/comments/permissions.py index b863cc7..4fc1da8 100644 --- a/backend/comments/permissions.py +++ b/backend/comments/permissions.py @@ -11,11 +11,32 @@ class IsCommentVisibleToUser(permissions.BasePermission): - The comment is on a workout owned by the user """ + def has_permission(self, request, view): + # For POST requests, check if the user has permission to comment on the workout + if request.method == 'POST': + workout = request.data.get('workout', None) + if not workout: + return True # Let the serializer handle the validation + + # Extract workout ID from URL + workout_id = workout.split('/')[-2] + try: + from workouts.models import Workout + workout = Workout.objects.get(id=workout_id) + return ( + workout.visibility == "PU" + or workout.owner == request.user + or (workout.visibility == "CO" and workout.owner.coach == request.user) + ) + except: + return False + return True + def has_object_permission(self, request, view, obj): # Write permissions are only allowed to the owner. return ( obj.workout.visibility == "PU" or obj.owner == request.user - or (obj.workout.visibility == "CO" and obj.owner.coach == request.user) + or (obj.workout.visibility == "CO" and obj.workout.owner.coach == request.user) or obj.workout.owner == request.user ) diff --git a/backend/users/serializers.py b/backend/users/serializers.py index 321a9ff..add716c 100644 --- a/backend/users/serializers.py +++ b/backend/users/serializers.py @@ -7,6 +7,7 @@ class UserSerializer(serializers.HyperlinkedModelSerializer): password = serializers.CharField(style={"input_type": "password"}, write_only=True) password1 = serializers.CharField(style={"input_type": "password"}, write_only=True) + specialism = serializers.CharField(required=False, allow_blank=True, default="") class Meta: model = get_user_model() 
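Review bot: The bare `except:` in the new has_permission turns every failure in the lookup — a missing Workout, a malformed `workout` URL that makes `split('/')[-2]` raise, a non-numeric id, or a database error — into a silent deny, which hides bugs and also swallows KeyboardInterrupt/SystemExit; catch the cases the code actually expects, `except (Workout.DoesNotExist, ValueError, IndexError, AttributeError):` and let anything else propagate. Deriving the id positionally from the URL is fragile (a URL without a trailing slash makes `[-2]` select the resource name rather than the id), and if the comment serializer resolves `workout` through a hyperlinked field (not shown here) that resolution is the safer source for the object. The visibility rule is now written twice, here and in has_object_permission, so a small helper such as `_can_view_workout(workout, user)` called from both would keep them from drifting the way the `obj.owner.coach` → `obj.workout.owner.coach` fix shows they already had. The function-level `from workouts.models import Workout` deserves a one-line comment saying why it is deferred (presumably to avoid a circular import — confirm), and has_permission should carry a docstring stating that a missing `workout` is deliberately passed through to serializer validation rather than denied.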
@@ -46,11 +47,13 @@ def create(self, validated_data): username = validated_data["username"] email = validated_data["email"] isCoach = validated_data["isCoach"] - if (isCoach): - specialism = validated_data["specialism"] - user_obj = get_user_model()(username=username, email=email,isCoach=isCoach,specialism=specialism) - else: - user_obj = get_user_model()(username=username, email=email,isCoach=isCoach) + specialism = validated_data.get("specialism", "") + user_obj = get_user_model()( + username=username, + email=email, + isCoach=isCoach, + specialism=specialism + ) password = validated_data["password"] user_obj.set_password(password) user_obj.save() diff --git a/backend/workouts/models.py b/backend/workouts/models.py index 22bffec..7bfede3 100644 --- a/backend/workouts/models.py +++ b/backend/workouts/models.py @@ -7,6 +7,7 @@ from django.core.files.storage import FileSystemStorage from django.conf import settings from django.contrib.auth import get_user_model +from users.validators import FileValidator class OverwriteStorage(FileSystemStorage): @@ -136,5 +137,14 @@ class WorkoutFile(models.Model): owner = models.ForeignKey( get_user_model(), on_delete=models.CASCADE, related_name="workout_files" ) - file = models.FileField(upload_to=workout_directory_path) + file = models.FileField( + upload_to=workout_directory_path, + validators=[ + FileValidator( + allowed_extensions=['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'], + allowed_mimetypes=['text/plain', 'application/pdf', 'image/png', 'image/jpeg', 'image/gif'], + max_size=5 * 1024 * 1024 # 5MB + ) + ] + ) diff --git a/backend/workouts/views.py b/backend/workouts/views.py index 0387bc6..9d70fa7 100644 --- a/backend/workouts/views.py +++ b/backend/workouts/views.py @@ -5,6 +5,8 @@ from rest_framework.parsers import ( JSONParser, + MultiPartParser, + FormParser ) from rest_framework.decorators import api_view from rest_framework.response import Response 
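Review bot: The rewritten create stores whatever `specialism` the client sends even when `isCoach` is false, whereas the removed branch only set it for coaches; if a specialism on a non-coach account is not meaningful, keep the old semantics with `specialism = validated_data.get("specialism", "") if isCoach else ""`. With the serializer now declaring `specialism` with `default=""`, the `.get(..., "")` fallback is redundant but harmless, and a short comment saying which default is expected to apply would save the next reader the question. create starts and ends outside the hunk.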
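Review bot: The allowed-type lists and the size limit are inlined in the WorkoutFile.file definition; pulling them into module-level constants (`WORKOUT_FILE_ALLOWED_EXTENSIONS`, `WORKOUT_FILE_ALLOWED_MIMETYPES`, `WORKOUT_FILE_MAX_SIZE = 5 * 1024 * 1024`) documents the upload policy in one place and lets the serializer or API docs reference it instead of repeating magic values. Whether the MIME check adds anything beyond the extension check depends on how FileValidator (users/validators.py, not in this diff) determines the type: if it reads the client-supplied content type it is only as trustworthy as the client's own declaration, whereas inspecting the file content is what actually catches a mislabelled upload — confirm which it does and record it in a comment next to `allowed_mimetypes`. Model-field validators run through full_clean() or serializer field validation, not on plain save(), so rows created by other paths (admin, management commands, fixtures) are not covered; worth a sentence in a comment or the field's help_text.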
@@ -240,7 +242,7 @@ class WorkoutFileList( queryset = WorkoutFile.objects.all() serializer_class = WorkoutFileSerializer permission_classes = [permissions.IsAuthenticated & IsOwnerOfWorkout] - parser_classes = [MultipartJsonParser, JSONParser] + parser_classes = [MultiPartParser, FormParser] def get(self, request, *args, **kwargs): return self.list(request, *args, **kwargs)
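Review bot: Replacing `[MultipartJsonParser, JSONParser]` with `[MultiPartParser, FormParser]` drops JSON entirely for WorkoutFileList, so any client that posted application/json to this endpoint now receives 415 Unsupported Media Type; if that is intended, say so on the line, `parser_classes = [MultiPartParser, FormParser]  # file uploads only; JSON bodies are rejected`, otherwise keep JSONParser in the list. If nothing else in views.py still uses MultipartJsonParser after this change, its import (outside the hunk) becomes dead and should be removed along with the added parser imports in the earlier hunk being the only ones needed. The class body of WorkoutFileList begins before the hunk.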