From b22b7df269d57b1a3371d28c6ad6c85e2eadec4c Mon Sep 17 00:00:00 2001 From: ivinayakg Date: Fri, 15 Sep 2023 20:00:44 +0530 Subject: [PATCH 1/2] feat: added authorization middleware --- apps/base/constants.py | 2 ++ apps/base/permissions.py | 19 ++++++++++++++++--- apps/base/tests.py | 3 --- apps/goals/views.py | 5 ++++- apps/user/tests/test_drf_views.py | 18 ++++++++++++++++++ apps/user/v1/views.py | 5 +++-- 6 files changed, 43 insertions(+), 9 deletions(-) create mode 100644 apps/base/constants.py delete mode 100644 apps/base/tests.py diff --git a/apps/base/constants.py b/apps/base/constants.py new file mode 100644 index 0000000..c0f6226 --- /dev/null +++ b/apps/base/constants.py @@ -0,0 +1,2 @@ +SUPER_USER_ROLE = "super_user" +MEMBER_ROLE = "member" diff --git a/apps/base/permissions.py b/apps/base/permissions.py index ab2ea6f..1499b44 100644 --- a/apps/base/permissions.py +++ b/apps/base/permissions.py @@ -1,6 +1,19 @@ from rest_framework import permissions +from apps.base.constants import SUPER_USER_ROLE, MEMBER_ROLE -class IsSuperUserPermission(permissions.BasePermission): - def has_permission(self, request, view): - return False +def AuthorizationPermissions(roles=[]): + class AuthorizationPermission: + def has_permission(self, request, view): + if not request.user.is_authenticated: + return False + + user_roles = request.user.roles + for role in roles: + if user_roles.get(role, False) is False: + return False + else: + continue + return True + + return AuthorizationPermission diff --git a/apps/base/tests.py b/apps/base/tests.py deleted file mode 100644 index 7ce503c..0000000 --- a/apps/base/tests.py +++ /dev/null @@ -1,3 +0,0 @@ -from django.test import TestCase - -# Create your tests here. diff --git a/apps/goals/views.py b/apps/goals/views.py index 56af2ec..4204a36 100644 --- a/apps/goals/views.py +++ b/apps/goals/views.py 
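Review bot: The inner `AuthorizationPermission` class in the new `AuthorizationPermissions` factory is a plain class, not a subclass of `permissions.BasePermission`, so it has no `has_object_permission`; DRF calls that method on every permission during object-level checks (detail actions), which would raise `AttributeError` rather than deny or allow. Declare it as `class AuthorizationPermission(permissions.BasePermission):`, which also gives the now-unused `permissions` import a purpose. The `roles=[]` mutable default is not mutated here, but the idiomatic form is `def AuthorizationPermissions(roles=()):`. `SUPER_USER_ROLE` and `MEMBER_ROLE` are imported into this module but never referenced in it.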
@@ -1,7 +1,10 @@ +from rest_framework.permissions import IsAuthenticated + from apps.base.base_views import ModelBaseViewSet from apps.goals.models import Goal from apps.goals.serializers import GoalSerializer -from rest_framework.permissions import IsAuthenticated +from apps.base.permissions import AuthorizationPermissions +from apps.base.constants import MEMBER_ROLE class GoalViewSet(ModelBaseViewSet): diff --git a/apps/user/tests/test_drf_views.py b/apps/user/tests/test_drf_views.py index bd8a27e..0e9db25 100644 --- a/apps/user/tests/test_drf_views.py +++ b/apps/user/tests/test_drf_views.py @@ -4,6 +4,7 @@ from django.conf import LazySettings from apps.conftest import get_user_token +from apps.base.constants import SUPER_USER_ROLE settings = LazySettings() @@ -61,3 +62,20 @@ def test_get_user(self, client, user_t1): **_response_data["attributes"]} assert user_data["rds_id"] == user_t1.rds_id + + def test_list_users(self, client, user_t1, user_t2): + self.client.credentials(HTTP_AUTHORIZATION=get_user_token(user_t1)) + + _response = self.client.get( + f"/api/v1/user/", format="vnd.api+json") + + assert _response.status_code == status.HTTP_403_FORBIDDEN + + # giving a role to authorize + user_t1.roles[SUPER_USER_ROLE] = True + user_t1.save() + + _response = self.client.get( + f"/api/v1/user/", format="vnd.api+json") + + assert _response.status_code == status.HTTP_200_OK diff --git a/apps/user/v1/views.py b/apps/user/v1/views.py index 7f5f74d..bc4e037 100644 --- a/apps/user/v1/views.py +++ b/apps/user/v1/views.py @@ -6,7 +6,7 @@ from apps.user.models import User from apps.user.v1.serializer import UserSerializer, CreateUserSerializer from apps.user.permission import RestKeyPermission -from apps.base.permissions import IsSuperUserPermission +from apps.base.permissions import AuthorizationPermissions, SUPER_USER_ROLE class UserViewSet(ModelBaseViewSet): 
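Review bot: `AuthorizationPermissions` and `MEMBER_ROLE` are imported into `apps/goals/views.py` but, as far as this hunk and the diffstat show (4 insertions, 1 deletion, all import lines), nothing in `GoalViewSet` uses them, so the goals endpoints get no role check from this commit despite the "authorization middleware" title. Either wire the check in, e.g. `permission_classes = [AuthorizationPermissions([MEMBER_ROLE])]` on the viewset, or drop the two imports so a reader does not assume the check is in place. The body of `GoalViewSet` continues outside the hunk, so I cannot confirm what its `permission_classes` currently are.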
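Review bot: `test_list_users` pins 403-then-200 for a user who gains `SUPER_USER_ROLE`, but it does not show that a different role is rejected, so a regression that lets any populated `roles` dict pass would go unnoticed; add a step that sets `user_t1.roles[MEMBER_ROLE] = True` first and still asserts `HTTP_403_FORBIDDEN`, and a request with no credentials asserting the unauthenticated status. The test mutates `user_t1.roles[...]` in place, which presumably relies on the fixture initialising `roles` as a dict rather than `None` — worth confirming against `apps.conftest`. Minor: `f"/api/v1/user/"` has no placeholders and can be a plain string literal.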
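Review bot: The new import line pulls `SUPER_USER_ROLE` from `apps.base.permissions`, where it exists only as a transitive import that `permissions.py` itself never uses; a routine unused-import cleanup there would break this view at import time. Import it from its defining module instead: `from apps.base.permissions import AuthorizationPermissions` and `from apps.base.constants import SUPER_USER_ROLE`. `UserViewSet` continues outside the hunk.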
@@ -18,7 +18,8 @@ def get_permissions(self): if self.action in ["create"]: self.permission_classes = [RestKeyPermission] elif self.action in ["list"]: - self.permission_classes = [IsSuperUserPermission] + self.permission_classes = [ + AuthorizationPermissions([SUPER_USER_ROLE])] else: self.permission_classes = [IsAuthenticated] return [permission() for permission in self.permission_classes] From a02b45b14bc323b3321cce2b9410b5ac2972ec37 Mon Sep 17 00:00:00 2001 From: ivinayakg Date: Fri, 15 Sep 2023 20:04:12 +0530 Subject: [PATCH 2/2] refact: changes in the authorization middleware --- apps/base/permissions.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/base/permissions.py b/apps/base/permissions.py index 1499b44..2a1bfc2 100644 --- a/apps/base/permissions.py +++ b/apps/base/permissions.py @@ -10,10 +10,10 @@ def has_permission(self, request, view): user_roles = request.user.roles for role in roles: - if user_roles.get(role, False) is False: - return False + if user_roles.get(role, False) is True: + return True else: continue - return True + return False return AuthorizationPermission
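Review bot: `AuthorizationPermissions([SUPER_USER_ROLE])` is evaluated inside `get_permissions`, so a fresh permission class is built on every request that hits the `list` branch; hoist it to a module-level name such as `IsSuperUser = AuthorizationPermissions([SUPER_USER_ROLE])` and use `self.permission_classes = [IsSuperUser]` here. Not part of this change, but visible in the context: every action other than `create` and `list` (retrieve, update, partial_update, destroy) falls into the `IsAuthenticated` branch — unless `ModelBaseViewSet`, which is outside this diff, scopes the queryset or object permissions to the requesting user, any authenticated user can modify other users' records, which is worth confirming. `get_permissions` starts outside the hunk.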
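Review bot: After this refactor the loop is an any-of check with a dead `else: continue` branch, and the intent is clearer (and the dead branch gone) as a single line: `return any(user_roles.get(role, False) is True for role in roles)`, replacing the `for` loop and the trailing `return False`. This keeps the fail-closed behaviour when `roles` is empty. Note that the `is True` identity test means a role stored as `1` or `"true"` is denied rather than granted; that is the safe direction, but a one-line comment such as `# roles must be stored as literal booleans; anything else is treated as absent` would stop a future maintainer from "fixing" it to a truthiness test. The `AuthorizationPermissions` signature and the inner class line are outside this hunk.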