notification permissions

ipynbsrv/api/permissions.py

@@ -51,6 +51,15 @@ def is_creator(self, user, obj):
             return obj.creator == user.backend_user
 
 
+class IsObjectSenderMixin(object):
+
+    def is_sender(self, user, obj):
+        if type(obj.sender) == User:
+            return obj.sender == user
+        elif type(obj.sender) == BackendUser:
+            return obj.sender == user.backend_user
+
+
 class IsSuperUserMixin(object):
 
     def is_superuser(self, user):
@@ -122,6 +131,22 @@ def has_object_permission(self, request, view, obj):
         return False
 
 
+class IsSuperUserOrSender(
+        permissions.BasePermission,
+        IsObjectSenderMixin,
+        IsBackendUserMixin,
+        IsSuperUserMixin):
+    """
+    Only allow access to User which is set as sender of the object.
+    Created for permissions on notifications.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        if self.is_superuser(request.user):
+            return True
+        return self.is_sender(request.user, obj)
+
+
 class IsSuperUserOrIsObjectOwnerOrReadOnlyIfPublic(
         IsSuperUserOrIsObjectOwner,
         IsPublicMixin,

ipynbsrv/api/views.py

@@ -841,7 +841,7 @@ def perform_create(self, serializer):
             serializer.save(sender=self.request.user)
 
 
-class NotificationDetail(generics.RetrieveUpdateDestroyAPIView):
+class NotificationDetail(generics.RetrieveDestroyAPIView):
     """
     Get details of a notification.
     """
@@ -851,7 +851,7 @@ def get_serializer_class(self, *args, **kwargs):
             return FlatNotificationSerializer
         return NestedNotificationSerializer
 
-    permission_classes = [IsSuperUserOrReadOnly]
+    permission_classes = [IsSuperUserOrSender]
 
     def get_queryset(self):
         if self.request.user.is_superuser: