activist
Custom permissions for Group API write operations
Terms
- [x] I have searched open and closed feature requests
- [x] I agree to follow activist's Code of Conduct
Description
It would make sense to start implementing custom permissions for our API. At the moment we are using IsAuthenticatedOrReadOnly for GroupDetailAPIView. But for all write operations (PUT, PATCH, DELETE) we also have to check if the request user is the creator of the group or is admin or staff.
This is how it is done currently:
```python
# Current inline check inside the view method (DRF imports added so the
# fragment reads on its own; the check itself is unchanged).
from rest_framework import status
from rest_framework.response import Response

if request.user != org.created_by and not request.user.is_staff:
    return Response(
        {"error": "You are not authorized to update this organization"},
        status=status.HTTP_401_UNAUTHORIZED,
    )
```
And we should implement something like this with BasePermissions:
```python
# DRF's base class is spelled BasePermission (singular).
from rest_framework.permissions import BasePermission


class IsAdminStaffCreatorOrReadOnly(BasePermission):
    ...
```
Contribution
I am willing to be assigned!
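As an added example that is not part of this issue and not the project's own code, here is one way the permission class sketched above could be written: reads stay open, unauthenticated users are read-only (matching IsAuthenticatedOrReadOnly), and writes are allowed only to the object's creator, staff, or superusers. It assumes the model exposes a `created_by` field as in the inline check quoted above, and it falls back to minimal stand-ins for `BasePermission` and `SAFE_METHODS` when Django REST Framework cannot be imported, so it runs offline. The `Fake*` classes and `check()` helper are constructed for the example only.

```python
"""Object-level permission for Group write operations (added example)."""
from dataclasses import dataclass
from typing import Any

try:
    from rest_framework.permissions import SAFE_METHODS, BasePermission
except Exception:  # assumption: DRF may be absent or Django unconfigured
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:  # mirrors DRF's defaults: allow everything
        def has_permission(self, request: Any, view: Any) -> bool:
            return True

        def has_object_permission(self, request: Any, view: Any, obj: Any) -> bool:
            return True


class IsAdminStaffCreatorOrReadOnly(BasePermission):
    """Reads for anyone; writes only for the creator, staff, or superusers."""

    message = "You are not authorized to modify this group."

    def has_permission(self, request: Any, view: Any) -> bool:
        # View-level gate: anonymous users may only use safe methods.
        if request.method in SAFE_METHODS:
            return True
        user = getattr(request, "user", None)
        return bool(user is not None and user.is_authenticated)

    def has_object_permission(self, request: Any, view: Any, obj: Any) -> bool:
        # Object-level gate: runs after the object is fetched.
        if request.method in SAFE_METHODS:
            return True
        user = request.user
        if user.is_staff or user.is_superuser:
            return True
        # Assumption: the model has a `created_by` foreign key to the user.
        return getattr(obj, "created_by", None) == user


# --- Constructed stand-ins so the check can be exercised without a DB ---
@dataclass(frozen=True)
class FakeUser:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class FakeGroup:
    created_by: FakeUser


@dataclass
class FakeRequest:
    method: str
    user: FakeUser


ANONYMOUS = FakeUser("anonymous", is_authenticated=False)


def check(method: str, user: FakeUser, group: FakeGroup) -> bool:
    """Apply both permission hooks the way DRF's generic views do."""
    perm = IsAdminStaffCreatorOrReadOnly()
    request = FakeRequest(method, user)
    return perm.has_permission(request, None) and perm.has_object_permission(
        request, None, group
    )


if __name__ == "__main__":
    creator, other, staff = FakeUser("alice"), FakeUser("bob"), FakeUser("carol", is_staff=True)
    group = FakeGroup(created_by=creator)
    for method, user in [("GET", ANONYMOUS), ("PATCH", ANONYMOUS), ("PUT", creator),
                         ("DELETE", other), ("DELETE", staff)]:
        print(f"{method:6} {user.username:10} -> {'allowed' if check(method, user, group) else 'denied'}")
```

When wired into `permission_classes`, DRF's generic views call `has_object_permission` from `get_object()`; a hand-written view that fetches the object itself has to call `self.check_object_permissions(request, obj)` explicitly or the object-level check never runs. Note also that DRF answers a failed check with 403 for an authenticated user and 401 only for an anonymous one, which is more accurate than the blanket 401 in the current inline check.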
Thanks for your interest in helping out here, @ChuqiaoHuang! Please let us know if you need any support :)
Hey @andrewtavis, can I work on this issue?
Adding @rohityadav2604 to the assignees here :) Please let us know if you've already started working on this, @ChuqiaoHuang! 😊
Feel free to get started in the meantime and maybe we can combine implementations, @rohityadav2604 :)
Thank you @andrewtavis, I will start working on this. @ChuqiaoHuang, if you have started working on it, let me know the progress and we can divide the task accordingly.
Closed by #1287 🚀 Thanks so much for taking this on and for the quality contribution, @rohityadav2604! Looking forward to the next one! 😊