From 948d42998b461442e2808114415982b88e3955b3 Mon Sep 17 00:00:00 2001
From: Nassim Tabchiche
Date: Thu, 22 Feb 2024 18:56:19 +0100
Subject: [PATCH] Enforce library related permissions

---
 backend/library/views.py | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/backend/library/views.py b/backend/library/views.py
index 05096a6c4..59f1bb5ee 100644
--- a/backend/library/views.py
+++ b/backend/library/views.py
@@ -2,7 +2,7 @@
 from django.core.exceptions import ValidationError
 from django.db import IntegrityError
 from django.db.models import QuerySet
-from rest_framework import status
+from rest_framework import permissions, status
 from rest_framework.generics import get_object_or_404
 from rest_framework.status import (
     HTTP_200_OK,
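Review bot: `permissions` is added on the `+from rest_framework import permissions, status` line, but nothing in this patch references it; either the name is dead (ruff F401) or a `permission_classes = [...]` declaration on the reworked viewset was intended and is missing, and if the latter, that declaration is where DRF would apply the check to every action uniformly instead of only the overridden ones. `QuerySet` on the unchanged `from django.db.models import QuerySet` context line also appears to lose its only annotated use once `get_queryset` is deleted in the following hunk, so it likely becomes unused as well. Both observations are inferred from the visible hunks only; the rest of the module is not shown here.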
@@ -20,30 +20,41 @@
 from core.helpers import get_sorted_requirement_nodes
 from core.models import Library
+from core.views import BaseModelViewSet
+from iam.models import RoleAssignment
 from library.validators import validate_file_extension
 from .helpers import preview_library
-from rest_framework import viewsets
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from .serializers import LibrarySerializer, LibraryUploadSerializer
 from .utils import get_available_libraries, get_library, import_library_view
-class LibraryViewSet(viewsets.ModelViewSet):
+class LibraryViewSet(BaseModelViewSet):
     serializer_class = LibrarySerializer
     # solve issue with URN containing dot, see https://stackoverflow.com/questions/27963899/django-rest-framework-using-dot-in-url
     lookup_value_regex = r"[\w.:-]+"
-
-    def get_queryset(self) -> QuerySet:
-        return get_available_libraries()
+    model = Library
     def list(self, request, *args, **kwargs):
-        return Response({"results": self.get_queryset()})
+        if not RoleAssignment.has_permission(
+            user=request.user, codename="view_library"
+        ):
+            return Response(
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        return Response({"results": get_available_libraries()})
     def retrieve(self, request, *args, pk, **kwargs):
+        if not RoleAssignment.has_permission(
+            user=request.user, codename="view_library"
+        ):
+            return Response(
+                status=status.HTTP_403_FORBIDDEN,
+            )
         library = get_library(pk)
         return Response(library)