From 876e131f23ca03ec7676092c8eec53f321ab461f Mon Sep 17 00:00:00 2001
From: Olga Komleva
Date: Thu, 9 Nov 2023 18:41:58 +0300
Subject: [PATCH] create for projects
---
 backend/api/permissions.py | 26 ++++++++++++++++++++++----
 backend/api/serializers.py | 1 +
 backend/api/views.py | 28 +++++++++++++++++-----------
 3 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/backend/api/permissions.py b/backend/api/permissions.py
index ddabbd5..23fb899 100644
--- a/backend/api/permissions.py
+++ b/backend/api/permissions.py
@@ -10,8 +10,9 @@ def has_permission(self, request, view):
 return request.user.is_authenticated and request.user.is_admin
-class IsOrganizer(BasePermission):
- """Разрешает доступ только пользователям с ролью организатор."""
+class IsOrganizerOrReadOnly(BasePermission):
+ """Разрешает доступ для безопасных методов всем,
+ а для остальных только пользователям с ролью организатор."""
 def has_permission(self, request, view):
 return request.method in SAFE_METHODS or (
@@ -20,6 +21,17 @@ def has_permission(self, request, view):
 )
+class IsOrganizer(BasePermission):
+ """Разрешает доступ только пользователям с ролью организатор."""
+
+ def has_permission(self, request, view):
+ return bool(
+ request.user
+ and request.user.is_authenticated
+ and request.user.role == User.ORGANIZER
+ )
+
+
 class IsOrganizerOfProject(BasePermission):
 """
 Разрешает доступ только организатору проекта.
@@ -32,9 +44,15 @@ def has_object_permission(self, request, view, obj):
 class IsVolunteer(BasePermission):
 """Разрешает доступ только пользователям с ролью волонтер."""
+ # def has_permission(self, request, view):
+ # return (
+ # request.user.is_authenticated
+ # and request.user.role == User.VOLUNTEER
+ # )
 def has_permission(self, request, view):
- return (
- request.user.is_authenticated
+ return bool(
+ request.user
+ and request.user.is_authenticated
 and request.user.role == User.VOLUNTEER
 )
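Review bot: The new `IsOrganizer` keeps the old class name but no longer lets safe methods through, so every view that still lists it changes behaviour without being touched by this commit. In the visible diff only `ProjectViewSet` moves to `IsOrganizerOrReadOnly`; `ProjectMeViewSet` keeps `IsOrganizer | IsVolunteer` and now rejects anonymous reads, which looks intended but is not stated anywhere. I would make the docstring explicit, for example `"""Allows access only to authenticated organizers, for safe methods as well."""`, and add one permission test per role (anonymous, volunteer, organizer) for each view that uses the class.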
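Review bot: The previous `has_permission` body is kept in `IsVolunteer` as a commented-out block directly above the live method, so the class shows two versions of the same check and a reader has to work out which one is enforced. The history already preserves the old version, so the five `#` lines can simply be deleted. The same applies to the commented-out `PermissionDenied` import, the old `create` method, the `# parmission_classes = AllowAny` line and the `raise PermissionDenied(...)` block in backend/api/views.py.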
diff --git a/backend/api/serializers.py b/backend/api/serializers.py
index e820ed1..0215fe7 100644
--- a/backend/api/serializers.py
+++ b/backend/api/serializers.py
@@ -281,6 +281,7 @@ class Meta:
 'status_approve',
 'skills',
 )
+ read_only_fields = ('organization',)
 class TagSerializer(serializers.ModelSerializer):
diff --git a/backend/api/views.py b/backend/api/views.py
index f5259f6..28ed066 100644
--- a/backend/api/views.py
+++ b/backend/api/views.py
@@ -4,7 +4,7 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import filters, generics, mixins, status, viewsets
 from rest_framework.decorators import action
-from rest_framework.exceptions import PermissionDenied
+# from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, AllowAny
 from rest_framework.response import Response
 from taggit.models import Tag
@@ -40,6 +40,7 @@
 from .permissions import (
 IsOrganizer,
 IsOrganizerOfProject,
+ IsOrganizerOrReadOnly,
 IsVolunteer,
 IsVolunteerOfIncomes,
 )
@@ -120,6 +121,7 @@ class FeedbackCreateView(generics.CreateAPIView):
 queryset = Feedback.objects.all()
 serializer_class = FeedbackSerializer
+ permission_classes = (AllowAny,)
 class ProjectViewSet(viewsets.ModelViewSet):
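Review bot: `read_only_fields = ('organization',)` only affects fields that `ModelSerializer` builds on its own; if `organization` is also declared explicitly on this serializer (the class body starts outside the hunk), DRF ignores the entry and the field stays writable. In that case put `read_only=True` on the field declaration instead. This matters mostly for PUT/PATCH: `perform_create` in views.py overwrites the value on create, but nothing visible does the same on update, so the read-only flag is what keeps an organizer from moving a project to another organization. A test that sends a foreign `organization` id on update and asserts the project's organization is unchanged would pin this down.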
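Review bot: `permission_classes = (AllowAny,)` makes `FeedbackCreateView` an unauthenticated write endpoint, and nothing in the hunk limits how often it can be called. If no global throttle is configured in settings (not visible here), add one on the view, e.g. `throttle_classes = (AnonRateThrottle,)` with a matching rate in `DEFAULT_THROTTLE_RATES`, so that the feedback table cannot be filled by an automated client. A comment next to the attribute stating that anonymous submission is intentional would also help the next reviewer.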
@@ -135,19 +137,22 @@ class ProjectViewSet(viewsets.ModelViewSet):
 # serializer_class = ProjectSerializer
 filter_backends = [DjangoFilterBackend]
 filterset_class = ProjectFilter
- permission_classes = [IsOrganizer]
+ permission_classes = [IsOrganizerOrReadOnly]
 def get_serializer_class(self):
 if self.request.method in SAFE_METHODS:
 return ProjectGetSerializer
 return ProjectSerializer
- def create(self, request, *args, **kwargs):
- serializer = self.get_serializer(data=request.data)
- if serializer.is_valid():
- self.perform_create(serializer)
- return Response(serializer.data, status=status.HTTP_201_CREATED)
- return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+ def perform_create(self, serializer):
+ serializer.save(organization=self.request.user.organization)
+
+ # def create(self, request, *args, **kwargs):
+ # serializer = self.get_serializer(data=request.data)
+ # if serializer.is_valid():
+ # self.perform_create(serializer)
+ # return Response(serializer.data, status=status.HTTP_201_CREATED)
+ # return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 def update(self, request, *args, **kwargs):
 instance = self.get_object()
@@ -437,6 +442,7 @@ class ProjectMeViewSet(viewsets.GenericViewSet, mixins.ListModelMixin):
 filter_backends = [DjangoFilterBackend]
 filterset_class = StatusProjectFilter
 permission_classes = [IsOrganizer | IsVolunteer]
+ # parmission_classes = AllowAny
 def get_queryset(self):
 if self.request.user.is_volunteer:
@@ -464,9 +470,9 @@ def get_queryset(self):
 # return Project.objects.filter(organization=organization)
 # добавила иначе ошибка если заходить администратором
- raise PermissionDenied(
- detail='Вы не являетесь волонтером или организатором'
- )
+ # raise PermissionDenied(
+ # detail='Вы не являетесь волонтером или организатором'
+ # )
 @swagger_auto_schema(
 manual_parameters=schemas.status_project_filter_params
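Review bot: `permission_classes = [IsOrganizerOrReadOnly]` authorises unsafe requests by role only, so nothing in this hunk ties a PUT, PATCH or DELETE to the project's own organization; `IsOrganizerOfProject` is imported in this file but not listed here. Unless `update` (its body continues outside the hunk) or `destroy` checks ownership itself, a project could be changed or deleted by an organizer from a different organization. One way to close this is a `get_permissions` override that returns `[IsOrganizerOrReadOnly(), IsOrganizerOfProject()]` for methods outside `SAFE_METHODS`, backed by a test in which organizer A receives 403 on organizer B's project. Separately, `self.request.user.organization` in `perform_create` presumably raises when an organizer account has no organization attached; that case should produce a 4xx response rather than a 500.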
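Review bot: Commenting out `raise PermissionDenied(...)` leaves `get_queryset` without a return on the path where the user is neither volunteer nor organizer, so as far as the hunk shows the method yields `None` there and the list action would fail with a server error instead of a clean denial. The stricter `IsOrganizer | IsVolunteer` check should stop such users before this point, but the method (it starts outside the hunk) is safer if it fails closed by itself. Either keep the `raise` together with its import, or end the method with `return Project.objects.none()`.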