From 7f87f83b807dd3a9e6812937bbfd3ae715f7754c Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Pasquier <contact@jbpasquier.eu>
Date: Fri, 23 Aug 2019 14:56:03 +0200
Subject: [PATCH] update: custom permissions for nested_field

---
 djangoldp_notification/models.py      |  2 ++
 djangoldp_notification/permissions.py | 38 +++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 djangoldp_notification/permissions.py

diff --git a/djangoldp_notification/models.py b/djangoldp_notification/models.py
index 5a02433..f47ebcb 100644
--- a/djangoldp_notification/models.py
+++ b/djangoldp_notification/models.py
@@ -16,6 +16,7 @@ from djangoldp.fields import LDPUrlField
 from djangoldp.models import Model
 
 from django.template import loader
+from .permissions import InboxPermissions
 
 
 class Notification(Model):
@@ -30,6 +31,7 @@ class Notification(Model):
     class Meta(Model.Meta):
         owner_field = 'user'
         ordering = ['-date']
+        permission_classes = [InboxPermissions]
         anonymous_perms = ['add']
         authenticated_perms = ['inherit']
         owner_perms = ['view', 'change', 'control']
diff --git a/djangoldp_notification/permissions.py b/djangoldp_notification/permissions.py
new file mode 100644
index 0000000..f013752
--- /dev/null
+++ b/djangoldp_notification/permissions.py
@@ -0,0 +1,38 @@
+from djangoldp.permissions import LDPPermissions
+
+
+class InboxPermissions(LDPPermissions):
+    def has_permission(self, request, view):
+        from djangoldp.models import Model
+
+        if self.is_a_container(request._request.path):
+            try:
+                """
+                If on nested field we use users permissions
+                """
+                obj = Model.resolve_parent(request.path)
+                model = view.parent_model
+
+                """
+                If still on nested field and request is post (/users/X/inbox/) we use notification permissions
+                """
+                if view.parent_model != view.model and request.method == 'POST':
+                    obj = None
+                    model = view.model
+            except:
+                """
+                Not on nested field we use notification permissions
+                """
+                obj = None
+                model = view.model
+        else:
+            obj = Model.resolve_id(request._request.path)
+            model = view.model
+
+        perms = self.get_permissions(request.method, model)
+
+        for perm in perms:
+            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, model, obj):
+                return False
+
+        return True
\ No newline at end of file