permissions: create a PatchDetailPermission to allow non delegate users to edit it

Signed-off-by: andrepapoti <andrepapoti@gmail.com>

Author: andrepapoti

patchwork/api/patch.py

@@ -17,6 +17,7 @@
 from rest_framework.relations import RelatedField
 from rest_framework.reverse import reverse
 from rest_framework.serializers import SerializerMethodField
+from rest_framework import permissions
 from rest_framework import status
 
 from patchwork.api.base import BaseHyperlinkedModelSerializer
@@ -30,6 +31,7 @@
 from patchwork.models import Patch
 from patchwork.models import PatchRelation
 from patchwork.models import State
+from patchwork.models import User
 from patchwork.parser import clean_subject
 
 
@@ -373,6 +375,26 @@ def get_queryset(self):
         )
 
 
+class PatchDetailPermission(permissions.BasePermission):
+    non_delegate_editable_fields = set(['planning_to_review'])
+
+    def has_object_permission(self, request, view, obj):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+
+        data = request.data
+
+        if set(data.keys()).issubset(self.non_delegate_editable_fields):
+            user_id = data['planning_to_review'][0]['user']
+            reviewing_user = User.objects.get(id=user_id)
+            if request.user == reviewing_user:
+                return True
+            detail = "Only the user can declare it's own intention to reviewing a patch"
+            raise PermissionDenied(detail=detail)
+        else:
+            return obj.is_editable(request.user)
+
+
 class PatchDetail(RetrieveUpdateAPIView):
     """
     get:
@@ -385,7 +407,7 @@ class PatchDetail(RetrieveUpdateAPIView):
     Update a patch.
     """
 
-    permission_classes = (PatchworkPermission,)
+    permission_classes = (PatchDetailPermission,)
     serializer_class = PatchDetailSerializer
 
     def get_queryset(self):