✨ GIS API: verify read-only permission

author: Étienne Loks <etienne.loks@iggdrasil.net> 2025-10-28 11:10:52 +0100
committer: Étienne Loks <etienne.loks@iggdrasil.net> 2025-10-28 15:32:37 +0100
commit: 47fed5b99a86ff0c491be041a173b31d256b98ff (patch)
tree: f55f31e62cc293ed860bf5462e0e4c131aad9f8c /ishtar_common/views_api.py
parent: b0584e863898569f63d53b4d5dd2df6b764d12e4 (diff)
download: Ishtar-47fed5b99a86ff0c491be041a173b31d256b98ff.tar.bz2
Ishtar-47fed5b99a86ff0c491be041a173b31d256b98ff.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/ishtar_common/views_api.py b/ishtar_common/views_api.py
index e0226811b..71bf921da 100644
--- a/ishtar_common/views_api.py
+++ b/ishtar_common/views_api.py
@@ -65,6 +65,8 @@ class GISSourceAPI(GISAPIView):
 
     def get(self, request, format=None):
         serializer = ImporterTypeSerializer(self.get_queryset(), many=True)
+        for source in serializer.data:
+            source["access_type"] = request.auth.access_type
         return Response(serializer.data)
 
 
@@ -143,6 +145,9 @@ class GISImportAPI(GISBaseImportView, GISAPIView):
         if not importer:
             return Response({"error": "Importer not found"},
                             status=status.HTTP_400_BAD_REQUEST)
+        if request.auth.access_type != "W":
+            return Response({"error": "No write permission"},
+                            status=status.HTTP_403_FORBIDDEN)
         data = {}
         for k in request.data:
             data[k] = request.data.get(k)
author	Étienne Loks <etienne.loks@iggdrasil.net>	2025-10-28 11:10:52 +0100
committer	Étienne Loks <etienne.loks@iggdrasil.net>	2025-10-28 15:32:37 +0100
commit	47fed5b99a86ff0c491be041a173b31d256b98ff (patch)
tree	f55f31e62cc293ed860bf5462e0e4c131aad9f8c /ishtar_common/views_api.py
parent	b0584e863898569f63d53b4d5dd2df6b764d12e4 (diff)
download	Ishtar-47fed5b99a86ff0c491be041a173b31d256b98ff.tar.bz2 Ishtar-47fed5b99a86ff0c491be041a173b31d256b98ff.zip