From 066804db26b795f7a10d41ddc278924139ee1916 Mon Sep 17 00:00:00 2001
From: Hironsan
Date: Wed, 22 Dec 2021 08:07:33 +0900
Subject: [PATCH] Add CanEditAnnotation permission
---
 backend/api/permissions.py | 14 ++++++++++++++
 backend/api/views/tasks/base.py | 8 ++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/backend/api/permissions.py b/backend/api/permissions.py
index ee03e973..63e9f4b1 100644
--- a/backend/api/permissions.py
+++ b/backend/api/permissions.py
@@ -47,6 +47,20 @@ class IsOwnAnnotation(ProjectMixin, BasePermission):
 return annotation.exists()
+class CanEditAnnotation(ProjectMixin, BasePermission):
+
+ def __init__(self, queryset):
+ super().__init__()
+ self.queryset = queryset
+
+ def has_permission(self, request, view):
+ if request.user.is_superuser:
+ return True
+
+ annotation_id = view.kwargs.get('annotation_id')
+ return self.queryset.filter(id=annotation_id, user=request.user).exists()
+
+
 class IsOwnComment(ProjectMixin, BasePermission):
 @classmethod
 def has_object_permission(cls, request, view, obj):
diff --git a/backend/api/views/tasks/base.py b/backend/api/views/tasks/base.py
index ebcf22ff..af259a74 100644
--- a/backend/api/views/tasks/base.py
+++ b/backend/api/views/tasks/base.py
@@ -1,3 +1,5 @@
+from functools import partial
+
 from django.core.exceptions import ValidationError
 from django.shortcuts import get_object_or_404
 from rest_framework import generics, status
@@ -5,7 +7,7 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from ...models import Project
-from ...permissions import IsInProjectOrAdmin, IsOwnAnnotation
+from ...permissions import CanEditAnnotation, IsInProjectOrAdmin
 class BaseListAPI(generics.ListCreateAPIView):
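Review bot: In `CanEditAnnotation.has_permission` (backend/api/permissions.py) the ownership lookup `self.queryset.filter(id=annotation_id, user=request.user)` is not tied to the project in the URL, although the class inherits `ProjectMixin`. Unless the view's own object lookup is scoped to that project (not visible in this patch), a member of one project would pass this check with an annotation they own in a different project. The filter should also constrain the annotation to the project and example taken from `view.kwargs`. The `is_superuser` shortcut skips the ownership check in every project, so the class should carry a docstring that states it, for example `"""Allow superusers, otherwise only the user who created the annotation."""`.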
@@ -53,5 +55,7 @@ class BaseDetailAPI(generics.RetrieveUpdateDestroyAPIView):
 if self.project.collaborative_annotation:
 self.permission_classes = [IsAuthenticated & IsInProjectOrAdmin]
 else:
- self.permission_classes = [IsAuthenticated & IsInProjectOrAdmin & IsOwnAnnotation]
+ self.permission_classes = [
+ IsAuthenticated & IsInProjectOrAdmin & partial(CanEditAnnotation, self.queryset)
+ ]
 return super().get_permissions()
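Review bot: `partial(CanEditAnnotation, self.queryset)` reads the view's class-level `queryset` attribute directly, so a subclass of `BaseDetailAPI` that supplies its rows through `get_queryset()` instead would hand `None` to the permission. `has_permission` would then raise an AttributeError on `.filter`, and the request would fail with an unhandled error rather than a clean permission denial. Whether any subclass does this is not visible in the patch. Passing `partial(CanEditAnnotation, self.get_queryset())` keeps the ownership check on the same rows the view serves. `get_permissions` begins above this hunk, so the rest of its body was not reviewed.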