From d8b8234a3288c20b3e67569d8407e7cbb90420af Mon Sep 17 00:00:00 2001
From: Ankur
Date: Fri, 19 Jan 2024 14:28:21 +0100
Subject: [PATCH] Creation, Deletion and Update of Application implemented, it only works on own application
---
 src/{ => involvement}/customPermissions.py | 6 ++++++
 src/involvement/views/application_api.py | 9 ++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
 rename src/{ => involvement}/customPermissions.py (69%)
diff --git a/src/customPermissions.py b/src/involvement/customPermissions.py
similarity index 69%
rename from src/customPermissions.py
rename to src/involvement/customPermissions.py
index 6fe57201..3d201426 100644
--- a/src/customPermissions.py
+++ b/src/involvement/customPermissions.py
@@ -14,3 +14,9 @@ class ReadCreateUpdate(BasePermission):
 def has_permission(self, request, view):
 return True if request.method not in ["DELETE"] else False
+class OwnApplicationPermission(BasePermission):
+ """
+ Object-level permission to only allow updating his own profile
+ """
+ def has_object_permission(self, request, view, obj):
+ return obj.applicant == request.user
diff --git a/src/involvement/views/application_api.py b/src/involvement/views/application_api.py
index 90fd2373..b2332d2b 100644
--- a/src/involvement/views/application_api.py
+++ b/src/involvement/views/application_api.py
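Review bot: The docstring on `OwnApplicationPermission` speaks of updating "his own profile", but the check is `obj.applicant == request.user`, i.e. ownership of an application, and it is applied to every method, reads included. I would reword it to `"""Object-level permission: only the application's applicant may access it."""`. It is also worth a comment that the class defines only `has_object_permission`, which Django REST Framework consults for views that fetch a single object through `get_object()`, so list and create requests are not constrained by it.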
@@ -1,14 +1,17 @@
-from rest_framework import viewsets
+from rest_framework import viewsets, mixins
 from involvement.serializers.application_serializer import ApplicationSerializer
 from rest_framework.permissions import IsAuthenticated
 from involvement.models.application import Application
+from involvement.customPermissions import OwnApplicationPermission
 #Role view
-class ApplicationViewSet(viewsets.ReadOnlyModelViewSet):
+class ApplicationViewSet(viewsets.ModelViewSet):
 serializer_class = ApplicationSerializer
- permission_classes = [IsAuthenticated]
+ permission_classes = [IsAuthenticated, OwnApplicationPermission]
 def get_queryset(self):
 user = self.request.user
 queryset = Application.objects.filter(applicant=user)
 return queryset
+
+
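Review bot: Switching `ApplicationViewSet` to `viewsets.ModelViewSet` opens create, update and delete, but nothing visible in this hunk pins `applicant` to the caller on writes. `get_queryset` and `OwnApplicationPermission` only scope objects that already exist; if `ApplicationSerializer` (not shown here) leaves `applicant` writable, a client could create an application on behalf of another user or reassign one on update. Consider adding `def perform_create(self, serializer):` with `serializer.save(applicant=self.request.user)`, and the same in `perform_update`, or marking `applicant` read-only in the serializer. The newly imported `mixins` is not used in the lines shown.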