refactor object write permissions
diff --git a/planetstack/core/models/user.py b/planetstack/core/models/user.py
index 60fd290..250b546 100644
--- a/planetstack/core/models/user.py
+++ b/planetstack/core/models/user.py
@@ -316,6 +316,52 @@
return False
+ def can_update_root(self):
+ """
+ Return True if user has root (global) write access.
+ """
+ if self.is_readonly:
+ return False
+ if self.is_admin:
+ return True
+
+ return False
+
+ def can_update_deployment(self, deployment):
+ from core.models.site import DeploymentPrivilege
+ if self.can_update_root():
+ return True
+
+ if DeploymentPrivilege.objects.filter(
+ deployment=deployment,
+ user=self,
+ role__role__in=['admin', 'Admin']):
+ return True
+ return False
+
+ def can_update_site(self, site, allow=[]):
+ from core.models.site import SitePrivilege
+ if self.can_update_root():
+ return True
+ if SitePrivilege.objects.filter(
+ site=site, user=self, role__role__in=['admin', 'Admin']+allow):
+ return True
+ return False
+
+ def can_update_slice(self, slice):
+ from core.models.slice import SlicePrivilege
+ if self.can_update_root():
+ return True
+ if self == slice.creator:
+ return True
+ if self.can_update_site(slice.site, allow=['pi']):
+ return True
+
+ if SlicePrivilege.objects.filter(
+ slice=slice, user=self, role__role__in=['admin', 'Admin']):
+ return True
+ return False
+
@staticmethod
def select_by_user(user):
if user.is_admin:
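Review bot: The `is_readonly` check in `can_update_root` only makes that one method return False; `can_update_deployment`, `can_update_site` and `can_update_slice` then fall through to their own checks, so a read-only account that holds an admin `DeploymentPrivilege`, `SitePrivilege` or `SlicePrivilege`, a site 'pi' role, or is `slice.creator` is still granted write access. If `is_readonly` is meant as a global deny (its definition is outside this hunk, so this is inferred), each of the three methods should begin with `if self.is_readonly: return False` before calling `can_update_root()`. Separately, `allow=[]` in `can_update_site` is a mutable default; it is not mutated here, but `allow=None` with `['admin', 'Admin'] + (allow or [])` avoids the trap. Using `.exists()` on the three querysets would also make the permission test a cheap existence query instead of evaluating the result set for truthiness.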