From b2580dc37ca4b744feb6e14468715f42d6f1486e Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Fri, 23 Jan 2015 23:11:18 -0400
Subject: [PATCH] Add access control check to the APIDocumentMetadataListView API view, add docstrings for the get and post methods
---
 mayan/apps/metadata/api_views.py | 33 +++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/mayan/apps/metadata/api_views.py b/mayan/apps/metadata/api_views.py
index 1d3c0a3310..f76f11f546 100644
--- a/mayan/apps/metadata/api_views.py
+++ b/mayan/apps/metadata/api_views.py
@@ -81,13 +81,40 @@ class APIMetadataTypeView(generics.RetrieveUpdateDestroyAPIView):
 class APIDocumentMetadataListView(generics.ListCreateAPIView):
 permission_classes = (MayanPermission,)
 serializer_class = DocumentMetadataSerializer
- mayan_view_permissions = {'POST': [PERMISSION_METADATA_DOCUMENT_ADD]}
+
+ def get_document(self):
+ return get_object_or_404(Document, pk=self.kwargs['document_pk'])
 def get_queryset(self):
- return DocumentMetadata.objects.filter(document=self.kwargs['document_pk'])
+ document = self.get_document()
+
+ if self.request == 'GET':
+ # Make sure the use has the permission to see the metadata for this document
+ try:
+ Permission.objects.check_permissions(self.request.user, [PERMISSION_METADATA_DOCUMENT_VIEW])
+ except PermissionDenied:
+ AccessEntry.objects.check_access(PERMISSION_METADATA_DOCUMENT_VIEW, self.request.user, document)
+ else:
+ return document.metadata.all()
+ elif self.request == 'POST':
+ # Make sure the use has the permission to add metadata to this document
+ try:
+ Permission.objects.check_permissions(self.request.user, [PERMISSION_METADATA_DOCUMENT_ADD])
+ except PermissionDenied:
+ AccessEntry.objects.check_access(PERMISSION_METADATA_DOCUMENT_ADD, self.request.user, document)
+ else:
+ return document.metadata.all()
 def pre_save(self, serializer):
- serializer.document = Document.objects.get(pk=self.kwargs['document_pk'])
+ serializer.document = self.get_document()
+
+ def get(self, *args, **kwargs):
+ """Returns a list of selected document's metadata types and values."""
+ return super(APIDocumentMetadataListView, self).get(*args, **kwargs)
+
+ def post(self, *args, **kwargs):
+ """Add an existing metadata type and value to the selected document."""
+ return super(APIDocumentMetadataListView, self).post(*args, **kwargs)
 class APIDocumentMetadataView(generics.RetrieveUpdateDestroyAPIView):
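Review bot: In get_queryset the new branches test `self.request == 'GET'` and `self.request == 'POST'`, which compare the request object itself with a string; unless the request type defines such an equality, neither branch runs, so the permission and ACL checks are skipped and the method returns None. The comparison should be on `self.request.method`. The `return document.metadata.all()` also appears to sit in the `else:` of the try (indentation is lost on this page), in which case a user admitted through the `AccessEntry.objects.check_access` fallback gets no queryset either. Because this commit removes `mayan_view_permissions` for POST, confirm that the create path actually reaches get_queryset; if it does not, the add check belongs in `pre_save` or `post`, otherwise POST is left without a permission check. A flattened version of the method is sketched below.

```python
    def get_queryset(self):
        document = self.get_document()

        # POST needs the add permission; every other method is held to the view permission.
        if self.request.method == 'POST':
            permission = PERMISSION_METADATA_DOCUMENT_ADD
        else:
            permission = PERMISSION_METADATA_DOCUMENT_VIEW

        try:
            Permission.objects.check_permissions(self.request.user, [permission])
        except PermissionDenied:
            # Fall back to the per-document ACL; presumably raises PermissionDenied when access is refused.
            AccessEntry.objects.check_access(permission, self.request.user, document)

        # Reached only when one of the two checks above passed.
        return document.metadata.all()
```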