from rest_framework.permissions import BasePermission


# ---------------------------------------------------------------------------
# Utility: resolve the gym owner for any user
# ---------------------------------------------------------------------------

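def get_gym_owner(user):
    """
    Return the gym-owner User that scopes data access for ``user``.

    - Superusers → return the user itself. Any "see everything" behaviour is
      implemented by the callers' querysets, not by this function.
    - Owners / admins ARE the gym → return themselves.
    - Staff / members → return ``user.gym`` (the owner who created them).

    Returns ``None`` when no owner can be resolved: ``user`` is ``None``, has
    no ``role`` attribute (e.g. an anonymous user), or has no ``gym`` set.

    NOTE(review): callers should treat ``None`` as "no tenant" and deny access
    or return an empty queryset. Passing ``None`` straight into an ORM filter
    would match rows whose owner column is NULL instead of matching nothing —
    confirm how each caller handles it.
    """
    if user is None:
        return None
    if user.is_superuser:
        return user
    # Read ``role`` defensively, as the permission classes in this module do,
    # so a user object without the attribute resolves to "no gym" rather than
    # raising AttributeError.
    if getattr(user, "role", None) in ("owner", "admin"):
        return user
    return getattr(user, "gym", None)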


# ---------------------------------------------------------------------------
# Granular permission classes
# ---------------------------------------------------------------------------

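class IsGymStaff(BasePermission):
    """Any authenticated gym staff (owner, admin, manager, trainer, front_desk).

    This is a view-level, role-only check: it does not verify that the data
    being accessed belongs to the caller's gym. Only ``has_permission`` is
    defined here, so per-object tenant scoping has to come from the view's
    queryset or from a separate object-level permission.
    """

    # Roles accepted by this permission; superusers are accepted regardless of role.
    STAFF_ROLES = {"owner", "admin", "manager", "trainer", "front_desk"}

    def has_permission(self, request, view):
        """Return True if the requester is authenticated and is staff or a superuser."""
        user = request.user
        # bool() keeps the result a strict True/False even when request.user
        # is None, instead of leaking the falsy operand to the caller.
        return bool(
            user
            and user.is_authenticated
            and (
                getattr(user, "role", None) in self.STAFF_ROLES
                or user.is_superuser
            )
        )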


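class IsGymOwnerOrManager(BasePermission):
    """Only gym owner, admin, or manager — for sensitive ops like billing, staff management.

    This is a view-level, role-only check: it does not verify that the target
    record belongs to the caller's gym. Only ``has_permission`` is defined
    here, so per-object tenant scoping has to come from the view's queryset
    or from a separate object-level permission.
    """

    # Roles accepted by this permission; superusers are accepted regardless of role.
    ALLOWED = {"owner", "admin", "manager"}

    def has_permission(self, request, view):
        """Return True if the requester is authenticated and is owner/admin/manager or a superuser."""
        user = request.user
        # bool() keeps the result a strict True/False even when request.user
        # is None, instead of leaking the falsy operand to the caller.
        return bool(
            user
            and user.is_authenticated
            and (
                getattr(user, "role", None) in self.ALLOWED
                or user.is_superuser
            )
        )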


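class IsGymOwner(BasePermission):
    """Only the gym owner or admin — for the most sensitive ops (settings, packages, deleting staff).

    This is a view-level, role-only check: an owner/admin of any gym passes
    it. Only ``has_permission`` is defined here, so confirming that the
    target object belongs to the caller's own gym has to come from the view's
    queryset or from a separate object-level permission.
    """

    # Roles accepted by this permission; superusers are accepted regardless of role.
    ALLOWED = {"owner", "admin"}

    def has_permission(self, request, view):
        """Return True if the requester is authenticated and is owner/admin or a superuser."""
        user = request.user
        # bool() keeps the result a strict True/False even when request.user
        # is None, instead of leaking the falsy operand to the caller.
        return bool(
            user
            and user.is_authenticated
            and (
                getattr(user, "role", None) in self.ALLOWED
                or user.is_superuser
            )
        )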
