codebox/backend_legacy/backend/permissions.py

from rest_framework import permissions
from backend.models import SnippetParticipant


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user


class IsAccessedOrDeny(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if obj.owner == request.user:
            return True
        allowed_users = SnippetParticipant.objects.filter(snippet=obj)
        return request.user in [i.user for i in allowed_users]