Initial commit: WrestleDesk full project

- Django backend with DRF (clubs, wrestlers, trainers, exercises, templates, trainings, homework, locations, leistungstest) - Next.js 16 frontend with React, Shadcn UI, Tailwind - JWT authentication - Full CRUD for all entities - Calendar view for trainings - Homework management system - Leistungstest tracking
2026-03-26 13:24:57 +01:00
commit 3fefc550fe
256 changed files with 38295 additions and 0 deletions
@@ -0,0 +1,75 @@
+from rest_framework import permissions
+from django_filters.rest_framework import DjangoFilterBackend
+
+
+def get_user_club(user):
+    """Helper to get club from user, checking profile.club first."""
+    if hasattr(user, 'profile') and user.profile and user.profile.club:
+        return user.profile.club
+    if hasattr(user, 'club') and user.club:
+        return user.club
+    return None
+
+
+class ClubFilterBackend(DjangoFilterBackend):
+    """
+    Filter backend that automatically filters queries by the authenticated user's club.
+    """
+
+    def filter_queryset(self, request, queryset, view):
+        user = request.user
+
+        if not user.is_authenticated:
+            return queryset.none()
+
+        club = get_user_club(user)
+        if club is None:
+            return queryset.none()
+
+        if hasattr(queryset.model, 'club'):
+            return queryset.filter(club=club)
+
+        if hasattr(queryset.model, 'wrestler') and hasattr(queryset.model, 'training'):
+            return queryset.filter(training__club=club)
+
+        if hasattr(queryset.model, 'homework'):
+            return queryset.filter(homework__club=club)
+
+        return queryset
+
+
+class ClubLevelPermission(permissions.BasePermission):
+    """
+    Permission class that ensures users can only access their own club's data.
+    """
+
+    def has_permission(self, request, view):
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        club = get_user_club(request.user)
+        if club is None:
+            return False
+
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        club = get_user_club(request.user)
+        if club is None:
+            return False
+
+        obj_club = getattr(obj, 'club', None)
+
+        if obj_club is None and hasattr(obj, 'training'):
+            obj_club = getattr(obj.training, 'club', None)
+
+        if obj_club is None and hasattr(obj, 'homework'):
+            obj_club = getattr(obj.homework, 'club', None)
+
+        if obj_club is None and hasattr(obj, 'wrestler'):
+            obj_club = getattr(obj.wrestler, 'club', None)
+
+        return obj_club == club