from rest_framework import permissions from django_filters.rest_framework import DjangoFilterBackend def get_user_club(user): """Helper to get club from user, checking profile.club first.""" if hasattr(user, 'profile') and user.profile and user.profile.club: return user.profile.club if hasattr(user, 'club') and user.club: return user.club return None class ClubFilterBackend(DjangoFilterBackend): """ Filter backend that automatically filters queries by the authenticated user's club. """ def filter_queryset(self, request, queryset, view): user = request.user if not user.is_authenticated: return queryset.none() club = get_user_club(user) if club is None: return queryset.none() if hasattr(queryset.model, 'club'): return queryset.filter(club=club) if hasattr(queryset.model, 'wrestler') and hasattr(queryset.model, 'training'): return queryset.filter(training__club=club) if hasattr(queryset.model, 'homework'): return queryset.filter(homework__club=club) return queryset class ClubLevelPermission(permissions.BasePermission): """ Permission class that ensures users can only access their own club's data. """ def has_permission(self, request, view): if not request.user or not request.user.is_authenticated: return False club = get_user_club(request.user) if club is None: return False return True def has_object_permission(self, request, view, obj): if not request.user or not request.user.is_authenticated: return False club = get_user_club(request.user) if club is None: return False obj_club = getattr(obj, 'club', None) if obj_club is None and hasattr(obj, 'training'): obj_club = getattr(obj.training, 'club', None) if obj_club is None and hasattr(obj, 'homework'): obj_club = getattr(obj.homework, 'club', None) if obj_club is None and hasattr(obj, 'wrestler'): obj_club = getattr(obj.wrestler, 'club', None) return obj_club == club