From 03c9874f63ec7482f98d47aeedf15d91e1b5e4a7 Mon Sep 17 00:00:00 2001
From: Egor fureunoir Gorbunov <contact@fureunoir.com>
Date: Thu, 29 May 2025 23:14:32 +0300
Subject: [PATCH] Features: 1) Add permission-aware `get_queryset` method to
 OrderProductViewSet; 2) Add permission-aware `get_queryset` method to
 PromoCodeViewSet;

Fixes: None;

Extra: None;
---
 core/viewsets.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/core/viewsets.py b/core/viewsets.py
index 10647fea..af3a123a 100644
--- a/core/viewsets.py
+++ b/core/viewsets.py
@@ -377,6 +377,15 @@ class OrderProductViewSet(EvibesViewSet):
         "list": OrderProductSimpleSerializer,
     }
 
+    def get_queryset(self):
+        qs = super().get_queryset()
+        user = self.request.user
+
+        if user.has_perm("core.view_orderproduct"):
+            return qs
+
+        return qs.filter(user=user)
+
 
 class ProductImageViewSet(EvibesViewSet):
     queryset = ProductImage.objects.all()
@@ -397,6 +406,15 @@ class PromoCodeViewSet(EvibesViewSet):
         "list": PromoCodeSimpleSerializer,
     }
 
+    def get_queryset(self):
+        qs = super().get_queryset()
+        user = self.request.user
+
+        if user.has_perm("core.view_promocode"):
+            return qs
+
+        return qs.filter(user=user)
+
 
 class PromotionViewSet(EvibesViewSet):
     queryset = Promotion.objects.all()