From ac3268748eed76c0ee69d774463bcf1947c2821a Mon Sep 17 00:00:00 2001
From: Egor fureunoir Gorbunov <contact@fureunoir.com>
Date: Thu, 29 May 2025 23:07:02 +0300
Subject: [PATCH] Features: 1) Add `get_queryset` method to filter queries
 based on user permissions;

Fixes: 1) None;

Extra: None;
---
 core/viewsets.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/viewsets.py b/core/viewsets.py
index 756edd55..2001618e 100644
--- a/core/viewsets.py
+++ b/core/viewsets.py
@@ -234,6 +234,15 @@ class OrderViewSet(EvibesViewSet):
         "remove_order_product": RemoveOrderProductSerializer,
     }
 
+    def get_queryset(self):
+        qs = super().get_queryset()
+        user = self.request.user
+
+        if user.has_perm("core.view_order"):
+            return qs
+
+        return qs.filter(user=user)
+
     @action(detail=False, methods=["get"], url_path="current")
     def current(self, request, *_args, **kwargs):
         if not request.user.is_authenticated: