"""
Custom decorators for loan management system
Provides permission checking decorators for admin-only endpoints
Requirements: Security Requirements 1, 2, 3, 5
"""
from functools import wraps
from django.shortcuts import redirect
from django.contrib import messages
from django.http import JsonResponse


def admin_only(view_func):
    """
    Restrict a view to authenticated users whose ``is_admin()`` returns true.
    Requirements: Security Requirements 1, 2, 3

    The wrapper checks authentication itself, so anonymous requests are
    denied even when ``@login_required`` is omitted. Every denied request
    gets a flash message and a redirect; ``view_func`` is never called for it.

    NOTE(review): ``is_admin()`` is presumably a method on the project's user
    model -- confirm. With ``@login_required`` stacked outside as shown below,
    Django's own login redirect handles anonymous users first, so the
    "must be logged in" branch here acts as a fallback.

    Usage:
        @login_required
        @admin_only
        def my_admin_view(request):
            ...
    """
    @wraps(view_func)
    def guarded_view(request, *args, **kwargs):
        user = request.user

        # Authentication is tested first, so is_admin() is never called on a
        # user that is not logged in.
        if not user.is_authenticated:
            notice = 'You must be logged in to access this page.'
            destination = 'users:login'
        elif not user.is_admin():
            notice = 'You do not have permission to access this page.'
            destination = 'loans:dashboard'
        else:
            return view_func(request, *args, **kwargs)

        # Single deny path: flash the reason, then send the user elsewhere.
        messages.error(request, notice)
        return redirect(destination)

    return guarded_view


def admin_only_ajax(view_func):
    """
    Restrict an AJAX endpoint to authenticated users whose ``is_admin()`` is true.
    Requirements: Security Requirements 1, 2, 3

    Denials are returned as JSON rather than redirects: HTTP 401 when the
    user is not authenticated, HTTP 403 when the user is authenticated but
    not an admin. ``view_func`` is never called for a denied request.

    NOTE(review): with ``@login_required`` stacked outside as shown below,
    Django's ``login_required`` redirects anonymous requests before this
    wrapper runs, so clients only receive the JSON 401 when this decorator
    is the outermost authentication check. ``is_admin()`` is presumably a
    method on the project's user model -- confirm.

    Usage:
        @login_required
        @admin_only_ajax
        def my_admin_ajax_view(request):
            ...
    """
    @wraps(view_func)
    def guarded_view(request, *args, **kwargs):
        user = request.user

        # Authentication is tested first, so is_admin() is never called on a
        # user that is not logged in.
        if not user.is_authenticated:
            http_status = 401
            reason = 'Authentication required'
        elif not user.is_admin():
            http_status = 403
            reason = 'You do not have permission to perform this action'
        else:
            return view_func(request, *args, **kwargs)

        # Single deny path: same JSON envelope for both failure modes.
        return JsonResponse({
            'status': 'error',
            'message': reason
        }, status=http_status)

    return guarded_view


def permission_required_custom(permission_type, permission_action):
    """
    Build a decorator that gates a view on one specific permission.
    Requirements: Security Requirement 5

    The wrapped view runs only when the user is authenticated and
    ``request.user.has_permission(permission_type, permission_action)`` is
    truthy. Otherwise the user gets a flash message and a redirect, and the
    view is never called. The denial message echoes the two decorator
    arguments, which are fixed at decoration time and not taken from the
    request.

    NOTE(review): ``has_permission()`` is presumably defined on the project's
    user model -- confirm. With ``@login_required`` stacked outside as shown
    below, Django's own login redirect handles anonymous users first, so the
    "must be logged in" branch here acts as a fallback.

    Args:
        permission_type: Type of permission (e.g., 'loans', 'reports')
        permission_action: Action to check (e.g., 'edit', 'delete', 'view')

    Usage:
        @login_required
        @permission_required_custom('loans', 'edit')
        def edit_loan_view(request, pk):
            ...
    """
    def decorator(view_func):
        @wraps(view_func)
        def guarded_view(request, *args, **kwargs):
            user = request.user

            # Authentication is tested first, so has_permission() is never
            # called on a user that is not logged in.
            if not user.is_authenticated:
                notice = 'You must be logged in to access this page.'
                destination = 'users:login'
            elif not user.has_permission(permission_type, permission_action):
                notice = f'You do not have permission to {permission_action} {permission_type}.'
                destination = 'loans:dashboard'
            else:
                return view_func(request, *args, **kwargs)

            # Single deny path: flash the reason, then send the user elsewhere.
            messages.error(request, notice)
            return redirect(destination)

        return guarded_view
    return decorator


def permission_required_ajax(permission_type, permission_action):
    """
    Build a decorator that gates an AJAX endpoint on one specific permission.
    Requirements: Security Requirement 5

    Denials are returned as JSON rather than redirects: HTTP 401 when the
    user is not authenticated, HTTP 403 when
    ``request.user.has_permission(permission_type, permission_action)`` is
    falsy. ``view_func`` is never called for a denied request. The 403
    message echoes the two decorator arguments, which are fixed at
    decoration time and not taken from the request.

    NOTE(review): with ``@login_required`` stacked outside as shown below,
    Django's ``login_required`` redirects anonymous requests before this
    wrapper runs, so clients only receive the JSON 401 when this decorator
    is the outermost authentication check. ``has_permission()`` is presumably
    defined on the project's user model -- confirm.

    Args:
        permission_type: Type of permission (e.g., 'loans', 'reports')
        permission_action: Action to check (e.g., 'edit', 'delete', 'view')

    Usage:
        @login_required
        @permission_required_ajax('loans', 'edit')
        def edit_loan_ajax_view(request, pk):
            ...
    """
    def decorator(view_func):
        @wraps(view_func)
        def guarded_view(request, *args, **kwargs):
            user = request.user

            # Authentication is tested first, so has_permission() is never
            # called on a user that is not logged in.
            if not user.is_authenticated:
                http_status = 401
                reason = 'Authentication required'
            elif not user.has_permission(permission_type, permission_action):
                http_status = 403
                reason = f'You do not have permission to {permission_action} {permission_type}'
            else:
                return view_func(request, *args, **kwargs)

            # Single deny path: same JSON envelope for both failure modes.
            return JsonResponse({
                'status': 'error',
                'message': reason
            }, status=http_status)

        return guarded_view
    return decorator
