From 48b84dc1d645d716dd63e1f2619df5a53d770b42 Mon Sep 17 00:00:00 2001
From: Alexey Kudelko
Date: Wed, 20 Mar 2024 15:01:21 +0300
Subject: [PATCH] permissions added
---
 project_rates/views.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/project_rates/views.py b/project_rates/views.py
index 00ea77d2..4be73c61 100644
--- a/project_rates/views.py
+++ b/project_rates/views.py
@@ -16,6 +16,7 @@
 ProjectScoreCreateSerializer,
 ProjectScoreGetSerializer,
 )
+from users.models import Expert
 from users.permissions import IsExpert, IsExpertPost
 User = get_user_model()
@@ -33,6 +34,9 @@ def get_needed_data(self) -> tuple[dict, list[int]]:
 criteria_to_get = [
 criterion["criterion_id"] for criterion in data
 ] # is needed for validation later
+
+ Expert.objects.get(user__id=user_id, programs__criterias__id=criteria_to_get[0])
+
 for criterion in data:
 criterion["user"] = user_id
 criterion["project"] = project_id
@@ -57,7 +61,11 @@ def create(self, request, *args, **kwargs) -> Response:
 )
 return Response({"success": True}, status=status.HTTP_201_CREATED)
-
+ except Expert.DoesNotExist:
+ return Response(
+ {"error": "you have no permission to rate this program"},
+ status=status.HTTP_403_FORBIDDEN,
+ )
 except Exception as e:
 return Response({"error": str(e)}, status=status.HTTP_400_BAD_REQUEST)
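Review bot: The permission lookup added in get_needed_data tests only `criteria_to_get[0]`, so every other criterion id in the same request is processed without being tied to a program this expert is assigned to, and an empty payload raises IndexError on the subscript before any check runs. Check each submitted id instead, for example `if not all(Expert.objects.filter(user__id=user_id, programs__criterias__id=cid).exists() for cid in set(criteria_to_get)): raise Expert.DoesNotExist`, and reject an empty list explicitly. The hunk does not show where `user_id` and `project_id` come from, so confirm they are taken from the authenticated request and that the project belongs to the same program. get_needed_data starts and ends outside the hunk.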
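Review bot: The 403 branch in create only covers `Expert.DoesNotExist`; if the join in `Expert.objects.get(...)` can match more than one row, `Expert.MultipleObjectsReturned` falls through to `except Exception` and a legitimate expert gets a 400 carrying `str(e)`. Either catch both or have the check use `.filter(...).exists()` and return the 403 from an explicit condition. Because the handler wraps the whole try body, any other Expert lookup inside it that misses would also be reported as a permission failure, and the hunk does not show that get_needed_data is called inside this try. A comment above the branch such as `# raised by the expert/program check in get_needed_data` would make the coupling visible.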