@osantana
Last active February 7, 2019 12:13
Usage Spike
# Permission table for the 'listing' resource: resource-level operations per
# profile, then per-field operations under `fields`.
# NOTE(review): the nesting indentation appears to have been lost on this page;
# presumably profiles sit under `permissions` / under each field name, and the
# operation names sit under each profile. Confirm against the original file.
# NOTE(review): the operation names here are plain strings. Presumably the
# loader maps them to READ / UPDATE / SET from the permissions module; an
# unrecognised name should be rejected rather than silently ignored. Confirm
# in the loader.
- resource: listing
- permissions:
- profile1:
- READ
- profile2:
- UPDATE
- fields:
- code:
- profile1:
- SET
from drf import fields
from permissions import READ, UPDATE, SET
# READ == read the value (duh!)
# UPDATE(list-of-values-or-none-for-all-values) == update the value (duh!*2)
# SET(list-of-values-or-none) == 'write once'. From None -> value
# UNSET(...) == remove info. From value -> None.
class OrderSerializer(OlistSerializer):
    """Order serializer sketch with resource-level and per-field permissions.

    The profiles used here are 'seller', 'store' and 'channel'. Each profile
    maps to a list of operations (READ, UPDATE, SET). UPDATE can be called
    with the values it covers, as the `status` field does.
    """

    class Meta:
        # Resource-wide operations per profile.
        permissions = {'seller': [READ], 'store': [UPDATE], 'channel': [READ]}

    # Row-level scoping (ownership access / queryset) is not decided here;
    # it is to be handled at the Resource level.

    # --- fields ---
    # allow() is written assuming a deny-all default, so a profile with no
    # applicable entry gets nothing. The alternative floated for this spike
    # (allow-all plus a deny() decorator) would expose any field whose rule
    # is forgotten, so deny-all is the safer of the two defaults.
    code = allow(
        fields.CharField(...),
        # 'store' may READ and SET (write once: None -> value). Profiles not
        # listed fall back to the resource permissions, e.g. 'channel': [READ].
        # NOTE(review): 'store' has [UPDATE] in Meta and [READ, SET] here. The
        # spike does not say whether a field entry replaces the Meta entry or
        # is merged with it; if merged, `code` would stay updatable by store.
        # Pin the precedence down explicitly.
        permissions={'store': [READ, SET]},
    )

    channel_code = allow(
        fields.CharField(...),
        permissions={'channel': [SET]},
    )

    status = allow(
        fields.OptionField(...),
        permissions={
            # presumably limits 'channel' to writing these three values only;
            # confirm against the UPDATE implementation
            'channel': [UPDATE('created', 'approved', 'canceled')],
            # fake case, included just for illustration
            'seller': [UPDATE('invoiced')],
        },
    )
class ListingSerializer(OlistSerializer):
    """Listing serializer sketch whose permission table is read from config."""

    class Meta:
        # Permissions come from the 'listing' section of config.yml rather
        # than from a literal dict.
        # NOTE(review): load() is not shown here. Confirm that it fails closed
        # (grants nothing) when the file or the section is missing, that any
        # YAML parsing uses a safe loader, and that the relative path resolves
        # to the intended file regardless of the working directory.
        permissions = load('config.yml', 'listing')