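from django.utils.translation import gettext as _
from rest_framework import permissions, status, viewsets
from rest_framework.response import Response

from apps.bookings.models import Booking
from apps.payments.models import Payment
from apps.payments.serializers import PaymentCreateSerializer, PaymentSerializer


def user_can_access_booking(user, booking: Booking) -> bool:
    """Return True if ``user`` is allowed to act on ``booking``.

    The rules mirror ``PaymentViewSet.get_queryset`` and must stay in sync
    with it:

    * superusers and users whose ``role`` is ``"admin"`` may access any booking;
    * ``"manager"`` may access bookings of salons they own;
    * ``"staff"`` may access bookings assigned to them (``booking.staff.user``);
    * anyone else may access only bookings where they are the customer.
    """
    if getattr(user, "is_superuser", False) or user.role == "admin":
        return True
    if user.role == "manager":
        return booking.salon.owner_id == user.id
    if user.role == "staff":
        # A booking with no assigned staff is not accessible to staff users.
        # ``bool(...)`` keeps the declared ``-> bool`` contract: the original
        # returned ``None`` (the raw ``staff_id``) when no staff was assigned.
        return bool(booking.staff_id) and booking.staff.user_id == user.id
    return booking.customer_id == user.id


class PaymentViewSet(viewsets.ModelViewSet):
    """Payment endpoints scoped to the requesting user's role.

    ``get_queryset`` limits list/detail/update/delete to payments the user
    may see; ``create`` additionally checks the target booking with
    ``user_can_access_booking`` before a payment record is written.

    NOTE(review): as a ``ModelViewSet`` this also exposes PUT/PATCH/DELETE on
    every payment in the caller's queryset (e.g. a customer on their own
    payments). Whether that is acceptable depends on which
    ``PaymentSerializer`` fields are writable, which is not visible here —
    confirm, or restrict ``http_method_names`` if payments must be immutable
    from the API.
    """

    permission_classes = [permissions.IsAuthenticated]

    def get_queryset(self):
        """Return the payments visible to the current user, newest first.

        Same role rules as ``user_can_access_booking``; the role filter is
        applied at the database level so detail routes 404 for anything
        outside the caller's scope.
        """
        user = self.request.user
        if getattr(user, "is_superuser", False) or user.role == "admin":
            qs = Payment.objects.all()
        elif user.role == "manager":
            qs = Payment.objects.filter(booking__salon__owner=user)
        elif user.role == "staff":
            qs = Payment.objects.filter(booking__staff__user=user)
        else:
            qs = Payment.objects.filter(booking__customer=user)
        return qs.order_by("-created_at")

    def get_serializer_class(self):
        """Use ``PaymentCreateSerializer`` for POST, ``PaymentSerializer`` otherwise."""
        if self.action == "create":
            return PaymentCreateSerializer
        return PaymentSerializer

    def create(self, request, *args, **kwargs):
        """Create a payment record for a booking the caller may access.

        Responses: 400 on invalid input (raised by the serializer), 404 if the
        booking does not exist, 403 if the caller may not act on the booking,
        201 with a summary of the new payment on success.
        """
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        booking_id = serializer.validated_data["booking_id"]
        try:
            # user_can_access_booking reads booking.salon and booking.staff;
            # fetch them in the same query instead of two lazy lookups.
            booking = Booking.objects.select_related("salon", "staff").get(id=booking_id)
        except Booking.DoesNotExist:
            # An unknown booking id previously escaped as an unhandled
            # DoesNotExist (HTTP 500); answer with a proper 404 instead.
            return Response({"detail": _("Booking not found")}, status=status.HTTP_404_NOT_FOUND)
        if not user_can_access_booking(request.user, booking):
            # NOTE(review): answering 403 here but 404 above lets a caller
            # confirm that a booking id exists. Return 404 for both if
            # booking-id enumeration is a concern.
            return Response({"detail": _("Not allowed")}, status=status.HTTP_403_FORBIDDEN)
        payment = serializer.save()
        return Response(
            {
                "detail": _("Payment record created. Provider integration pending."),
                "payment_id": payment.id,
                "amount": str(payment.amount),
                "currency": payment.currency,
                "status": payment.status,
            },
            status=status.HTTP_201_CREATED,
        )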