""" interview/permissions.py — Custom DRF permissions for the admin dashboard. """ from rest_framework.permissions import BasePermission class IsAdminRole(BasePermission): """ Allows access only to authenticated users with role='admin' or superusers. Used on all Dashboard-only endpoints to prevent regular students from accessing admin data even if they have a valid JWT. """ message = 'Acceso denegado. Se requiere rol de administrador.' def has_permission(self, request, view): if not request.user or not request.user.is_authenticated: return False return request.user.is_superuser or getattr(request.user, 'role', '') == 'admin'