2020-03-31 02:16:30 +00:00
|
|
|
# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-04-25 23:20:46 +00:00
|
|
|
from datetime import date
|
2020-03-31 02:16:30 +00:00
|
|
|
|
2020-08-05 19:07:31 +00:00
|
|
|
from django.db.models import Q
|
2020-04-18 01:27:12 +00:00
|
|
|
from django.forms import HiddenInput
|
2020-08-05 19:07:31 +00:00
|
|
|
from django.utils import timezone
|
2020-04-25 23:20:46 +00:00
|
|
|
from django.utils.translation import gettext_lazy as _
|
|
|
|
from django.views.generic import UpdateView, TemplateView
|
2020-07-25 17:40:30 +00:00
|
|
|
from member.models import Membership
|
2020-04-18 01:27:12 +00:00
|
|
|
|
|
|
|
from .backends import PermissionBackend
|
2020-07-25 17:40:30 +00:00
|
|
|
from .models import Role
|
2020-08-05 19:07:31 +00:00
|
|
|
from .tables import RightsTable
|
2020-03-31 02:16:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
class ProtectQuerysetMixin:
|
2020-04-18 01:27:12 +00:00
|
|
|
"""
|
2020-04-25 23:20:46 +00:00
|
|
|
This is a View class decorator and not a proper View class.
|
2020-04-18 01:27:12 +00:00
|
|
|
Ensure that the user has the right to see or update objects.
|
|
|
|
Display 404 error if the user can't see an object, remove the fields the user can't
|
|
|
|
update on an update form (useful if the user can't change only specified fields).
|
|
|
|
"""
|
2020-03-31 02:16:30 +00:00
|
|
|
def get_queryset(self, **kwargs):
|
|
|
|
qs = super().get_queryset(**kwargs)
|
2020-08-02 06:57:16 +00:00
|
|
|
return qs.filter(PermissionBackend.filter_queryset(self.request.user, qs.model, "view")).distinct()
|
2020-04-18 01:27:12 +00:00
|
|
|
|
|
|
|
def get_form(self, form_class=None):
|
|
|
|
form = super().get_form(form_class)
|
|
|
|
|
|
|
|
if not isinstance(self, UpdateView):
|
|
|
|
return form
|
|
|
|
|
|
|
|
# If we are in an UpdateView, we display only the fields the user has right to see.
|
|
|
|
# No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make
|
|
|
|
# a custom request.
|
|
|
|
# We could also delete the field, but some views might be affected.
|
|
|
|
for key in form.base_fields:
|
|
|
|
if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object):
|
|
|
|
form.fields[key].widget = HiddenInput()
|
|
|
|
|
|
|
|
return form
|
2020-04-25 23:20:46 +00:00
|
|
|
|
|
|
|
|
|
|
|
class RightsView(TemplateView):
|
|
|
|
template_name = "permission/all_rights.html"
|
2020-07-30 15:30:21 +00:00
|
|
|
extra_context = {"title": _("Rights")}
|
2020-04-25 23:20:46 +00:00
|
|
|
|
|
|
|
def get_context_data(self, **kwargs):
|
|
|
|
context = super().get_context_data(**kwargs)
|
|
|
|
|
|
|
|
context["title"] = _("All rights")
|
|
|
|
roles = Role.objects.all()
|
|
|
|
context["roles"] = roles
|
|
|
|
if self.request.user.is_authenticated:
|
|
|
|
active_memberships = Membership.objects.filter(user=self.request.user,
|
|
|
|
date_start__lte=date.today(),
|
|
|
|
date_end__gte=date.today()).all()
|
|
|
|
else:
|
|
|
|
active_memberships = Membership.objects.none()
|
|
|
|
|
|
|
|
for role in roles:
|
|
|
|
role.clubs = [membership.club for membership in active_memberships if role in membership.roles.all()]
|
|
|
|
|
2020-08-05 19:07:31 +00:00
|
|
|
if self.request.user.is_authenticated:
|
|
|
|
special_memberships = Membership.objects.filter(
|
|
|
|
date_start__lte=timezone.now().date(),
|
|
|
|
date_end__gte=timezone.now().date(),
|
|
|
|
).filter(roles__in=Role.objects.filter(~(Q(name="Adhérent BDE")
|
|
|
|
| Q(name="Adhérent Kfet")
|
|
|
|
| Q(name="Membre de club")
|
|
|
|
| Q(name="Adhérent WEI")
|
|
|
|
| Q(name="1A")))).order_by("club", "user__last_name")\
|
|
|
|
.distinct().all()
|
|
|
|
context["special_memberships_table"] = RightsTable(special_memberships)
|
|
|
|
|
2020-04-25 23:20:46 +00:00
|
|
|
return context
|