check for a model in permission and use that in treasury

This commit is contained in:
bleizi 2023-09-28 18:48:57 +02:00
parent d82a1001c4
commit 0f1e4d2e60
No known key found for this signature in database
GPG Key ID: D46D7E3364433208
3 changed files with 39 additions and 16 deletions

View File

@ -198,6 +198,41 @@ class PermissionBackend(ModelBackend):
def has_module_perms(self, user_obj, app_label): def has_module_perms(self, user_obj, app_label):
return False return False
@staticmethod
@memoize
def has_model_perm(request, model, type):
"""
Check is the given user has the permission over a given model for a given action.
The result is then memoized.
:param request: The current request
:param model: The model that the permissions shoud apply
:param type: The type of the permissions: view, change, add or delete
For view action, it is consider possible if user can view or change the model
"""
# Requested by a shell
if request is None:
return False
user_obj = request.user
sess = request.session
if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
# OAuth2 Authentication
user_obj = request.auth.user
if user_obj is None or user_obj.is_anonymous:
return False
if user_obj.is_superuser and sess.get("permission_mask", -1) >= 42:
return True
ct = ContentType.objects.get_for_model(model)
if any(PermissionBackend.permissions(request, ct, type)):
return True
if type == "view" and any(PermissionBackend.permissions(request, ct, "change")):
return True
return False
def get_all_permissions(self, user_obj, obj=None): def get_all_permissions(self, user_obj, obj=None):
ct = ContentType.objects.get_for_model(obj) ct = ContentType.objects.get_for_model(obj)
return list(self.permissions(get_current_request(), ct, "view")) return list(self.permissions(get_current_request(), ct, "view"))

View File

@ -385,8 +385,7 @@ class TestSogeCredits(TestCase):
response = self.client.post(reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)), response = self.client.post(reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)),
data=dict(delete=True)) data=dict(delete=True))
# 403 because no SogeCredit exists anymore, then a PermissionDenied is raised self.assertRedirects(response, reverse("treasury:soge_credits"), 302, 200)
self.assertRedirects(response, reverse("treasury:soge_credits"), 302, 403)
self.assertFalse(SogeCredit.objects.filter(pk=soge_credit.pk)) self.assertFalse(SogeCredit.objects.filter(pk=soge_credit.pk))
self.user.note.refresh_from_db() self.user.note.refresh_from_db()
self.assertEqual(self.user.note.balance, 0) self.assertEqual(self.user.note.balance, 0)

View File

@ -101,14 +101,7 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
if not request.user.is_authenticated: if not request.user.is_authenticated:
return self.handle_no_permission() return self.handle_no_permission()
sample_invoice = Invoice( if not PermissionBackend.has_model_perm(self.request, Invoice(), "view"):
id=0,
object="",
description="",
name="",
address="",
)
if not PermissionBackend.check_perm(self.request, "treasury.view_invoice", sample_invoice):
raise PermissionDenied(_("You are not able to see the treasury interface.")) raise PermissionDenied(_("You are not able to see the treasury interface."))
return super().dispatch(request, *args, **kwargs) return super().dispatch(request, *args, **kwargs)
@ -278,11 +271,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
if not request.user.is_authenticated: if not request.user.is_authenticated:
return self.handle_no_permission() return self.handle_no_permission()
sample_remittance = Remittance( if not PermissionBackend.has_model_perm(self.request, Remittance(), "view"):
remittance_type_id=1,
comment="",
)
if not PermissionBackend.check_perm(self.request, "treasury.add_remittance", sample_remittance):
raise PermissionDenied(_("You are not able to see the treasury interface.")) raise PermissionDenied(_("You are not able to see the treasury interface."))
return super().dispatch(request, *args, **kwargs) return super().dispatch(request, *args, **kwargs)
@ -408,7 +397,7 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
if not request.user.is_authenticated: if not request.user.is_authenticated:
return self.handle_no_permission() return self.handle_no_permission()
if not super().get_queryset().exists(): if not PermissionBackend.has_model_perm(self.request, SogeCredit(), "view"):
raise PermissionDenied(_("You are not able to see the treasury interface.")) raise PermissionDenied(_("You are not able to see the treasury interface."))
return super().dispatch(request, *args, **kwargs) return super().dispatch(request, *args, **kwargs)