Improved permissions, 404 and 403 errors will be more frequent (when we type an invalid URL)

2025-06-21 01:48:21 +02:00 · 2020-03-31 04:16:30 +02:00
parent c384ee02eb
commit 1aae18e6a6
13 changed files with 272 additions and 105 deletions
--- a/apps/note/models/init.py
+++ b/apps/note/models/init.py
@ -1,13 +1,13 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
+from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser, NoteActivity
 from .transactions import MembershipTransaction, Transaction, \
    TemplateCategory, TransactionTemplate, RecurrentTransaction, SpecialTransaction

 __all__ = [
    # Notes
-    'Alias', 'Note', 'NoteClub', 'NoteSpecial', 'NoteUser',
+    'Alias', 'Note', 'NoteClub', 'NoteSpecial', 'NoteUser', 'NoteActivity',
    # Transactions
    'MembershipTransaction', 'Transaction', 'TemplateCategory', 'TransactionTemplate',
    'RecurrentTransaction', 'SpecialTransaction',
--- a/apps/note/views.py
+++ b/apps/note/views.py
@ -9,6 +9,7 @@ from django_tables2 import SingleTableView
 from django.urls import reverse_lazy
 from note_kfet.inputs import AmountInput
 from permission.backends import PermissionBackend
+from permission.views import ProtectQuerysetMixin

 from .forms import TransactionTemplateForm
 from .models import Transaction, TransactionTemplate, RecurrentTransaction, NoteSpecial
@ -16,7 +17,7 @@ from .models.transactions import SpecialTransaction
 from .tables import HistoryTable, ButtonTable


-class TransactionCreateView(LoginRequiredMixin, SingleTableView):
+class TransactionCreateView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
    """
    View for the creation of Transaction between two note which are not :models:`transactions.RecurrentTransaction`.
    e.g. for donation/transfer between people and clubs or for credit/debit with :models:`note.NoteSpecial`
@ -26,12 +27,9 @@ class TransactionCreateView(LoginRequiredMixin, SingleTableView):
    model = Transaction
    # Transaction history table
    table_class = HistoryTable
-    table_pagination = {"per_page": 50}

-    def get_queryset(self):
-        return Transaction.objects.filter(PermissionBackend.filter_queryset(
-            self.request.user, Transaction, "view")
-        ).order_by("-id").all()[:50]
+    def get_queryset(self, **kwargs):
+        return super().get_queryset(**kwargs).order_by("-id").all()[:50]

    def get_context_data(self, **kwargs):
        """
@ -42,12 +40,14 @@ class TransactionCreateView(LoginRequiredMixin, SingleTableView):
        context['amount_widget'] = AmountInput(attrs={"id": "amount"})
        context['polymorphic_ctype'] = ContentType.objects.get_for_model(Transaction).pk
        context['special_polymorphic_ctype'] = ContentType.objects.get_for_model(SpecialTransaction).pk
-        context['special_types'] = NoteSpecial.objects.order_by("special_type").all()
+        context['special_types'] = NoteSpecial.objects\
+            .filter(PermissionBackend.filter_queryset(self.request.user, NoteSpecial, "view"))\
+            .order_by("special_type").all()

        return context


-class TransactionTemplateCreateView(LoginRequiredMixin, CreateView):
+class TransactionTemplateCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
    """
    Create TransactionTemplate
    """
@ -56,7 +56,7 @@ class TransactionTemplateCreateView(LoginRequiredMixin, CreateView):
    success_url = reverse_lazy('note:template_list')


-class TransactionTemplateListView(LoginRequiredMixin, SingleTableView):
+class TransactionTemplateListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
    """
    List TransactionsTemplates
    """
@ -64,7 +64,7 @@ class TransactionTemplateListView(LoginRequiredMixin, SingleTableView):
    table_class = ButtonTable


-class TransactionTemplateUpdateView(LoginRequiredMixin, UpdateView):
+class TransactionTemplateUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
    """
    """
    model = TransactionTemplate
@ -72,21 +72,19 @@ class TransactionTemplateUpdateView(LoginRequiredMixin, UpdateView):
    success_url = reverse_lazy('note:template_list')


-class ConsoView(LoginRequiredMixin, SingleTableView):
+class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
    """
    The Magic View that make people pay their beer and burgers.
    (Most of the magic happens in the dark world of Javascript see consos.js)
    """
+    model = Transaction
    template_name = "note/conso_form.html"

    # Transaction history table
    table_class = HistoryTable
-    table_pagination = {"per_page": 50}

-    def get_queryset(self):
-        return Transaction.objects.filter(
-            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
-        ).order_by("-id").all()[:50]
+    def get_queryset(self, **kwargs):
+        return super().get_queryset(**kwargs).order_by("-id").all()[:50]

    def get_context_data(self, **kwargs):
        """