Ensure that the user is authenticated before that it has the permission to see page

2020-08-15 23:27:58 +02:00 · 2020-08-15 23:27:58 +02:00 · 4997a37058
parent b16871d925
commit 4997a37058
6 changed files with 34 additions and 13 deletions
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@ -20,7 +20,7 @@ from .models import Activity, Entry, Guest
 from .tables import ActivityTable, EntryTable, GuestTable


-class ActivityCreateView(LoginRequiredMixin, ProtectedCreateView):
+class ActivityCreateView(ProtectedCreateView):
    model = Activity
    form_class = ActivityForm
    extra_context = {"title": _("Create new activity")}
@ -98,7 +98,7 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
        return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})


-class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
    model = Guest
    form_class = GuestForm
    template_name = "activity/activity_invite.html"
--- a/apps/member/views.py
+++ b/apps/member/views.py
@ -295,7 +295,7 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
 # ******************************* #


-class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubCreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create Club
    """
@ -446,7 +446,7 @@ class ClubPictureUpdateView(PictureUpdateView):
        return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})


-class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Add a membership to a club.
    """
--- a/apps/note/views.py
+++ b/apps/note/views.py
@ -156,6 +156,10 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
    table_class = HistoryTable

    def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
        templates = TransactionTemplate.objects.filter(
            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
        )
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@ -3,6 +3,7 @@

 from datetime import date

+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import Q
 from django.forms import HiddenInput
@ -44,7 +45,7 @@ class ProtectQuerysetMixin:
        return form


-class ProtectedCreateView(CreateView):
+class ProtectedCreateView(LoginRequiredMixin, CreateView):
    """
    Extends a CreateView to check is the user has the right to create a sample instance of the given Model.
    If not, a 403 error is displayed.
@ -58,6 +59,10 @@ class ProtectedCreateView(CreateView):
        raise NotImplementedError

    def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated before that he/she has the permission to access here
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
        model_class = self.model
        # noinspection PyProtectedMember
        app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
--- a/apps/treasury/views.py
+++ b/apps/treasury/views.py
@ -29,7 +29,7 @@ from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeC
 from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable


-class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class InvoiceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create Invoice
    """
@ -90,6 +90,10 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
    extra_context = {"title": _("Invoices list")}

    def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
        sample_invoice = Invoice(
            id=0,
            object="",
@ -215,7 +219,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
        return response


-class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class RemittanceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create Remittance
    """
@ -251,6 +255,10 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
    extra_context = {"title": _("Remittances list")}

    def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
        sample_remittance = Remittance(
            remittance_type_id=1,
            comment="",
@ -377,6 +385,10 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
    extra_context = {"title": _("List of credits from the Société générale")}

    def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
        if not self.get_queryset().exists():
            raise PermissionDenied(_("You are not able to see the treasury interface."))
        return super().dispatch(request, *args, **kwargs)
--- a/apps/wei/views.py
+++ b/apps/wei/views.py
@ -67,7 +67,7 @@ class WEIListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
        return context


-class WEICreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEICreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create WEI
    """
@ -286,7 +286,7 @@ class WEIUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
        return reverse_lazy("wei:wei_detail", kwargs={"pk": self.object.pk})


-class BusCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusCreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create Bus
    """
@ -381,7 +381,7 @@ class BusManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
        return context


-class BusTeamCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusTeamCreateView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Create BusTeam
    """
@ -474,7 +474,7 @@ class BusTeamManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
        return context


-class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister1AView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Register a new user to the WEI
    """
@ -541,7 +541,7 @@ class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreat
        return reverse_lazy("wei:wei_survey", kwargs={"pk": self.object.pk})


-class WEIRegister2AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister2AView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Register an old user to the WEI
    """
@ -761,7 +761,7 @@ class WEIDeleteRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, Delete
        return reverse_lazy('wei:wei_detail', args=(self.object.wei.pk,))


-class WEIValidateRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIValidateRegistrationView(ProtectQuerysetMixin, ProtectedCreateView):
    """
    Validate WEI Registration
    """