From 4997a370585923bccea565e29ee6ea1d1a31b9a0 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sat, 15 Aug 2020 23:27:58 +0200
Subject: [PATCH] Ensure that the user is authenticated before that it has the permission to see page
---
apps/activity/views.py | 4 ++--
apps/member/views.py | 4 ++--
apps/note/views.py | 4 ++++
apps/permission/views.py | 7 ++++++-
apps/treasury/views.py | 16 ++++++++++++++--
apps/wei/views.py | 12 ++++++------
6 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/apps/activity/views.py b/apps/activity/views.py
index 3d596a3f..a0f812d9 100644
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@@ -20,7 +20,7 @@ from .models import Activity, Entry, Guest
from .tables import ActivityTable, EntryTable, GuestTable
-class ActivityCreateView(LoginRequiredMixin, ProtectedCreateView):
+class ActivityCreateView(ProtectedCreateView):
model = Activity
form_class = ActivityForm
extra_context = {"title": _("Create new activity")}
@@ -98,7 +98,7 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
-class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
model = Guest
form_class = GuestForm
template_name = "activity/activity_invite.html"
diff --git a/apps/member/views.py b/apps/member/views.py
index 869f060d..8cb384e8 100644
--- a/apps/member/views.py
+++ b/apps/member/views.py
@@ -295,7 +295,7 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
# ******************************* #
-class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubCreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create Club
"""
@@ -446,7 +446,7 @@ class ClubPictureUpdateView(PictureUpdateView):
return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})
-class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Add a membership to a club.
"""
diff --git a/apps/note/views.py b/apps/note/views.py
index 17efdc3e..0312f11f 100644
--- a/apps/note/views.py
+++ b/apps/note/views.py
@@ -156,6 +156,10 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
table_class = HistoryTable
def dispatch(self, request, *args, **kwargs):
+ # Check that the user is authenticated
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+
templates = TransactionTemplate.objects.filter(
PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
)
diff --git a/apps/permission/views.py b/apps/permission/views.py
index 4b59204b..6a5c9b12 100644
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@@ -3,6 +3,7 @@ from datetime import date
+from django.contrib.auth.mixins import LoginRequiredMixin
from django.core.exceptions import PermissionDenied
from django.db.models import Q
from django.forms import HiddenInput
@@ -44,7 +45,7 @@ class ProtectQuerysetMixin:
return form
-class ProtectedCreateView(CreateView):
+class ProtectedCreateView(LoginRequiredMixin, CreateView):
"""
Extends a CreateView to check is the user has the right to create a sample instance of the given Model.
If not, a 403 error is displayed.
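Review bot: The guard added to `ConsoView.dispatch` calls `self.handle_no_permission()`, which is only available because the class still lists `LoginRequiredMixin` (the method comes from Django's `AccessMixin`); the identical three lines are added to `InvoiceListView`, `RemittanceListView` and `SogeCreditListView` in apps/treasury/views.py, where the same dependency holds. Because each of these overrides does its work before `super().dispatch()`, the mixin's own `is_authenticated` check never runs ahead of that work, so the explicit check is what keeps anonymous users out of the code below it — and removing the mixin later, as this commit does for the create views, would turn the guard into an `AttributeError` rather than a login redirect. The comment should capture that coupling instead of restating the condition, e.g. `# LoginRequiredMixin.dispatch only runs via super() below; check here so the query code is not reached anonymously (handle_no_permission comes from AccessMixin)`. The rest of `dispatch` continues outside the hunk.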
@@ -58,6 +59,10 @@ class ProtectedCreateView(CreateView):
raise NotImplementedError
def dispatch(self, request, *args, **kwargs):
+ # Check that the user is authenticated before that he/she has the permission to access here
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+
model_class = self.model
# noinspection PyProtectedMember
app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
diff --git a/apps/treasury/views.py b/apps/treasury/views.py
index 351253bf..480ed290 100644
--- a/apps/treasury/views.py
+++ b/apps/treasury/views.py
@@ -29,7 +29,7 @@ from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeC
from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable
-class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class InvoiceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create Invoice
"""
@@ -90,6 +90,10 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
extra_context = {"title": _("Invoices list")}
def dispatch(self, request, *args, **kwargs):
+ # Check that the user is authenticated
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+
sample_invoice = Invoice(
id=0,
object="",
@@ -215,7 +219,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
return response
-class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class RemittanceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create Remittance
"""
@@ -251,6 +255,10 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
extra_context = {"title": _("Remittances list")}
def dispatch(self, request, *args, **kwargs):
+ # Check that the user is authenticated
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+
sample_remittance = Remittance(
remittance_type_id=1,
comment="",
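Review bot: The explicit `is_authenticated` check in `ProtectedCreateView.dispatch` is the guard that actually protects this view: `LoginRequiredMixin.dispatch` is only reached through `super().dispatch()`, which presumably sits after the `model_class._meta` permission lookup below, so the newly added base class on its own would still let anonymous requests run that lookup before any login redirect. The comment should say that rather than paraphrase the commit message, e.g. `# LoginRequiredMixin.dispatch only runs via super().dispatch() further down; check here so the permission lookup is never reached anonymously`. The class docstring in the -44 hunk should also state that subclasses no longer need `LoginRequiredMixin` and that any `dispatch` override doing work before `super().dispatch()` must repeat this check; its existing `check is the user` reads as a typo for `check if the user`. The remainder of `dispatch`, including the `super().dispatch()` call, lies outside the hunk.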
@@ -377,6 +385,10 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
extra_context = {"title": _("List of credits from the Société générale")}
def dispatch(self, request, *args, **kwargs):
+ # Check that the user is authenticated
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+
if not self.get_queryset().exists():
raise PermissionDenied(_("You are not able to see the treasury interface."))
return super().dispatch(request, *args, **kwargs)
diff --git a/apps/wei/views.py b/apps/wei/views.py
index 74830066..978c77f7 100644
--- a/apps/wei/views.py
+++ b/apps/wei/views.py
@@ -67,7 +67,7 @@ class WEIListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
return context
-class WEICreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEICreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create WEI
"""
@@ -286,7 +286,7 @@ class WEIUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
return reverse_lazy("wei:wei_detail", kwargs={"pk": self.object.pk})
-class BusCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusCreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create Bus
"""
@@ -381,7 +381,7 @@ class BusManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
return context
-class BusTeamCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusTeamCreateView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Create BusTeam
"""
@@ -474,7 +474,7 @@ class BusTeamManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
return context
-class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister1AView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Register a new user to the WEI
"""
@@ -541,7 +541,7 @@ class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreat
return reverse_lazy("wei:wei_survey", kwargs={"pk": self.object.pk})
-class WEIRegister2AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister2AView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Register an old user to the WEI
"""
@@ -761,7 +761,7 @@ class WEIDeleteRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, Delete
return reverse_lazy('wei:wei_detail', args=(self.object.wei.pk,))
-class WEIValidateRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIValidateRegistrationView(ProtectQuerysetMixin, ProtectedCreateView):
"""
Validate WEI Registration
"""