ynerant
/
nk20
mirror of https://gitlab.crans.org/bde/nk20
1
0
Fork 0
Code Issues Releases Wiki Activity

Ensure that the user is authenticated before that it has the permission to see page

This commit is contained in:
Yohann D'ANELLO 2020-08-15 23:27:58 +02:00
parent b16871d925
commit 4997a37058
6 changed files with 34 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apps/activity/views.py
View File

@ -20,7 +20,7 @@ from .models import Activity, Entry, Guest
from .tables import ActivityTable, EntryTable, GuestTable from .tables import ActivityTable, EntryTable, GuestTable
class ActivityCreateView(LoginRequiredMixin, ProtectedCreateView): class ActivityCreateView(ProtectedCreateView):
model = Activity model = Activity
form_class = ActivityForm form_class = ActivityForm
extra_context = {"title": _("Create new activity")} extra_context = {"title": _("Create new activity")}
@ -98,7 +98,7 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]}) return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
model = Guest model = Guest
form_class = GuestForm form_class = GuestForm
template_name = "activity/activity_invite.html" template_name = "activity/activity_invite.html"

4
apps/member/views.py
View File

@ -295,7 +295,7 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
# ******************************* # # ******************************* #
class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class ClubCreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create Club Create Club
""" """
@ -446,7 +446,7 @@ class ClubPictureUpdateView(PictureUpdateView):
return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id}) return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})
class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Add a membership to a club. Add a membership to a club.
""" """

4
apps/note/views.py
View File

@ -156,6 +156,10 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
table_class = HistoryTable table_class = HistoryTable
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
# Check that the user is authenticated
if not request.user.is_authenticated:
return self.handle_no_permission()
templates = TransactionTemplate.objects.filter( templates = TransactionTemplate.objects.filter(
PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view") PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
) )

7
apps/permission/views.py
View File

@ -3,6 +3,7 @@
from datetime import date from datetime import date
from django.contrib.auth.mixins import LoginRequiredMixin
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.db.models import Q from django.db.models import Q
from django.forms import HiddenInput from django.forms import HiddenInput
@ -44,7 +45,7 @@ class ProtectQuerysetMixin:
return form return form
class ProtectedCreateView(CreateView): class ProtectedCreateView(LoginRequiredMixin, CreateView):
""" """
Extends a CreateView to check is the user has the right to create a sample instance of the given Model. Extends a CreateView to check is the user has the right to create a sample instance of the given Model.
If not, a 403 error is displayed. If not, a 403 error is displayed.
@ -58,6 +59,10 @@ class ProtectedCreateView(CreateView):
raise NotImplementedError raise NotImplementedError
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
# Check that the user is authenticated before that he/she has the permission to access here
if not request.user.is_authenticated:
return self.handle_no_permission()
model_class = self.model model_class = self.model
# noinspection PyProtectedMember # noinspection PyProtectedMember
app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower() app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()

16
apps/treasury/views.py
View File

@ -29,7 +29,7 @@ from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeC
from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable
class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class InvoiceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create Invoice Create Invoice
""" """
@ -90,6 +90,10 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
extra_context = {"title": _("Invoices list")} extra_context = {"title": _("Invoices list")}
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
# Check that the user is authenticated
if not request.user.is_authenticated:
return self.handle_no_permission()
sample_invoice = Invoice( sample_invoice = Invoice(
id=0, id=0,
object="", object="",
@ -215,7 +219,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
return response return response
class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class RemittanceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create Remittance Create Remittance
""" """
@ -251,6 +255,10 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
extra_context = {"title": _("Remittances list")} extra_context = {"title": _("Remittances list")}
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
# Check that the user is authenticated
if not request.user.is_authenticated:
return self.handle_no_permission()
sample_remittance = Remittance( sample_remittance = Remittance(
remittance_type_id=1, remittance_type_id=1,
comment="", comment="",
@ -377,6 +385,10 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
extra_context = {"title": _("List of credits from the Société générale")} extra_context = {"title": _("List of credits from the Société générale")}
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
# Check that the user is authenticated
if not request.user.is_authenticated:
return self.handle_no_permission()
if not self.get_queryset().exists(): if not self.get_queryset().exists():
raise PermissionDenied(_("You are not able to see the treasury interface.")) raise PermissionDenied(_("You are not able to see the treasury interface."))
return super().dispatch(request, *args, **kwargs) return super().dispatch(request, *args, **kwargs)

12
apps/wei/views.py
View File

@ -67,7 +67,7 @@ class WEIListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
return context return context
class WEICreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class WEICreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create WEI Create WEI
""" """
@ -286,7 +286,7 @@ class WEIUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
return reverse_lazy("wei:wei_detail", kwargs={"pk": self.object.pk}) return reverse_lazy("wei:wei_detail", kwargs={"pk": self.object.pk})
class BusCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class BusCreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create Bus Create Bus
""" """
@ -381,7 +381,7 @@ class BusManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
return context return context
class BusTeamCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class BusTeamCreateView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Create BusTeam Create BusTeam
""" """
@ -474,7 +474,7 @@ class BusTeamManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
return context return context
class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class WEIRegister1AView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Register a new user to the WEI Register a new user to the WEI
""" """
@ -541,7 +541,7 @@ class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreat
return reverse_lazy("wei:wei_survey", kwargs={"pk": self.object.pk}) return reverse_lazy("wei:wei_survey", kwargs={"pk": self.object.pk})
class WEIRegister2AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class WEIRegister2AView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Register an old user to the WEI Register an old user to the WEI
""" """
@ -761,7 +761,7 @@ class WEIDeleteRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, Delete
return reverse_lazy('wei:wei_detail', args=(self.object.wei.pk,)) return reverse_lazy('wei:wei_detail', args=(self.object.wei.pk,))
class WEIValidateRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView): class WEIValidateRegistrationView(ProtectQuerysetMixin, ProtectedCreateView):
""" """
Validate WEI Registration Validate WEI Registration
""" """