	Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53
		@@ -124,7 +124,7 @@ class Activity(models.Model):
 | 
			
		||||
        Update the activity wiki page each time the activity is updated (validation, change description, ...)
 | 
			
		||||
        """
 | 
			
		||||
        ret = super().save(*args, **kwargs)
 | 
			
		||||
        if self.pk and "scripts" in settings.INSTALLED_APPS:
 | 
			
		||||
        if settings.DEBUG and self.pk and "scripts" in settings.INSTALLED_APPS:
 | 
			
		||||
            def refresh_activities():
 | 
			
		||||
                from scripts.management.commands.refresh_activities import Command as RefreshActivitiesCommand
 | 
			
		||||
                RefreshActivitiesCommand.refresh_human_readable_wiki_page("Modification de l'activité " + self.name)
 | 
			
		||||
 
 | 
			
		||||
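Review bot: Gating the wiki refresh in `Activity.save` on `settings.DEBUG` looks inverted, assuming the `if settings.DEBUG and self.pk and "scripts" in settings.INSTALLED_APPS:` line is the new side (the +/- markers are lost on this page, so that should be confirmed). As written, the refresh described in the docstring would run only on instances with DEBUG enabled and never in production. If the intent is to skip the refresh during development, the condition would be `if not settings.DEBUG and self.pk and "scripts" in settings.INSTALLED_APPS:`. The change is unrelated to the permission work named in the commit title, so a one-line comment stating why the refresh depends on DEBUG would help; the rest of `save()` lies outside the hunk.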
@@ -4,26 +4,39 @@
 | 
			
		||||
from django.conf import settings
 | 
			
		||||
from django.contrib.auth.mixins import LoginRequiredMixin
 | 
			
		||||
from django.contrib.contenttypes.models import ContentType
 | 
			
		||||
from django.core.exceptions import PermissionDenied
 | 
			
		||||
from django.db.models import F, Q
 | 
			
		||||
from django.urls import reverse_lazy
 | 
			
		||||
from django.utils import timezone
 | 
			
		||||
from django.utils.translation import gettext_lazy as _
 | 
			
		||||
from django.views.generic import CreateView, DetailView, TemplateView, UpdateView
 | 
			
		||||
from django.views.generic import DetailView, TemplateView, UpdateView
 | 
			
		||||
from django_tables2.views import SingleTableView
 | 
			
		||||
from note.models import Alias, NoteSpecial, NoteUser
 | 
			
		||||
from permission.backends import PermissionBackend
 | 
			
		||||
from permission.views import ProtectQuerysetMixin
 | 
			
		||||
from permission.views import ProtectQuerysetMixin, ProtectedCreateView
 | 
			
		||||
 | 
			
		||||
from .forms import ActivityForm, GuestForm
 | 
			
		||||
from .models import Activity, Entry, Guest
 | 
			
		||||
from .tables import ActivityTable, EntryTable, GuestTable
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
class ActivityCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
 | 
			
		||||
class ActivityCreateView(LoginRequiredMixin, ProtectedCreateView):
 | 
			
		||||
    model = Activity
 | 
			
		||||
    form_class = ActivityForm
 | 
			
		||||
    extra_context = {"title": _("Create new activity")}
 | 
			
		||||
 | 
			
		||||
    def get_sample_object(self):
 | 
			
		||||
        return Activity(
 | 
			
		||||
            name="",
 | 
			
		||||
            description="",
 | 
			
		||||
            creater=self.request.user,
 | 
			
		||||
            activity_type_id=1,
 | 
			
		||||
            organizer_id=1,
 | 
			
		||||
            attendees_club_id=1,
 | 
			
		||||
            date_start=timezone.now(),
 | 
			
		||||
            date_end=timezone.now(),
 | 
			
		||||
        )
 | 
			
		||||
 | 
			
		||||
    def form_valid(self, form):
 | 
			
		||||
        form.instance.creater = self.request.user
 | 
			
		||||
        return super().form_valid(form)
 | 
			
		||||
@@ -85,11 +98,20 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
 | 
			
		||||
        return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
 | 
			
		||||
class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
 | 
			
		||||
    model = Guest
 | 
			
		||||
    form_class = GuestForm
 | 
			
		||||
    template_name = "activity/activity_invite.html"
 | 
			
		||||
 | 
			
		||||
    def get_sample_object(self):
 | 
			
		||||
        activity = Activity.objects.get(pk=self.kwargs["pk"])
 | 
			
		||||
        return Guest(
 | 
			
		||||
            activity=activity,
 | 
			
		||||
            first_name="",
 | 
			
		||||
            last_name="",
 | 
			
		||||
            inviter=self.request.user.note,
 | 
			
		||||
        )
 | 
			
		||||
 | 
			
		||||
    def get_context_data(self, **kwargs):
 | 
			
		||||
        context = super().get_context_data(**kwargs)
 | 
			
		||||
        activity = context["form"].activity
 | 
			
		||||
@@ -114,6 +136,24 @@ class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
 | 
			
		||||
class ActivityEntryView(LoginRequiredMixin, TemplateView):
 | 
			
		||||
    template_name = "activity/activity_entry.html"
 | 
			
		||||
 | 
			
		||||
    def dispatch(self, request, *args, **kwargs):
 | 
			
		||||
        """
 | 
			
		||||
        Don't display the entry interface if the user has no right to see it (no right to add an entry for itself),
 | 
			
		||||
        it is closed or doesn't manage entries.
 | 
			
		||||
        """
 | 
			
		||||
        activity = Activity.objects.get(pk=self.kwargs["pk"])
 | 
			
		||||
 | 
			
		||||
        sample_entry = Entry(activity=activity, note=self.request.user.note)
 | 
			
		||||
        if not PermissionBackend.check_perm(self.request.user, "activity.add_entry", sample_entry):
 | 
			
		||||
            raise PermissionDenied(_("You are not allowed to display the entry interface for this activity."))
 | 
			
		||||
 | 
			
		||||
        if not activity.activity_type.manage_entries:
 | 
			
		||||
            raise PermissionDenied(_("This activity does not support activity entries."))
 | 
			
		||||
 | 
			
		||||
        if not activity.open:
 | 
			
		||||
            raise PermissionDenied(_("This activity is closed."))
 | 
			
		||||
        return super().dispatch(request, *args, **kwargs)
 | 
			
		||||
 | 
			
		||||
    def get_context_data(self, **kwargs):
 | 
			
		||||
        context = super().get_context_data(**kwargs)
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
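Review bot: The new `ActivityEntryView.dispatch` runs its permission check before `LoginRequiredMixin.dispatch`, because the class's own `dispatch` is first in the MRO and the login check only happens in the final `super().dispatch(...)` call. An anonymous request therefore reaches `self.request.user.note`, which is likely to raise `AttributeError` and return a 500 instead of redirecting to login. Starting the method with `if not request.user.is_authenticated: return self.handle_no_permission()` keeps the authentication check ahead of the authorization check. Separately, `Activity.objects.get(pk=self.kwargs["pk"])`, here and in `ActivityInviteView.get_sample_object`, raises `DoesNotExist` for an unknown pk, so `get_object_or_404(Activity, pk=self.kwargs["pk"])` would turn that into a 404. The hard-coded `activity_type_id=1`, `organizer_id=1` and `attendees_club_id=1` in `ActivityCreateView.get_sample_object` deserve a comment: the create permission is presumably evaluated against that one club, which may not match what a club-scoped user is allowed to create.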