Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53

2025-06-21 01:48:21 +02:00 · 2020-08-13 15:20:15 +02:00
parent 71f6436d06
commit c466715e8a
15 changed files with 584 additions and 173 deletions
--- a/apps/member/templates/member/club_list.html
+++ b/apps/member/templates/member/club_list.html
@ -1,12 +1,15 @@
 {% extends "base.html" %}
 {% load render_table from django_tables2 %}
 {% load i18n %}
+
 {% block content %}
 <div class="row justify-content-center mb-4">
    <div class="col-md-10 text-center">
        <input class="form-control mx-auto w-25" type="text" id="search_field"/>
        <hr>
-        <a class="btn btn-primary text-center my-4" href="{% url 'member:club_create' %}" data-turbolinks="false">{% trans "Create club" %}</a>
+        {% if can_add_club %}
+            <a class="btn btn-primary text-center my-4" href="{% url 'member:club_create' %}" data-turbolinks="false">{% trans "Create club" %}</a>
+        {% endif %}
    </div>
 </div>
 <div class="row justify-content-center">   
--- a/apps/member/tests/test_login.py
+++ b/apps/member/tests/test_login.py
@ -3,6 +3,7 @@

 from django.contrib.auth.models import User
 from django.test import TestCase
+from note.models import TransactionTemplate, TemplateCategory

 """
 Test that login page still works
@ -16,6 +17,8 @@ class TemplateLoggedOutTests(TestCase):


 class TemplateLoggedInTests(TestCase):
+    fixtures = ('initial', )
+
    def setUp(self):
        self.user = User.objects.create_superuser(
            username="admin",
@ -48,5 +51,12 @@ class TemplateLoggedInTests(TestCase):
        self.assertEqual(response.status_code, 200)

    def test_consos_page(self):
+        # Create one button and ensure that it is visible
+        cat = TemplateCategory.objects.create()
+        TransactionTemplate.objects.create(
+            destination_id=5,
+            category=cat,
+            amount=0,
+        )
        response = self.client.get('/note/consos/')
        self.assertEqual(response.status_code, 200)
--- a/apps/member/views.py
+++ b/apps/member/views.py
@ -15,7 +15,7 @@ from django.shortcuts import redirect
 from django.urls import reverse_lazy
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import CreateView, DetailView, UpdateView, TemplateView
+from django.views.generic import DetailView, UpdateView, TemplateView
 from django.views.generic.edit import FormMixin
 from django_tables2.views import SingleTableView
 from rest_framework.authtoken.models import Token
@ -26,7 +26,7 @@ from note.tables import HistoryTable, AliasTable
 from note_kfet.middlewares import _set_current_user_and_ip
 from permission.backends import PermissionBackend
 from permission.models import Role
-from permission.views import ProtectQuerysetMixin
+from permission.views import ProtectQuerysetMixin, ProtectedCreateView

 from .forms import ProfileForm, ClubForm, MembershipForm, CustomAuthenticationForm, UserForm, MembershipRolesForm
 from .models import Club, Membership
@ -295,7 +295,7 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
 # ******************************* #


-class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
+class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
    """
    Create Club
    """
@ -304,6 +304,12 @@ class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
    success_url = reverse_lazy('member:club_list')
    extra_context = {"title": _("Create new club")}

+    def get_sample_object(self):
+        return Club(
+            name="",
+            email="",
+        )
+
    def form_valid(self, form):
        return super().form_valid(form)

@ -332,6 +338,14 @@ class ClubListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):

        return qs

+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["can_add_club"] = PermissionBackend.check_perm(self.request.user, "member.add_club", Club(
+            name="",
+            email="club@example.com",
+        ))
+        return context
+

 class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
    """
@ -432,7 +446,7 @@ class ClubPictureUpdateView(PictureUpdateView):
        return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})


-class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
+class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
    """
    Add a membership to a club.
    """
@ -441,6 +455,19 @@ class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
    template_name = 'member/add_members.html'
    extra_context = {"title": _("Add new member to the club")}

+    def get_sample_object(self):
+        if "club_pk" in self.kwargs:
+            club = Club.objects.get(pk=self.kwargs["club_pk"])
+        else:
+            club = Membership.objects.get(pk=self.kwargs["pk"]).club
+        return Membership(
+            user=self.request.user,
+            club=club,
+            fee=0,
+            date_start=timezone.now(),
+            date_end=timezone.now() + timedelta(days=1),
+        )
+
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        form = context['form']