Merge branch 'beta' into 'master'

Permissions PC Kfet

See merge request bde/nk20!138

apps/member/tables.py

@@ -43,8 +43,24 @@ class UserTable(tables.Table):
 
     section = tables.Column(accessor='profile__section')
 
+    # Override the column to let replace the URL
+    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
+
     balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
 
+    def render_email(self, record, value):
+        # Replace the email by a dash if the user can't see the profile detail
+        # Replace also the URL
+        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
+            value = "—"
+            record.email = value
+        return value
+
+    def render_section(self, record, value):
+        return value \
+            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
+            else "—"
+
     def render_balance(self, record, value):
         return pretty_money(value)\
             if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"

apps/member/templates/member/includes/profile_info.html

@@ -25,25 +25,27 @@
         </a>
     </dd>
 
-    <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
+    {% if "member.view_profile"|has_perm:user_object.profile %}
+        <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
 
-    <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
+        <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
 
-    <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
-    </dd>
+        <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+        </dd>
 
-    <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+        <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
 
-    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-    <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
 
-    <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        {% endif %}
     {% endif %}
 </dl>
 

apps/member/views.py

@@ -70,10 +70,11 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         form.fields['email'].required = True
         form.fields['email'].help_text = _("This address must be valid.")
 
-        context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
-                                                    data=self.request.POST if self.request.POST else None)
-        if not self.object.profile.report_frequency:
-            del context['profile_form'].fields["last_report"]
+        if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
+            context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
+                                                        data=self.request.POST if self.request.POST else None)
+            if not self.object.profile.report_frequency:
+                del context['profile_form'].fields["last_report"]
 
         return context
 
@@ -677,11 +678,13 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
             if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):
                 if not last_name:
                     form.add_error('last_name', _("This field is required."))
+                    error = True
                 if not first_name:
                     form.add_error('first_name', _("This field is required."))
+                    error = True
                 if not bank and credit_type.special_type == "Chèque":
                     form.add_error('bank', _("This field is required."))
-                return self.form_invalid(form)
+                    error = True
 
         return not error
 

apps/permission/fixtures/initial.json

@@ -2839,6 +2839,22 @@
 			"description": "Voir n'importe quel profil non encore inscrit"
 		}
 	},
+	{
+		"model": "permission.permission",
+		"pk": 182,
+		"fields": {
+			"model": [
+				"auth",
+				"user"
+			],
+			"query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}",
+			"type": "view",
+			"mask": 2,
+			"field": "",
+			"permanent": false,
+			"description": "Voir n'importe quel utilisateur qui est adhérent BDE"
+		}
+	},
 	{
 		"model": "permission.role",
 		"pk": 1,
@@ -2971,14 +2987,14 @@
 				62,
 				127,
 				133,
-				135,
 				136,
 				141,
 				142,
 				150,
 				166,
 				167,
-				168
+				168,
+				182
 			]
 		}
 	},
@@ -3271,7 +3287,12 @@
 				170,
 				171,
 				176,
-				177
+				177,
+				178,
+				179,
+				180,
+				181,
+				182
 			]
 		}
 	},
@@ -3466,7 +3487,9 @@
 				56,
 				57,
 				58,
+				137,
 				143,
+				147,
 				150,
 				166,
 				167,
@@ -3474,7 +3497,8 @@
 				176,
 				177,
 				180,
-				181
+				181,
+				182
 			]
 		}
 	},

apps/permission/models.py

@@ -45,6 +45,7 @@ class InstancedPermission:
                 with transaction.atomic():
                     sid = transaction.savepoint()
                     for o in self.model.model_class().objects.filter(pk=0).all():
+                        o._no_signal = True
                         o._force_delete = True
                         Model.delete(o)
                         # An object with pk 0 wouldn't deleted. That's not normal, we alert admins.
@@ -62,10 +63,6 @@ class InstancedPermission:
                     obj._no_signal = True
                     Model.save(obj, force_insert=True)
                     ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists()
-                    # Delete testing object
-                    obj._no_signal = True
-                    obj._force_delete = True
-                    Model.delete(obj)
                     transaction.savepoint_rollback(sid)
 
                 return ret

apps/permission/views.py

@@ -51,8 +51,10 @@ class ProtectQuerysetMixin:
         # No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make
         # a custom request.
         # We could also delete the field, but some views might be affected.
+        meta = form.instance._meta
         for key in form.base_fields:
-            if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object):
+            if not PermissionBackend.check_perm(self.request.user,
+                                                f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
                 form.fields[key].widget = HiddenInput()
 
         return form