1
0
mirror of https://gitlab.crans.org/bde/nk20 synced 2024-12-23 16:02:25 +00:00

Merge branch 'beta' into 'master'

Permissions PC Kfet

See merge request bde/nk20!138
This commit is contained in:
ynerant 2020-10-25 22:08:00 +01:00
commit e5e94c52f2
6 changed files with 72 additions and 28 deletions

View File

@ -43,8 +43,24 @@ class UserTable(tables.Table):
section = tables.Column(accessor='profile__section') section = tables.Column(accessor='profile__section')
# Override the column to let replace the URL
email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
balance = tables.Column(accessor='note__balance', verbose_name=_("Balance")) balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
def render_email(self, record, value):
# Replace the email by a dash if the user can't see the profile detail
# Replace also the URL
if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
value = ""
record.email = value
return value
def render_section(self, record, value):
return value \
if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
else ""
def render_balance(self, record, value): def render_balance(self, record, value):
return pretty_money(value)\ return pretty_money(value)\
if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "" if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else ""

View File

@ -25,6 +25,7 @@
</a> </a>
</dd> </dd>
{% if "member.view_profile"|has_perm:user_object.profile %}
<dt class="col-xl-6">{% trans 'section'|capfirst %}</dt> <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
<dd class="col-xl-6">{{ user_object.profile.section }}</dd> <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
@ -45,6 +46,7 @@
<dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt> <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
<dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd> <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
{% endif %} {% endif %}
{% endif %}
</dl> </dl>
{% if user_object.pk == user.pk %} {% if user_object.pk == user.pk %}

View File

@ -70,6 +70,7 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
form.fields['email'].required = True form.fields['email'].required = True
form.fields['email'].help_text = _("This address must be valid.") form.fields['email'].help_text = _("This address must be valid.")
if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
context['profile_form'] = self.profile_form(instance=context['user_object'].profile, context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
data=self.request.POST if self.request.POST else None) data=self.request.POST if self.request.POST else None)
if not self.object.profile.report_frequency: if not self.object.profile.report_frequency:
@ -677,11 +678,13 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"): if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):
if not last_name: if not last_name:
form.add_error('last_name', _("This field is required.")) form.add_error('last_name', _("This field is required."))
error = True
if not first_name: if not first_name:
form.add_error('first_name', _("This field is required.")) form.add_error('first_name', _("This field is required."))
error = True
if not bank and credit_type.special_type == "Chèque": if not bank and credit_type.special_type == "Chèque":
form.add_error('bank', _("This field is required.")) form.add_error('bank', _("This field is required."))
return self.form_invalid(form) error = True
return not error return not error

View File

@ -2839,6 +2839,22 @@
"description": "Voir n'importe quel profil non encore inscrit" "description": "Voir n'importe quel profil non encore inscrit"
} }
}, },
{
"model": "permission.permission",
"pk": 182,
"fields": {
"model": [
"auth",
"user"
],
"query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}",
"type": "view",
"mask": 2,
"field": "",
"permanent": false,
"description": "Voir n'importe quel utilisateur qui est adhérent BDE"
}
},
{ {
"model": "permission.role", "model": "permission.role",
"pk": 1, "pk": 1,
@ -2971,14 +2987,14 @@
62, 62,
127, 127,
133, 133,
135,
136, 136,
141, 141,
142, 142,
150, 150,
166, 166,
167, 167,
168 168,
182
] ]
} }
}, },
@ -3271,7 +3287,12 @@
170, 170,
171, 171,
176, 176,
177 177,
178,
179,
180,
181,
182
] ]
} }
}, },
@ -3466,7 +3487,9 @@
56, 56,
57, 57,
58, 58,
137,
143, 143,
147,
150, 150,
166, 166,
167, 167,
@ -3474,7 +3497,8 @@
176, 176,
177, 177,
180, 180,
181 181,
182
] ]
} }
}, },

View File

@ -45,6 +45,7 @@ class InstancedPermission:
with transaction.atomic(): with transaction.atomic():
sid = transaction.savepoint() sid = transaction.savepoint()
for o in self.model.model_class().objects.filter(pk=0).all(): for o in self.model.model_class().objects.filter(pk=0).all():
o._no_signal = True
o._force_delete = True o._force_delete = True
Model.delete(o) Model.delete(o)
# An object with pk 0 wouldn't deleted. That's not normal, we alert admins. # An object with pk 0 wouldn't deleted. That's not normal, we alert admins.
@ -62,10 +63,6 @@ class InstancedPermission:
obj._no_signal = True obj._no_signal = True
Model.save(obj, force_insert=True) Model.save(obj, force_insert=True)
ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists() ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists()
# Delete testing object
obj._no_signal = True
obj._force_delete = True
Model.delete(obj)
transaction.savepoint_rollback(sid) transaction.savepoint_rollback(sid)
return ret return ret

View File

@ -51,8 +51,10 @@ class ProtectQuerysetMixin:
# No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make # No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make
# a custom request. # a custom request.
# We could also delete the field, but some views might be affected. # We could also delete the field, but some views might be affected.
meta = form.instance._meta
for key in form.base_fields: for key in form.base_fields:
if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object): if not PermissionBackend.check_perm(self.request.user,
f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
form.fields[key].widget = HiddenInput() form.fields[key].widget = HiddenInput()
return form return form