Don't display too much detail when a user has no right to see a profile

2020-10-25 21:29:44 +01:00 · 2020-10-25 21:29:44 +01:00 · fe4363b83d
parent 6e80016b38
commit fe4363b83d
2 changed files with 32 additions and 14 deletions
--- a/apps/member/tables.py
+++ b/apps/member/tables.py
@ -43,8 +43,24 @@ class UserTable(tables.Table):
    section = tables.Column(accessor='profile__section')
    # Override the column to let replace the URL
    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
    balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
    def render_email(self, record, value):
        # Replace the email by a dash if the user can't see the profile detail
        # Replace also the URL
        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
            value = "—"
            record.email = value
        return value
    def render_section(self, record, value):
        return value \
            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
            else "—"
    def render_balance(self, record, value):
        return pretty_money(value)\
            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
--- a/apps/member/templates/member/includes/profile_info.html
+++ b/apps/member/templates/member/includes/profile_info.html
@ -25,25 +25,27 @@
        </a>
    </dd>
-    <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
+    {% if "member.view_profile"|has_perm:user_object.profile %}
-    <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
+        <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
        <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
-    <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
+        <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
+        <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
-    <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
+        <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+        <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
-    </dd>
+        </dd>
-    <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
+        <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+        <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
-    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-    <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
-    <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
        {% endif %}
    {% endif %}
 </dl>