mirror of
https://gitlab.crans.org/bde/nk20
synced 2025-10-24 13:53:04 +02:00
Compare commits
19 Commits
v1.0.2
...
6d976f32bf
Author | SHA1 | Date | |
---|---|---|---|
|
6d976f32bf | ||
|
7bd895c1df | ||
|
051591cb7a | ||
|
0e7390b669 | ||
|
fe4363b83d | ||
|
6e80016b38 | ||
|
08e50ffc22 | ||
|
224a0fdd8c | ||
|
6dc7604e90 | ||
|
cb7f3c9f18 | ||
|
f910feca9e | ||
|
91f784872c | ||
|
58aa4983e3 | ||
|
6cc3cf4174 | ||
|
2097e67321 | ||
|
d773303d18 | ||
|
bf29efda0a | ||
|
3eced33082 | ||
|
acb3fb4a91 |
@@ -0,0 +1,50 @@
|
||||
import sys
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
def give_note_account_permissions(apps, schema_editor):
|
||||
"""
|
||||
Automatically manage the membership of the Note account.
|
||||
"""
|
||||
User = apps.get_model("auth", "user")
|
||||
Membership = apps.get_model("member", "membership")
|
||||
Role = apps.get_model("permission", "role")
|
||||
|
||||
note = User.objects.filter(username="note")
|
||||
if not note.exists():
|
||||
# We are in a test environment, don't log error message
|
||||
if len(sys.argv) > 1 and sys.argv[1] == 'test':
|
||||
return
|
||||
print("Warning: Note account was not found. The note account was not imported.")
|
||||
print("Make sure you have imported the NK15 database. The new import script handles correctly the permissions.")
|
||||
print("This migration will be ignored, you can re-run it if you forgot the note account or ignore it if you "
|
||||
"don't want this account.")
|
||||
return
|
||||
|
||||
note = note.get()
|
||||
|
||||
# Set for the two clubs a large expiration date and the correct role.
|
||||
for m in Membership.objects.filter(user_id=note.id).all():
|
||||
m.date_end = "3142-12-12"
|
||||
m.roles.set(Role.objects.filter(name="PC Kfet").all())
|
||||
m.save()
|
||||
# By default, the note account is only authorized to be logged from localhost.
|
||||
note.password = "ipbased$127.0.0.1"
|
||||
note.is_active = True
|
||||
note.save()
|
||||
# Ensure that the note of the account is disabled
|
||||
note.note.inactivity_reason = 'forced'
|
||||
note.note.is_active = False
|
||||
note.save()
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
('member', '0005_remove_null_tag_on_charfields'),
|
||||
('permission', '0001_initial'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.RunPython(give_note_account_permissions),
|
||||
]
|
@@ -43,8 +43,24 @@ class UserTable(tables.Table):
|
||||
|
||||
section = tables.Column(accessor='profile__section')
|
||||
|
||||
# Override the column to let replace the URL
|
||||
email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
|
||||
|
||||
balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
|
||||
|
||||
def render_email(self, record, value):
|
||||
# Replace the email by a dash if the user can't see the profile detail
|
||||
# Replace also the URL
|
||||
if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
|
||||
value = "—"
|
||||
record.email = value
|
||||
return value
|
||||
|
||||
def render_section(self, record, value):
|
||||
return value \
|
||||
if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
|
||||
else "—"
|
||||
|
||||
def render_balance(self, record, value):
|
||||
return pretty_money(value)\
|
||||
if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
|
||||
|
@@ -25,6 +25,7 @@
|
||||
</a>
|
||||
</dd>
|
||||
|
||||
{% if "member.view_profile"|has_perm:user_object.profile %}
|
||||
<dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
|
||||
<dd class="col-xl-6">{{ user_object.profile.section }}</dd>
|
||||
|
||||
@@ -45,6 +46,7 @@
|
||||
<dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
|
||||
<dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
</dl>
|
||||
|
||||
{% if user_object.pk == user.pk %}
|
||||
|
@@ -5,7 +5,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
|
||||
{% load i18n perms %}
|
||||
|
||||
{% block content %}
|
||||
{% if "member.change_profile_registration_valid"|has_perm:user %}
|
||||
{% if can_manage_registrations %}
|
||||
<a class="btn btn-block btn-secondary mb-3" href="{% url 'registration:future_user_list' %}">
|
||||
<i class="fa fa-user-plus"></i> {% trans "Registrations" %}
|
||||
</a>
|
||||
|
@@ -70,6 +70,7 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
|
||||
form.fields['email'].required = True
|
||||
form.fields['email'].help_text = _("This address must be valid.")
|
||||
|
||||
if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
|
||||
context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
|
||||
data=self.request.POST if self.request.POST else None)
|
||||
if not self.object.profile.report_frequency:
|
||||
@@ -234,6 +235,13 @@ class UserListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
|
||||
|
||||
return qs
|
||||
|
||||
def get_context_data(self, **kwargs):
|
||||
context = super().get_context_data(**kwargs)
|
||||
pre_registered_users = User.objects.filter(PermissionBackend.filter_queryset(self.request.user, User, "view"))\
|
||||
.filter(profile__registration_valid=False)
|
||||
context["can_manage_registrations"] = pre_registered_users.exists()
|
||||
return context
|
||||
|
||||
|
||||
class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
|
||||
"""
|
||||
@@ -247,8 +255,8 @@ class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
|
||||
def get_context_data(self, **kwargs):
|
||||
context = super().get_context_data(**kwargs)
|
||||
note = context['object'].note
|
||||
context["aliases"] = AliasTable(note.alias_set.filter(PermissionBackend
|
||||
.filter_queryset(self.request.user, Alias, "view")).all())
|
||||
context["aliases"] = AliasTable(
|
||||
note.alias_set.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
|
||||
context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
|
||||
note=context["object"].note,
|
||||
name="",
|
||||
@@ -450,8 +458,8 @@ class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
|
||||
def get_context_data(self, **kwargs):
|
||||
context = super().get_context_data(**kwargs)
|
||||
note = context['object'].note
|
||||
context["aliases"] = AliasTable(note.alias_set.filter(PermissionBackend
|
||||
.filter_queryset(self.request.user, Alias, "view")).all())
|
||||
context["aliases"] = AliasTable(note.alias_set.filter(
|
||||
PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
|
||||
context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
|
||||
note=context["object"].note,
|
||||
name="",
|
||||
@@ -670,11 +678,13 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
|
||||
if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):
|
||||
if not last_name:
|
||||
form.add_error('last_name', _("This field is required."))
|
||||
error = True
|
||||
if not first_name:
|
||||
form.add_error('first_name', _("This field is required."))
|
||||
error = True
|
||||
if not bank and credit_type.special_type == "Chèque":
|
||||
form.add_error('bank', _("This field is required."))
|
||||
return self.form_invalid(form)
|
||||
error = True
|
||||
|
||||
return not error
|
||||
|
||||
|
@@ -799,12 +799,12 @@
|
||||
"member",
|
||||
"membership"
|
||||
],
|
||||
"query": "{\"club\": [\"club\"]}",
|
||||
"query": "{}",
|
||||
"type": "change",
|
||||
"mask": 3,
|
||||
"field": "roles",
|
||||
"permanent": false,
|
||||
"description": "Modifier les rôles d'un adhérent d'un club"
|
||||
"description": "Modifier les rôles d'une adhésion"
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -2081,7 +2081,7 @@
|
||||
],
|
||||
"query": "{}",
|
||||
"type": "change",
|
||||
"mask": 1,
|
||||
"mask": 2,
|
||||
"field": "invalidity_reason",
|
||||
"permanent": false,
|
||||
"description": "Modifier la raison d'invalidité d'une transaction"
|
||||
@@ -2807,6 +2807,70 @@
|
||||
"description": "Voir ses propres alias, pour toujours"
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.permission",
|
||||
"pk": 180,
|
||||
"fields": {
|
||||
"model": [
|
||||
"auth",
|
||||
"user"
|
||||
],
|
||||
"query": "{\"profile__registration_valid\": false}",
|
||||
"type": "view",
|
||||
"mask": 2,
|
||||
"field": "",
|
||||
"permanent": false,
|
||||
"description": "Voir n'importe quel utilisateur non encore inscrit"
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.permission",
|
||||
"pk": 181,
|
||||
"fields": {
|
||||
"model": [
|
||||
"member",
|
||||
"profile"
|
||||
],
|
||||
"query": "{\"registration_valid\": false}",
|
||||
"type": "view",
|
||||
"mask": 2,
|
||||
"field": "",
|
||||
"permanent": false,
|
||||
"description": "Voir n'importe quel profil non encore inscrit"
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.permission",
|
||||
"pk": 182,
|
||||
"fields": {
|
||||
"model": [
|
||||
"auth",
|
||||
"user"
|
||||
],
|
||||
"query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}",
|
||||
"type": "view",
|
||||
"mask": 2,
|
||||
"field": "",
|
||||
"permanent": false,
|
||||
"description": "Voir n'importe quel utilisateur qui est adhérent BDE"
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.permission",
|
||||
"pk": 183,
|
||||
"fields": {
|
||||
"model": [
|
||||
"note",
|
||||
"note"
|
||||
],
|
||||
"query": "{}",
|
||||
"type": "change",
|
||||
"mask": 1,
|
||||
"field": "display_image",
|
||||
"permanent": false,
|
||||
"description": "Changer l'image de n'importe quelle note"
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.role",
|
||||
"pk": 1,
|
||||
@@ -2939,14 +3003,14 @@
|
||||
62,
|
||||
127,
|
||||
133,
|
||||
135,
|
||||
136,
|
||||
141,
|
||||
142,
|
||||
150,
|
||||
166,
|
||||
167,
|
||||
168
|
||||
168,
|
||||
182
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -3022,7 +3086,8 @@
|
||||
175,
|
||||
176,
|
||||
177,
|
||||
178
|
||||
178,
|
||||
183
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -3205,7 +3270,12 @@
|
||||
175,
|
||||
176,
|
||||
177,
|
||||
178
|
||||
178,
|
||||
179,
|
||||
180,
|
||||
181,
|
||||
182,
|
||||
183
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -3239,7 +3309,12 @@
|
||||
170,
|
||||
171,
|
||||
176,
|
||||
177
|
||||
177,
|
||||
178,
|
||||
179,
|
||||
180,
|
||||
181,
|
||||
182
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -3402,7 +3477,6 @@
|
||||
135,
|
||||
136,
|
||||
137,
|
||||
138,
|
||||
139,
|
||||
140,
|
||||
143,
|
||||
@@ -3415,6 +3489,41 @@
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "permission.role",
|
||||
"pk": 20,
|
||||
"fields": {
|
||||
"for_club": 2,
|
||||
"name": "PC Kfet",
|
||||
"permissions": [
|
||||
6,
|
||||
22,
|
||||
24,
|
||||
25,
|
||||
26,
|
||||
27,
|
||||
30,
|
||||
49,
|
||||
50,
|
||||
55,
|
||||
56,
|
||||
57,
|
||||
58,
|
||||
137,
|
||||
143,
|
||||
147,
|
||||
150,
|
||||
166,
|
||||
167,
|
||||
168,
|
||||
176,
|
||||
177,
|
||||
180,
|
||||
181,
|
||||
182
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"model": "wei.weirole",
|
||||
"pk": 12,
|
||||
|
@@ -45,6 +45,7 @@ class InstancedPermission:
|
||||
with transaction.atomic():
|
||||
sid = transaction.savepoint()
|
||||
for o in self.model.model_class().objects.filter(pk=0).all():
|
||||
o._no_signal = True
|
||||
o._force_delete = True
|
||||
Model.delete(o)
|
||||
# An object with pk 0 wouldn't deleted. That's not normal, we alert admins.
|
||||
@@ -62,10 +63,6 @@ class InstancedPermission:
|
||||
obj._no_signal = True
|
||||
Model.save(obj, force_insert=True)
|
||||
ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists()
|
||||
# Delete testing object
|
||||
obj._no_signal = True
|
||||
obj._force_delete = True
|
||||
Model.delete(obj)
|
||||
transaction.savepoint_rollback(sid)
|
||||
|
||||
return ret
|
||||
|
@@ -51,8 +51,10 @@ class ProtectQuerysetMixin:
|
||||
# No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make
|
||||
# a custom request.
|
||||
# We could also delete the field, but some views might be affected.
|
||||
meta = form.instance._meta
|
||||
for key in form.base_fields:
|
||||
if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object):
|
||||
if not PermissionBackend.check_perm(self.request.user,
|
||||
f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
|
||||
form.fields[key].widget = HiddenInput()
|
||||
|
||||
return form
|
||||
|
@@ -4,6 +4,8 @@
|
||||
import django_tables2 as tables
|
||||
from django.contrib.auth.models import User
|
||||
|
||||
from treasury.models import SogeCredit
|
||||
|
||||
|
||||
class FutureUserTable(tables.Table):
|
||||
"""
|
||||
@@ -21,6 +23,7 @@ class FutureUserTable(tables.Table):
|
||||
fields = ('last_name', 'first_name', 'username', 'email', )
|
||||
model = User
|
||||
row_attrs = {
|
||||
'class': 'table-row',
|
||||
'class': lambda record: 'table-row'
|
||||
+ (' bg-warning' if SogeCredit.objects.filter(user=record).exists() else ''),
|
||||
'data-href': lambda record: record.pk
|
||||
}
|
||||
|
@@ -235,7 +235,7 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
|
||||
fee += 8000
|
||||
ctx["total_fee"] = "{:.02f}".format(fee / 100, )
|
||||
|
||||
ctx["declare_soge_account"] = True
|
||||
ctx["declare_soge_account"] = SogeCredit.objects.filter(user=user).exists()
|
||||
|
||||
return ctx
|
||||
|
||||
|
Submodule apps/scripts updated: 7e27c3b71b...654492f9e9
@@ -28,6 +28,8 @@ class TreasuryConfig(AppConfig):
|
||||
source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
|
||||
specialtransactionproxy=None,
|
||||
):
|
||||
SpecialTransactionProxy.objects.create(transaction=transaction, remittance=None)
|
||||
proxy = SpecialTransactionProxy(transaction=transaction, remittance=None)
|
||||
proxy._force_save = True
|
||||
proxy.save()
|
||||
|
||||
post_migrate.connect(setup_specialtransactions_proxies, sender=SpecialTransactionProxy)
|
||||
|
@@ -10,9 +10,8 @@ def save_special_transaction(instance, created, **kwargs):
|
||||
"""
|
||||
|
||||
if not hasattr(instance, "_no_signal"):
|
||||
if instance.is_credit():
|
||||
if created and RemittanceType.objects.filter(note=instance.source).exists():
|
||||
SpecialTransactionProxy.objects.create(transaction=instance, remittance=None).save()
|
||||
else:
|
||||
if created and RemittanceType.objects.filter(note=instance.destination).exists():
|
||||
SpecialTransactionProxy.objects.create(transaction=instance, remittance=None).save()
|
||||
if created and RemittanceType.objects.filter(
|
||||
note=instance.source if instance.is_credit() else instance.destination).exists():
|
||||
proxy = SpecialTransactionProxy(transaction=instance, remittance=None)
|
||||
proxy._force_save = True
|
||||
proxy.save()
|
||||
|
@@ -147,4 +147,4 @@ class SogeCreditTable(tables.Table):
|
||||
|
||||
class Meta:
|
||||
model = SogeCredit
|
||||
fields = ('user', 'amount', 'valid', )
|
||||
fields = ('user', 'user__last_name', 'user__first_name', 'amount', 'valid', )
|
||||
|
@@ -11,8 +11,14 @@ SPDX-License-Identifier: GPL-3.0-or-later
|
||||
</div>
|
||||
<div class="card-body">
|
||||
<dl class="row">
|
||||
<dt class="col-xl-6 text-right">{% trans 'user'|capfirst %}</dt>
|
||||
<dd class="col-xl-6"><a href="{% url 'member:user_detail' pk=object.user.pk %}">{{ object.user }}</a></dd>
|
||||
<dt class="col-xl-6 text-right">{% trans 'last name'|capfirst %}</dt>
|
||||
<dd class="col-xl-6">{{ object.user.last_name }}</dd>
|
||||
|
||||
<dt class="col-xl-6 text-right">{% trans 'first name'|capfirst %}</dt>
|
||||
<dd class="col-xl-6">{{ object.user.first_name }}</dd>
|
||||
|
||||
<dt class="col-xl-6 text-right">{% trans 'username'|capfirst %}</dt>
|
||||
<dd class="col-xl-6"><a href="{% url 'member:user_detail' pk=object.user.pk %}">{{ object.user.username }}</a></dd>
|
||||
|
||||
{% if "note.view_note_balance"|has_perm:object.user.note %}
|
||||
<dt class="col-xl-6 text-right">{% trans 'balance'|capfirst %}</dt>
|
||||
|
@@ -2,12 +2,12 @@
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib.auth import login
|
||||
from django.contrib.auth.models import AnonymousUser, User
|
||||
from django.contrib.sessions.backends.db import SessionStore
|
||||
|
||||
from threading import local
|
||||
|
||||
from django.contrib.sessions.backends.db import SessionStore
|
||||
|
||||
USER_ATTR_NAME = getattr(settings, 'LOCAL_USER_ATTR_NAME', '_current_user')
|
||||
SESSION_ATTR_NAME = getattr(settings, 'LOCAL_SESSION_ATTR_NAME', '_current_session')
|
||||
IP_ATTR_NAME = getattr(settings, 'LOCAL_IP_ATTR_NAME', '_current_ip')
|
||||
@@ -78,6 +78,41 @@ class SessionMiddleware(object):
|
||||
return response
|
||||
|
||||
|
||||
class LoginByIPMiddleware(object):
|
||||
"""
|
||||
Allow some users to be authenticated based on their IP address.
|
||||
For example, the "note" account should not be used elsewhere than the Kfet computer,
|
||||
and should not have any password.
|
||||
The password that is stored in database should be on the form "ipbased$my.public.ip.address".
|
||||
"""
|
||||
|
||||
def __init__(self, get_response):
|
||||
self.get_response = get_response
|
||||
|
||||
def __call__(self, request):
|
||||
"""
|
||||
If the user is not authenticated, get the used IP address
|
||||
and check if an user is authorized to be automatically logged with this address.
|
||||
If it is the case, the logging is performed with the full rights.
|
||||
"""
|
||||
if not request.user.is_authenticated:
|
||||
if 'HTTP_X_REAL_IP' in request.META:
|
||||
ip = request.META.get('HTTP_X_REAL_IP')
|
||||
elif 'HTTP_X_FORWARDED_FOR' in request.META:
|
||||
ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
|
||||
else:
|
||||
ip = request.META.get('REMOTE_ADDR')
|
||||
|
||||
qs = User.objects.filter(password=f"ipbased${ip}")
|
||||
if qs.exists():
|
||||
login(request, qs.get())
|
||||
session = request.session
|
||||
session["permission_mask"] = 42
|
||||
session.save()
|
||||
|
||||
return self.get_response(request)
|
||||
|
||||
|
||||
class TurbolinksMiddleware(object):
|
||||
"""
|
||||
Send the `Turbolinks-Location` header in response to a visit that was redirected,
|
||||
|
@@ -49,9 +49,6 @@ try:
|
||||
except ImportError:
|
||||
pass
|
||||
|
||||
if "logs" in INSTALLED_APPS:
|
||||
MIDDLEWARE += ('note_kfet.middlewares.SessionMiddleware',)
|
||||
|
||||
if DEBUG:
|
||||
PASSWORD_HASHERS += ['member.hashers.DebugSuperuserBackdoor']
|
||||
if "debug_toolbar" in INSTALLED_APPS:
|
||||
|
@@ -79,6 +79,8 @@ MIDDLEWARE = [
|
||||
'django.middleware.locale.LocaleMiddleware',
|
||||
'django.contrib.sites.middleware.CurrentSiteMiddleware',
|
||||
'django_htcpcp_tea.middleware.HTCPCPTeaMiddleware',
|
||||
'note_kfet.middlewares.SessionMiddleware',
|
||||
'note_kfet.middlewares.LoginByIPMiddleware',
|
||||
'note_kfet.middlewares.TurbolinksMiddleware',
|
||||
]
|
||||
|
||||
|
@@ -7,7 +7,7 @@ django-extensions~=2.1.4
|
||||
django-filter~=2.1.0
|
||||
django-htcpcp-tea~=0.3.1
|
||||
django-mailer~=2.0.1
|
||||
django-oauth-toolkit~=1.1.2
|
||||
django-oauth-toolkit~=1.3.3
|
||||
django-phonenumber-field~=5.0.0
|
||||
django-polymorphic~=2.0.3
|
||||
djangorestframework~=3.9.0
|
||||
|
Reference in New Issue
Block a user