
Protect some pages

This commit is contained in:
Yohann D'ANELLO
2020-09-27 16:35:31 +02:00
parent 56193dbecf
commit 88c4a6b218
5 changed files with 136 additions and 65 deletions


@ -15,18 +15,20 @@ class CreateTeamView(LoginRequiredMixin, CreateView):
extra_context = dict(title=_("Create team"))
template_name = "participation/create_team.html"
@transaction.atomic
def form_valid(self, form):
user = self.request.user
def dispatch(self, request, *args, **kwargs):
user = request.user
registration = user.registration
if not registration.participates:
form.add_error(None, _("You don't participate, so you can't create a team."))
return self.form_invalid(form)
raise PermissionDenied(_("You don't participate, so you can't create a team."))
elif registration.team:
form.add_error(None, _("You are already in a team."))
return self.form_invalid(form)
raise PermissionDenied(_("You are already in a team."))
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
ret = super().form_valid(form)
user = self.request.user
registration = user.registration
registration.team = form.instance
registration.save()
return ret
@ -41,19 +43,21 @@ class JoinTeamView(LoginRequiredMixin, FormView):
extra_context = dict(title=_("Join team"))
template_name = "participation/create_team.html"
@transaction.atomic
def form_valid(self, form):
user = self.request.user
def dispatch(self, request, *args, **kwargs):
user = request.user
registration = user.registration
if not registration.participates:
form.add_error(None, _("You don't participate, so you can't create a team."))
return self.form_invalid(form)
raise PermissionDenied(_("You don't participate, so you can't create a team."))
elif registration.team:
form.add_error(None, _("You are already in a team."))
return self.form_invalid(form)
raise PermissionDenied(_("You are already in a team."))
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
self.object = form.instance
ret = super().form_valid(form)
user = self.request.user
registration = user.registration
registration.team = form.instance
registration.save()
return ret
@ -76,12 +80,24 @@ class MyTeamDetailView(LoginRequiredMixin, RedirectView):
class TeamDetailView(LoginRequiredMixin, DetailView):
model = Team
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_admin or user.registration.participates and user.registration.team.pk == kwargs["pk"]:
return super().dispatch(request, *args, **kwargs)
raise PermissionDenied
class TeamUpdateView(LoginRequiredMixin, UpdateView):
model = Team
form_class = TeamForm
template_name = "participation/update_team.html"
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_admin or user.registration.participates and user.registration.team.pk == kwargs["pk"]:
return super().dispatch(request, *args, **kwargs)
raise PermissionDenied
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context["participation_form"] = ParticipationForm(data=self.request.POST or None,
@ -115,11 +131,24 @@ class MyParticipationDetailView(LoginRequiredMixin, RedirectView):
class ParticipationDetailView(LoginRequiredMixin, DetailView):
model = Participation
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_admin or user.registration.participates and user.registration.team.participation.pk == kwargs["pk"]:
return super().dispatch(request, *args, **kwargs)
raise PermissionDenied
class UploadVideoView(LoginRequiredMixin, UpdateView):
model = Video
form_class = UploadVideoForm
template_name = "participation/upload_video.html"
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_admin or user.registration.participates\
and user.registration.team.participation.pk == self.object.participation.pk:
return super().dispatch(request, *args, **kwargs)
raise PermissionDenied
def get_success_url(self):
return reverse_lazy("participation:participation_detail", args=(self.object.participation.pk,))
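Review bot: In `UploadVideoView.dispatch` (last hunk) `self.object.participation.pk` reads `self.object` before it exists — `UpdateView` only assigns it inside `get()`/`post()`, which run after `dispatch` — so every request to this view fails with an AttributeError instead of being authorized; fetching it first with `self.object = self.get_object()` fixes that. The same hunk and the `TeamDetailView`/`ParticipationDetailView` hunks test `user.is_admin` on the `User` object, while the `is_admin` property this commit adds lives on `Registration` and the registration views use `user.registration.is_admin`; unless `User` has its own `is_admin` attribute elsewhere, this is a second AttributeError. Every new `dispatch` override in this commit (here and in the registration views) runs before `LoginRequiredMixin.dispatch` in the MRO, so an anonymous request dereferences `request.user.registration` and gets a 500 rather than a login redirect; a guard such as `if not request.user.is_authenticated: return self.handle_no_permission()` ahead of the checks restores the intended behaviour. The chains `user.registration.team.pk` / `user.registration.team.participation.pk` are also evaluated without checking that `team` is set, so a participant who has no team yet gets a 500 instead of a 403.
```python
    def dispatch(self, request, *args, **kwargs):
        if not request.user.is_authenticated:
            return self.handle_no_permission()
        self.object = self.get_object()
        registration = request.user.registration
        if registration.is_admin or registration.participates \
                and registration.team is not None \
                and registration.team.participation.pk == self.object.participation.pk:
            return super().dispatch(request, *args, **kwargs)
        raise PermissionDenied
```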


@ -59,6 +59,10 @@ class Registration(PolymorphicModel):
def participates(self):
return isinstance(self, StudentRegistration) or isinstance(self, CoachRegistration)
@property
def is_admin(self):
return isinstance(self, AdminRegistration) or self.user.is_superuser
def __str__(self):
return f"{self.user.first_name} {self.user.last_name}"


@ -21,6 +21,16 @@
<dd class="col-sm-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a>
{% if not user_object.registration.email_confirmed %} (<em>{% trans "Not confirmed" %}, <a href="{% url "registration:email_validation_resend" pk=user_object.pk %}">{% trans "resend the validation link" %}</a></em>){% endif %}</dd>
{% if user_object.registration.participates or True %}
<dt class="col-sm-6 text-right">{% trans "Team:" %}</dt>
{% trans "any" as any %}
<dd class="col-sm-6">
<a href="{% if user_object.registration.team %}{% url "participation:team_detail" pk=user_object.registration.team.pk %}{% else %}#{% endif %}">
{{ user_object.registration.team|default:any }}
</a>
</dd>
{% endif %}
{% if user_object.registration.studentregistration %}
<dt class="col-sm-6 text-right">{% trans "Student class:" %}</dt>
<dd class="col-sm-6">{{ user_object.registration.get_student_class_display }}</dd>
@ -32,7 +42,10 @@
<dd class="col-sm-6">
{% if user_object.registration.photo_authorization %}
<a href="{{ user_object.registration.photo_authorization.url }}" data-turbolinks="false">{% trans "Download" %}</a>
{% endif %} <button class="btn btn-primary" data-toggle="modal" data-target="#uploadPhotoAuthorizationModal">{% trans "Replace" %}</button>
{% endif %}
{% if user_object.pk == user.pk %}
<button class="btn btn-primary" data-toggle="modal" data-target="#uploadPhotoAuthorizationModal">{% trans "Replace" %}</button>
{% endif %}
</dd>
{% elif user_object.registration.coachregistration %}
<dt class="col-sm-6 text-right">{% trans "Profesional activity:" %}</dt>
@ -46,9 +59,11 @@
<dd class="col-sm-6">{{ user_object.registration.give_contact_to_animath|yesno }}</dd>
</dl>
</div>
<div class="card-footer text-center">
<button class="btn btn-primary" data-toggle="modal" data-target="#updateUserModal">{% trans "Update" %}</button>
</div>
{% if user.pk == user_object.pk or user.registration.is_admin %}
<div class="card-footer text-center">
<button class="btn btn-primary" data-toggle="modal" data-target="#updateUserModal">{% trans "Update" %}</button>
</div>
{% endif %}
</div>
{% trans "Update user" as modal_title %}
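Review bot: The condition `{% if user_object.registration.participates or True %}` in the first hunk is always true, so the `participates` test is dead and the Team row is rendered for every registration; it reads as a debugging leftover and should be either `{% if user_object.registration.participates %}` or an unconditional block. In the second hunk the "Replace" button is gated on `user_object.pk == user.pk` only, while the "Update" footer in the third hunk and the view-side check in `UserUploadPhotoAuthorizationView.dispatch` both also admit admins; `{% if user_object.pk == user.pk or user.registration.is_admin %}` would keep the template consistent with the authorization the views actually enforce. These template conditions only hide controls — the `PermissionDenied` checks in the views remain the real access control.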


@ -4,7 +4,7 @@ from corres2math.tokens import email_validation_token
from django.conf import settings
from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.auth.models import User
from django.core.exceptions import ValidationError
from django.core.exceptions import ValidationError, PermissionDenied
from django.db import transaction
from django.http import FileResponse, Http404
from django.shortcuts import redirect, resolve_url
@ -135,12 +135,24 @@ class UserDetailView(LoginRequiredMixin, DetailView):
context_object_name = "user_object"
template_name = "registration/user_detail.html"
def dispatch(self, request, *args, **kwargs):
user = request.user
if not user.registration.is_admin and user.pk != kwargs["pk"]:
raise PermissionDenied
return super().dispatch(request, *args, **kwargs)
class UserUpdateView(LoginRequiredMixin, UpdateView):
model = User
form_class = UserForm
template_name = "registration/update_user.html"
def dispatch(self, request, *args, **kwargs):
user = request.user
if not user.registration.is_admin and user.pk != kwargs["pk"]:
raise PermissionDenied
return super().dispatch(request, *args, **kwargs)
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
user = self.get_object()
@ -168,6 +180,12 @@ class UserUploadPhotoAuthorizationView(LoginRequiredMixin, UpdateView):
form_class = PhotoAuthorizationForm
template_name = "registration/upload_photo_authorization.html"
def dispatch(self, request, *args, **kwargs):
user = request.user
if not user.registration.is_admin and user.registration.pk != kwargs["pk"]:
raise PermissionDenied
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -186,6 +204,9 @@ class PhotoAuthorizationView(LoginRequiredMixin, View):
if not os.path.exists(path):
raise Http404
student = StudentRegistration.objects.get(photo_authorization__endswith=filename)
user = request.user
if not user.registration.is_admin and user.pk != student.user.pk:
raise PermissionDenied
mime = Magic(mime=True)
mime_type = mime.from_file(path)
ext = mime_type.split("/")[1].replace("jpeg", "jpg")
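Review bot: In the last hunk the ownership check `user.pk != student.user.pk` is tied to a record found by `StudentRegistration.objects.get(photo_authorization__endswith=filename)`, a suffix match on a user-supplied filename that can match a record other than the one whose file sits at `path`, and that surfaces `DoesNotExist`/`MultipleObjectsReturned` as a 500; resolving the record by an exact stored path (or by primary key) with `get_object_or_404` and then serving the file named by that record would make the check and the served file agree. The permission check also sits after the `os.path.exists` 404, so a 404/403 difference reveals whether another student's file exists; doing the ownership check before touching the filesystem avoids that. The enclosing method of `PhotoAuthorizationView` starts outside the hunk, so how `path` and `filename` are derived is not visible here. In the second hunk `user.pk != kwargs["pk"]` compares an int with whatever the URL converter yields; if the route is not declared with `<int:pk>` the comparison is int-vs-str and every non-admin is denied their own page — worth confirming against the urlconf.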