Protect some pages

apps/registration/models.py

@@ -59,6 +59,10 @@ class Registration(PolymorphicModel):
     def participates(self):
         return isinstance(self, StudentRegistration) or isinstance(self, CoachRegistration)
 
+    @property
+    def is_admin(self):
+        return isinstance(self, AdminRegistration) or self.user.is_superuser
+
     def __str__(self):
         return f"{self.user.first_name} {self.user.last_name}"
 

apps/registration/templates/registration/user_detail.html

@@ -21,6 +21,16 @@
             <dd class="col-sm-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a>
                 {% if not user_object.registration.email_confirmed %} (<em>{% trans "Not confirmed" %}, <a href="{% url "registration:email_validation_resend" pk=user_object.pk %}">{% trans "resend the validation link" %}</a></em>){% endif %}</dd>
 
+            {% if user_object.registration.participates or True %}
+                <dt class="col-sm-6 text-right">{% trans "Team:" %}</dt>
+                {% trans "any" as any %}
+                <dd class="col-sm-6">
+                    <a href="{% if user_object.registration.team %}{% url "participation:team_detail" pk=user_object.registration.team.pk %}{% else %}#{% endif %}">
+                        {{ user_object.registration.team|default:any }}
+                    </a>
+                </dd>
+            {% endif %}
+
             {% if user_object.registration.studentregistration %}
                 <dt class="col-sm-6 text-right">{% trans "Student class:" %}</dt>
                 <dd class="col-sm-6">{{ user_object.registration.get_student_class_display }}</dd>
@@ -32,7 +42,10 @@
                 <dd class="col-sm-6">
                     {% if user_object.registration.photo_authorization %}
                         <a href="{{ user_object.registration.photo_authorization.url }}" data-turbolinks="false">{% trans "Download" %}</a>
-                    {% endif %} <button class="btn btn-primary" data-toggle="modal" data-target="#uploadPhotoAuthorizationModal">{% trans "Replace" %}</button>
+                    {% endif %}
+                    {% if user_object.pk == user.pk %}
+                        <button class="btn btn-primary" data-toggle="modal" data-target="#uploadPhotoAuthorizationModal">{% trans "Replace" %}</button>
+                    {% endif %}
                 </dd>
             {% elif user_object.registration.coachregistration %}
                 <dt class="col-sm-6 text-right">{% trans "Profesional activity:" %}</dt>
@@ -46,9 +59,11 @@
             <dd class="col-sm-6">{{ user_object.registration.give_contact_to_animath|yesno }}</dd>
         </dl>
     </div>
-    <div class="card-footer text-center">
-        <button class="btn btn-primary" data-toggle="modal" data-target="#updateUserModal">{% trans "Update" %}</button>
-    </div>
+    {% if user.pk == user_object.pk or user.registration.is_admin %}
+        <div class="card-footer text-center">
+            <button class="btn btn-primary" data-toggle="modal" data-target="#updateUserModal">{% trans "Update" %}</button>
+        </div>
+    {% endif %}
     </div>
 
     {% trans "Update user" as modal_title %}

apps/registration/views.py

@@ -4,7 +4,7 @@ from corres2math.tokens import email_validation_token
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.models import User
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, PermissionDenied
 from django.db import transaction
 from django.http import FileResponse, Http404
 from django.shortcuts import redirect, resolve_url
@@ -135,12 +135,24 @@ class UserDetailView(LoginRequiredMixin, DetailView):
     context_object_name = "user_object"
     template_name = "registration/user_detail.html"
 
+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
 
 class UserUpdateView(LoginRequiredMixin, UpdateView):
     model = User
     form_class = UserForm
     template_name = "registration/update_user.html"
 
+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         user = self.get_object()
@@ -168,6 +180,12 @@ class UserUploadPhotoAuthorizationView(LoginRequiredMixin, UpdateView):
     form_class = PhotoAuthorizationForm
     template_name = "registration/upload_photo_authorization.html"
 
+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.registration.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@@ -186,6 +204,9 @@ class PhotoAuthorizationView(LoginRequiredMixin, View):
         if not os.path.exists(path):
             raise Http404
         student = StudentRegistration.objects.get(photo_authorization__endswith=filename)
+        user = request.user
+        if not user.registration.is_admin and user.pk != student.user.pk:
+            raise PermissionDenied
         mime = Magic(mime=True)
         mime_type = mime.from_file(path)
         ext = mime_type.split("/")[1].replace("jpeg", "jpg")