Merge branch 'dev' into 'master'

Fix the permission to see a user page

See merge request animath/si/plateforme-tfjm!10

apps/registration/views.py

@@ -25,7 +25,7 @@ from django_tables2 import SingleTableView
 from magic import Magic
 from participation.models import Passage, Solution, Synthesis, Tournament
 from tfjm.tokens import email_validation_token
-from tfjm.views import AdminMixin, UserMixin, VolunteerMixin
+from tfjm.views import AdminMixin, UserMixin, UserRegistrationMixin, VolunteerMixin
 
 from .forms import AddOrganizerForm, AdminRegistrationForm, CoachRegistrationForm, HealthSheetForm, \
     ParentalAuthorizationForm, PaymentForm, PhotoAuthorizationForm, SignupForm, StudentRegistrationForm, UserForm, \
@@ -226,7 +226,7 @@ class MyAccountDetailView(LoginRequiredMixin, RedirectView):
         return reverse_lazy("registration:user_detail", args=(self.request.user.pk,))
 
 
-class UserDetailView(UserMixin, DetailView):
+class UserDetailView(LoginRequiredMixin, DetailView):
     """
     Display the detail about a user.
     """
@@ -271,12 +271,6 @@ class UserUpdateView(UserMixin, UpdateView):
     form_class = UserForm
     template_name = "registration/update_user.html"
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object():
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         user = self.get_object()
@@ -309,7 +303,7 @@ class UserUpdateView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.pk,))
 
 
-class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
+class UserUploadPhotoAuthorizationView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its photo authorization.
     """
@@ -318,12 +312,6 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
     template_name = "registration/upload_photo_authorization.html"
     extra_context = dict(title=_("Upload photo authorization"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@@ -336,7 +324,7 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
 
 
-class UserUploadHealthSheetView(UserMixin, UpdateView):
+class UserUploadHealthSheetView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its health sheet.
     """
@@ -345,12 +333,6 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
     template_name = "registration/upload_health_sheet.html"
     extra_context = dict(title=_("Upload health sheet"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@@ -363,7 +345,7 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
 
 
-class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
+class UserUploadParentalAuthorizationView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its parental authorization.
     """
@@ -372,12 +354,6 @@ class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
     template_name = "registration/upload_parental_authorization.html"
     extra_context = dict(title=_("Upload parental authorization"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)

locale/fr/LC_MESSAGES/django.po

@@ -790,7 +790,7 @@ msgstr "Remplacer"
 
 #: apps/participation/templates/participation/team_detail.html:104
 msgid "Download all authorizations"
-msgstr "Télécharger toutes les authorisations"
+msgstr "Télécharger toutes les autorisations"
 
 #: apps/participation/templates/participation/team_detail.html:111
 #: apps/participation/templates/participation/team_detail.html:178

tfjm/views.py

@@ -20,6 +20,14 @@ class VolunteerMixin(LoginRequiredMixin):
 
 
 class UserMixin(LoginRequiredMixin):
+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if user.is_authenticated and not user.registration.is_admin and user.pk != kwargs["pk"]:
+            self.handle_no_permission()
+        return super().dispatch(request, *args, **kwargs)
+
+
+class UserRegistrationMixin(LoginRequiredMixin):
     def dispatch(self, request, *args, **kwargs):
         user = request.user
         if user.is_authenticated and not user.registration.is_admin and user.registration.pk != kwargs["pk"]: