From ea38c0663146711b661442acb0e9b938ee2956a4 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sat, 23 Jan 2021 11:02:26 +0100
Subject: [PATCH] Fix the permission to see a user page
---
 apps/registration/views.py | 34 +++++----------------------
 locale/fr/LC_MESSAGES/django.po | 2 +-
 tfjm/views.py | 8 ++++++++
 3 files changed, 14 insertions(+), 30 deletions(-)
diff --git a/apps/registration/views.py b/apps/registration/views.py
index 0610eee..00a3616 100644
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
@@ -25,7 +25,7 @@ from django_tables2 import SingleTableView
 from magic import Magic
 from participation.models import Passage, Solution, Synthesis, Tournament
 from tfjm.tokens import email_validation_token
-from tfjm.views import AdminMixin, UserMixin, VolunteerMixin
+from tfjm.views import AdminMixin, UserMixin, UserRegistrationMixin, VolunteerMixin
 
 from .forms import AddOrganizerForm, AdminRegistrationForm, CoachRegistrationForm, HealthSheetForm, \
     ParentalAuthorizationForm, PaymentForm, PhotoAuthorizationForm, SignupForm, StudentRegistrationForm, UserForm, \
@@ -226,7 +226,7 @@ class MyAccountDetailView(LoginRequiredMixin, RedirectView):
         return reverse_lazy("registration:user_detail", args=(self.request.user.pk,))
 
 
-class UserDetailView(UserMixin, DetailView):
+class UserDetailView(LoginRequiredMixin, DetailView):
     """
     Display the detail about a user.
     """
@@ -271,12 +271,6 @@ class UserUpdateView(UserMixin, UpdateView):
     form_class = UserForm
     template_name = "registration/update_user.html"
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object():
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         user = self.get_object()
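Review bot: Replacing `UserMixin` with `LoginRequiredMixin` on `UserDetailView` lets any authenticated account open any user's detail page by pk, where the previous guard allowed only admins or the user themself; the commit title says this widening is intended, but nothing in the class records it. The same file handles health sheets, parental authorizations and photo authorizations for the displayed user, so the template (not in this diff) should be confirmed to hide those fields and file links unless `request.user.registration.is_admin` or the viewer is that user. I would extend the docstring with `Visible to every logged-in user; sensitive registration documents must be gated in the template.` so the next maintainer does not re-tighten or re-loosen it by accident. The class body continues outside the hunk.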
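Review bot: Dropping the `dispatch` override on `UserUpdateView` makes the admin-or-self check depend entirely on the new `UserMixin.dispatch` in tfjm/views.py later in this patch, and that version calls `self.handle_no_permission()` without `return`, whereas the removed code returned it. The denial then only works because Django's `AccessMixin.handle_no_permission` raises `PermissionDenied` for authenticated users (Django 2.1 and later, as far as I recall); on the redirect path the built response would be discarded and `super().dispatch()` would still run the update. Writing `return self.handle_no_permission()` in the mixin restores the explicit short-circuit the old override had and stops relying on that raise. `get_context_data` continues outside the hunk.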
@@ -309,7 +303,7 @@ class UserUpdateView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.pk,))
 
 
-class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
+class UserUploadPhotoAuthorizationView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its photo authorization.
     """
@@ -318,12 +312,6 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
     template_name = "registration/upload_photo_authorization.html"
     extra_context = dict(title=_("Upload photo authorization"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@@ -336,7 +324,7 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
 
 
-class UserUploadHealthSheetView(UserMixin, UpdateView):
+class UserUploadHealthSheetView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its health sheet.
     """
@@ -345,12 +333,6 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
     template_name = "registration/upload_health_sheet.html"
     extra_context = dict(title=_("Upload health sheet"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
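Review bot: With the per-view `dispatch` removed from `UserUploadHealthSheetView`, the only thing keeping a non-admin student on their own record is the pk comparison in `UserRegistrationMixin`, while `get_object()` still resolves any pk in the table and `form_valid` then loads it with `StudentRegistration.objects.get(pk=self.object.pk)`. The removed override compared `self.get_object().user` with the requester; a queryset restriction would keep that ownership check as defense in depth so a mismatch yields a 404 even if the mixin is bypassed or misconfigured: `def get_queryset(self):` / `qs = super().get_queryset()` / `return qs if self.request.user.registration.is_admin else qs.filter(user=self.request.user)`. The same applies to the photo-authorization view above it. `form_valid` continues outside the hunk.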
@@ -363,7 +345,7 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
         return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
 
 
-class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
+class UserUploadParentalAuthorizationView(UserRegistrationMixin, UpdateView):
     """
     A participant can send its parental authorization.
     """
@@ -372,12 +354,6 @@ class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
     template_name = "registration/upload_parental_authorization.html"
     extra_context = dict(title=_("Upload parental authorization"))
 
-    def dispatch(self, request, *args, **kwargs):
-        if not self.request.user.is_authenticated or \
-                not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
     @transaction.atomic
     def form_valid(self, form):
         old_instance = StudentRegistration.objects.get(pk=self.object.pk)
diff --git a/locale/fr/LC_MESSAGES/django.po b/locale/fr/LC_MESSAGES/django.po
index fec210a..7d7ccf6 100644
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@@ -790,7 +790,7 @@ msgstr "Remplacer"
 
 #: apps/participation/templates/participation/team_detail.html:104
 msgid "Download all authorizations"
-msgstr "Télécharger toutes les authorisations"
+msgstr "Télécharger toutes les autorisations"
 
 #: apps/participation/templates/participation/team_detail.html:111
 #: apps/participation/templates/participation/team_detail.html:178
diff --git a/tfjm/views.py b/tfjm/views.py
index 5160bd9..39bca65 100644
--- a/tfjm/views.py
+++ b/tfjm/views.py
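Review bot: `UserUploadParentalAuthorizationView` now relies on `UserRegistrationMixin` reading `kwargs["pk"]` directly, so it only denies access if its URL pattern names the captured value `pk`; with any other kwarg name (or a `slug` route) the mixin raises `KeyError` and the request ends in a 500 instead of a 403. The URL conf is not in this diff, so this is worth confirming, and the comparison also assumes the converter yields the same type as `registration.pk` (an `<int:pk>` route, presumably). Reading the view's own `self.pk_url_kwarg` in the mixin, or at least `kwargs.get("pk")`, would keep the check fail-closed rather than crashing. `form_valid` continues outside the hunk.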
@@ -20,6 +20,14 @@ class VolunteerMixin(LoginRequiredMixin):
 
 class UserMixin(LoginRequiredMixin):
+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if user.is_authenticated and not user.registration.is_admin and user.pk != kwargs["pk"]:
+            self.handle_no_permission()
+        return super().dispatch(request, *args, **kwargs)
+
+
+class UserRegistrationMixin(LoginRequiredMixin):
     def dispatch(self, request, *args, **kwargs):
         user = request.user
         if user.is_authenticated and not user.registration.is_admin and user.registration.pk != kwargs["pk"]: