1
0
mirror of https://gitlab.com/animath/si/plateforme.git synced 2024-12-24 18:22:24 +00:00

Add protected pages to view authorizations

This commit is contained in:
Yohann D'ANELLO 2020-12-30 11:03:12 +01:00
parent 6611c1c896
commit e2e2c97584
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
3 changed files with 54 additions and 5 deletions

View File

@ -298,7 +298,7 @@ class TestRegistration(TestCase):
self.assertTrue(getattr(self.student.registration, auth_type)) self.assertTrue(getattr(self.student.registration, auth_type))
response = self.client.get(reverse( response = self.client.get(reverse(
auth_type, args=(self.student.registration.photo_authorization.name.split('/')[-1],))) auth_type, args=(getattr(self.student.registration, auth_type).name.split('/')[-1],)))
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
from participation.models import Team from participation.models import Team

View File

@ -21,7 +21,7 @@ from tfjm.views import AdminMixin, UserMixin
from .forms import CoachRegistrationForm, HealthSheetForm, ParentalAuthorizationForm, PhotoAuthorizationForm,\ from .forms import CoachRegistrationForm, HealthSheetForm, ParentalAuthorizationForm, PhotoAuthorizationForm,\
SignupForm, StudentRegistrationForm, UserForm SignupForm, StudentRegistrationForm, UserForm
from .models import Registration, StudentRegistration from .models import Registration, StudentRegistration, ParticipantRegistration
from .tables import RegistrationTable from .tables import RegistrationTable
@ -284,7 +284,7 @@ class PhotoAuthorizationView(LoginRequiredMixin, View):
path = f"media/authorization/photo/{filename}" path = f"media/authorization/photo/{filename}"
if not os.path.exists(path): if not os.path.exists(path):
raise Http404 raise Http404
student = StudentRegistration.objects.get(photo_authorization__endswith=filename) student = ParticipantRegistration.objects.get(photo_authorization__endswith=filename)
user = request.user user = request.user
if not user.registration.is_admin and user.pk != student.user.pk: if not user.registration.is_admin and user.pk != student.user.pk:
raise PermissionDenied raise PermissionDenied
@ -297,6 +297,50 @@ class PhotoAuthorizationView(LoginRequiredMixin, View):
return FileResponse(open(path, "rb"), content_type=mime_type, filename=true_file_name) return FileResponse(open(path, "rb"), content_type=mime_type, filename=true_file_name)
class HealthSheetView(LoginRequiredMixin, View):
"""
Display the sent health sheet.
"""
def get(self, request, *args, **kwargs):
filename = kwargs["filename"]
path = f"media/authorization/health/{filename}"
if not os.path.exists(path):
raise Http404
student = ParticipantRegistration.objects.get(health_sheet__endswith=filename)
user = request.user
if not user.registration.is_admin and user.pk != student.user.pk:
raise PermissionDenied
# Guess mime type of the file
mime = Magic(mime=True)
mime_type = mime.from_file(path)
ext = mime_type.split("/")[1].replace("jpeg", "jpg")
# Replace file name
true_file_name = _("Health sheet of {student}.{ext}").format(student=str(student), ext=ext)
return FileResponse(open(path, "rb"), content_type=mime_type, filename=true_file_name)
class ParentalAuthorizationView(LoginRequiredMixin, View):
"""
Display the sent parental authorization.
"""
def get(self, request, *args, **kwargs):
filename = kwargs["filename"]
path = f"media/authorization/parental/{filename}"
if not os.path.exists(path):
raise Http404
student = StudentRegistration.objects.get(parental_authorization__endswith=filename)
user = request.user
if not user.registration.is_admin and user.pk != student.user.pk:
raise PermissionDenied
# Guess mime type of the file
mime = Magic(mime=True)
mime_type = mime.from_file(path)
ext = mime_type.split("/")[1].replace("jpeg", "jpg")
# Replace file name
true_file_name = _("Parental authorization of {student}.{ext}").format(student=str(student), ext=ext)
return FileResponse(open(path, "rb"), content_type=mime_type, filename=true_file_name)
class UserImpersonateView(LoginRequiredMixin, RedirectView): class UserImpersonateView(LoginRequiredMixin, RedirectView):
""" """
An administrator can log in through this page as someone else, and act as this other person. An administrator can log in through this page as someone else, and act as this other person.

View File

@ -21,7 +21,7 @@ from django.contrib import admin
from django.urls import include, path from django.urls import include, path
from django.views.defaults import bad_request, page_not_found, permission_denied, server_error from django.views.defaults import bad_request, page_not_found, permission_denied, server_error
from django.views.generic import TemplateView from django.views.generic import TemplateView
from registration.views import PhotoAuthorizationView from registration.views import HealthSheetView, ParentalAuthorizationView, PhotoAuthorizationView
from .views import AdminSearchView from .views import AdminSearchView
@ -38,7 +38,12 @@ urlpatterns = [
path('participation/', include('participation.urls')), path('participation/', include('participation.urls')),
path('registration/', include('registration.urls')), path('registration/', include('registration.urls')),
path('media/authorization/photo/<str:filename>/', PhotoAuthorizationView.as_view(), name='photo_authorization'), path('media/authorization/photo/<str:filename>/', PhotoAuthorizationView.as_view(),
name='photo_authorization'),
path('media/authorization/health/<str:filename>/', HealthSheetView.as_view(),
name='health_sheet'),
path('media/authorization/parental/<str:filename>/', ParentalAuthorizationView.as_view(),
name='parental_authorization'),
path('', include('eastereggs.urls')), path('', include('eastereggs.urls')),
] ]