ynerant
/
plateforme-tfjm2
mirror of https://gitlab.com/animath/si/plateforme.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix the permission to see a user page

This commit is contained in:
Yohann D'ANELLO 2021-01-23 11:02:26 +01:00
parent 0cd7ff512f
commit ea38c06631
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
3 changed files with 14 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
apps/registration/views.py
View File

@ -25,7 +25,7 @@ from django_tables2 import SingleTableView
from magic import Magic from magic import Magic
from participation.models import Passage, Solution, Synthesis, Tournament from participation.models import Passage, Solution, Synthesis, Tournament
from tfjm.tokens import email_validation_token from tfjm.tokens import email_validation_token
from tfjm.views import AdminMixin, UserMixin, VolunteerMixin from tfjm.views import AdminMixin, UserMixin, UserRegistrationMixin, VolunteerMixin
from .forms import AddOrganizerForm, AdminRegistrationForm, CoachRegistrationForm, HealthSheetForm, \ from .forms import AddOrganizerForm, AdminRegistrationForm, CoachRegistrationForm, HealthSheetForm, \
ParentalAuthorizationForm, PaymentForm, PhotoAuthorizationForm, SignupForm, StudentRegistrationForm, UserForm, \ ParentalAuthorizationForm, PaymentForm, PhotoAuthorizationForm, SignupForm, StudentRegistrationForm, UserForm, \
@ -226,7 +226,7 @@ class MyAccountDetailView(LoginRequiredMixin, RedirectView):
return reverse_lazy("registration:user_detail", args=(self.request.user.pk,)) return reverse_lazy("registration:user_detail", args=(self.request.user.pk,))
class UserDetailView(UserMixin, DetailView): class UserDetailView(LoginRequiredMixin, DetailView):
""" """
Display the detail about a user. Display the detail about a user.
""" """
@ -271,12 +271,6 @@ class UserUpdateView(UserMixin, UpdateView):
form_class = UserForm form_class = UserForm
template_name = "registration/update_user.html" template_name = "registration/update_user.html"
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object():
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs) context = super().get_context_data(**kwargs)
user = self.get_object() user = self.get_object()
@ -309,7 +303,7 @@ class UserUpdateView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.pk,)) return reverse_lazy("registration:user_detail", args=(self.object.pk,))
class UserUploadPhotoAuthorizationView(UserMixin, UpdateView): class UserUploadPhotoAuthorizationView(UserRegistrationMixin, UpdateView):
""" """
A participant can send its photo authorization. A participant can send its photo authorization.
""" """
@ -318,12 +312,6 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
template_name = "registration/upload_photo_authorization.html" template_name = "registration/upload_photo_authorization.html"
extra_context = dict(title=_("Upload photo authorization")) extra_context = dict(title=_("Upload photo authorization"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic @transaction.atomic
def form_valid(self, form): def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk) old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -336,7 +324,7 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.user.pk,)) return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
class UserUploadHealthSheetView(UserMixin, UpdateView): class UserUploadHealthSheetView(UserRegistrationMixin, UpdateView):
""" """
A participant can send its health sheet. A participant can send its health sheet.
""" """
@ -345,12 +333,6 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
template_name = "registration/upload_health_sheet.html" template_name = "registration/upload_health_sheet.html"
extra_context = dict(title=_("Upload health sheet")) extra_context = dict(title=_("Upload health sheet"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic @transaction.atomic
def form_valid(self, form): def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk) old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -363,7 +345,7 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.user.pk,)) return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
class UserUploadParentalAuthorizationView(UserMixin, UpdateView): class UserUploadParentalAuthorizationView(UserRegistrationMixin, UpdateView):
""" """
A participant can send its parental authorization. A participant can send its parental authorization.
""" """
@ -372,12 +354,6 @@ class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
template_name = "registration/upload_parental_authorization.html" template_name = "registration/upload_parental_authorization.html"
extra_context = dict(title=_("Upload parental authorization")) extra_context = dict(title=_("Upload parental authorization"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic @transaction.atomic
def form_valid(self, form): def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk) old_instance = StudentRegistration.objects.get(pk=self.object.pk)

2
locale/fr/LC_MESSAGES/django.po
View File

@ -790,7 +790,7 @@ msgstr "Remplacer"
#: apps/participation/templates/participation/team_detail.html:104 #: apps/participation/templates/participation/team_detail.html:104
msgid "Download all authorizations" msgid "Download all authorizations"
msgstr "Télécharger toutes les authorisations" msgstr "Télécharger toutes les autorisations"
#: apps/participation/templates/participation/team_detail.html:111 #: apps/participation/templates/participation/team_detail.html:111
#: apps/participation/templates/participation/team_detail.html:178 #: apps/participation/templates/participation/team_detail.html:178

8
tfjm/views.py
View File

@ -20,6 +20,14 @@ class VolunteerMixin(LoginRequiredMixin):
class UserMixin(LoginRequiredMixin): class UserMixin(LoginRequiredMixin):
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_authenticated and not user.registration.is_admin and user.pk != kwargs["pk"]:
self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
class UserRegistrationMixin(LoginRequiredMixin):
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
user = request.user user = request.user
if user.is_authenticated and not user.registration.is_admin and user.registration.pk != kwargs["pk"]: if user.is_authenticated and not user.registration.is_admin and user.registration.pk != kwargs["pk"]: