Fix the permission to see a user page

This commit is contained in:
Yohann D'ANELLO 2021-01-23 11:02:26 +01:00
parent 0cd7ff512f
commit ea38c06631
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
3 changed files with 14 additions and 30 deletions

View File

@ -25,7 +25,7 @@ from django_tables2 import SingleTableView
from magic import Magic
from participation.models import Passage, Solution, Synthesis, Tournament
from tfjm.tokens import email_validation_token
from tfjm.views import AdminMixin, UserMixin, VolunteerMixin
from tfjm.views import AdminMixin, UserMixin, UserRegistrationMixin, VolunteerMixin
from .forms import AddOrganizerForm, AdminRegistrationForm, CoachRegistrationForm, HealthSheetForm, \
ParentalAuthorizationForm, PaymentForm, PhotoAuthorizationForm, SignupForm, StudentRegistrationForm, UserForm, \
@ -226,7 +226,7 @@ class MyAccountDetailView(LoginRequiredMixin, RedirectView):
return reverse_lazy("registration:user_detail", args=(self.request.user.pk,))
class UserDetailView(UserMixin, DetailView):
class UserDetailView(LoginRequiredMixin, DetailView):
"""
Display the detail about a user.
"""
@ -271,12 +271,6 @@ class UserUpdateView(UserMixin, UpdateView):
form_class = UserForm
template_name = "registration/update_user.html"
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object():
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
user = self.get_object()
@ -309,7 +303,7 @@ class UserUpdateView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.pk,))
class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
class UserUploadPhotoAuthorizationView(UserRegistrationMixin, UpdateView):
"""
A participant can send its photo authorization.
"""
@ -318,12 +312,6 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
template_name = "registration/upload_photo_authorization.html"
extra_context = dict(title=_("Upload photo authorization"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -336,7 +324,7 @@ class UserUploadPhotoAuthorizationView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
class UserUploadHealthSheetView(UserMixin, UpdateView):
class UserUploadHealthSheetView(UserRegistrationMixin, UpdateView):
"""
A participant can send its health sheet.
"""
@ -345,12 +333,6 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
template_name = "registration/upload_health_sheet.html"
extra_context = dict(title=_("Upload health sheet"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -363,7 +345,7 @@ class UserUploadHealthSheetView(UserMixin, UpdateView):
return reverse_lazy("registration:user_detail", args=(self.object.user.pk,))
class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
class UserUploadParentalAuthorizationView(UserRegistrationMixin, UpdateView):
"""
A participant can send its parental authorization.
"""
@ -372,12 +354,6 @@ class UserUploadParentalAuthorizationView(UserMixin, UpdateView):
template_name = "registration/upload_parental_authorization.html"
extra_context = dict(title=_("Upload parental authorization"))
def dispatch(self, request, *args, **kwargs):
if not self.request.user.is_authenticated or \
not self.request.user.registration.is_admin and self.request.user != self.get_object().user:
return self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
@transaction.atomic
def form_valid(self, form):
old_instance = StudentRegistration.objects.get(pk=self.object.pk)

View File

@ -790,7 +790,7 @@ msgstr "Remplacer"
#: apps/participation/templates/participation/team_detail.html:104
msgid "Download all authorizations"
msgstr "Télécharger toutes les authorisations"
msgstr "Télécharger toutes les autorisations"
#: apps/participation/templates/participation/team_detail.html:111
#: apps/participation/templates/participation/team_detail.html:178

View File

@ -20,6 +20,14 @@ class VolunteerMixin(LoginRequiredMixin):
class UserMixin(LoginRequiredMixin):
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_authenticated and not user.registration.is_admin and user.pk != kwargs["pk"]:
self.handle_no_permission()
return super().dispatch(request, *args, **kwargs)
class UserRegistrationMixin(LoginRequiredMixin):
def dispatch(self, request, *args, **kwargs):
user = request.user
if user.is_authenticated and not user.registration.is_admin and user.registration.pk != kwargs["pk"]: