From 25f0e561660d2d9baff79163fea32c1ffdf40ac8 Mon Sep 17 00:00:00 2001 From: Gabriel Detraz Date: Thu, 28 Dec 2017 14:04:14 +0100 Subject: [PATCH] =?UTF-8?q?Utilisation=20nouveau=20syst=C3=A8me=20d'acl=20?= =?UTF-8?q?sur=20password=20et=20control?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cotisations/models.py | 6 +++--- cotisations/views.py | 4 ++-- re2o/field_permissions.py | 2 +- users/models.py | 18 ++++++++++++++++++ users/views.py | 26 +++++++++++++------------- 5 files changed, 37 insertions(+), 19 deletions(-) diff --git a/cotisations/models.py b/cotisations/models.py index 7bef2bcd..e3b7aece 100644 --- a/cotisations/models.py +++ b/cotisations/models.py @@ -149,11 +149,11 @@ class Facture(FieldPermissionModelMixin, models.Model): else: return True, None - def can_change_control(user, *args, **kwargs): + def can_change_control(self, user, *args, **kwargs): return user.has_perms(('tresorier',)), "Vous ne pouvez pas éditer le controle sans droit trésorier" - def can_change_pdf(user_request, *args, **kwargs): - return user_request.has_perms(('tresorier',)), "Vous ne pouvez pas éditer une facture sans droit trésorier" + def can_change_pdf(self, user, *args, **kwargs): + return user.has_perms(('tresorier',)), "Vous ne pouvez pas éditer une facture sans droit trésorier" field_permissions = { 'control': can_change_control, diff --git a/cotisations/views.py b/cotisations/views.py index e9ba2b9c..876c7eb3 100644 --- a/cotisations/views.py +++ b/cotisations/views.py @@ -168,7 +168,7 @@ def new_facture(request, user, userid): @login_required -@can_change(Facture, ['pdf']) +@can_change(Facture, 'pdf') def new_facture_pdf(request): """Permet de générer un pdf d'une facture. Réservée au trésorier, permet d'emettre des factures sans objet 
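Review bot: Neither `can_change_control` nor `can_change_pdf` carries a docstring, and nothing records that `FieldPermissionModelMixin` (re2o/field_permissions.py hunk in this same patch) invokes these callables as `perm(self, user=user)`, so the second parameter must keep the name `user` — a later rename back to `user_request` would break the keyword call again without any static warning. Add a docstring to each, e.g. `"""Field permission for 'control': requires the 'tresorier' right; called by FieldPermissionModelMixin as perm(self, user=user)."""` and the equivalent wording for 'pdf'. `*args` and `**kwargs` are unused in both bodies; if the mixin never passes anything beyond `user`, a short comment on why they are kept would help the next reader.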
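Review bot: `@can_change(Facture, 'pdf')` now passes a bare string where the decorator previously received a list, and `can_change` itself (re2o.utils) is not part of this diff; if its implementation still iterates the field argument, `'pdf'` would be walked character by character and the permission lookup would be attempted for fields `p`, `d`, `f` instead of `pdf`. Please confirm `can_change` accepts a single field name, otherwise the decorator silently stops routing to `Facture.can_change_pdf`. The same applies to `@can_change(Facture, 'control')` in the second hunk of this file and to the field-level decorators in users/views.py. The body of `new_facture_pdf` continues outside the hunk.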
@@ -488,7 +488,7 @@ def del_banque(request, instances): @login_required @can_view_all(Facture) -@can_change(Facture, ['control']) +@can_change(Facture, 'control') def control(request): """Pour le trésorier, vue pour controler en masse les factures.Case à cocher, pratique""" diff --git a/re2o/field_permissions.py b/re2o/field_permissions.py index c3eb10be..62a2b50d 100644 --- a/re2o/field_permissions.py +++ b/re2o/field_permissions.py @@ -48,7 +48,7 @@ class FieldPermissionModelMixin: # Try to find a user setting that qualifies them for permission. for perm in checks: if callable(perm): - result, plop = perm(user=user) + result, reason = perm(self, user=user) if result is not None: return result else: diff --git a/users/models.py b/users/models.py index db7e3da5..31343494 100644 --- a/users/models.py +++ b/users/models.py @@ -805,6 +805,24 @@ class User(AbstractBaseUser): else: return False, u"Vous ne pouvez éditer un autre utilisateur que vous même" + def can_change_password(self, user_request, *args, **kwargs): + if self.is_class_club and user_request.is_class_adherent: + if self == user_request or user_request.has_perms(('cableur',)) or\ + user_request.adherent in self.club.administrators.all(): + return True, None + else: + return False, u"Vous n'avez pas le droit d'éditer ce club" + else: + if self == user_request or user_request.has_perms(('bureau',)): + return True, None + elif user_request.has_perms(('cableur',)) and not Right.objects.filter(user=self): + return True, None + else: + return False, u"Vous ne pouvez éditer un autre utilisateur que vous même" + + def can_change_state(self, user_request, *args, **kwargs): + return user_request.has_perms(('bureau',)), "Droit bureau requis pour changer l'état" + def can_delete(self, user_request, *args, **kwargs): """Check if an user can delete an user object. diff --git a/users/views.py b/users/views.py index 81ccc5d0..d6ad91e3 100644 --- a/users/views.py +++ b/users/views.py 
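Review bot: `reason` is assigned but never read, so the denial message each permission callable returns (e.g. "Vous ne pouvez pas éditer le controle sans droit trésorier") is dropped at this line and the caller only ever sees the boolean in `result`. If the message is meant to reach the user, return it alongside `result`; if not, make the discard explicit with `result, _reason = perm(self, user=user)` so linters stop flagging the unused name and nobody assumes it is propagated. The enclosing method begins and ends outside the hunk, and the body of the trailing `else:` is not visible here.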
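Review bot: In `can_change_password` the club branch grants any `cableur` the right to reset a club's password unconditionally, while the non-club branch only allows a `cableur` when `Right.objects.filter(user=self)` is empty; if that asymmetry is intended (a club holding rights can still be reset by a cableur) it deserves a comment, otherwise the same `not Right.objects.filter(user=self)` guard belongs in the club condition too. Neither new method has a docstring although the neighbouring `can_delete` does, e.g. `"""Return (allowed, reason): self, 'bureau', a 'cableur' for a user without rights, or a club administrator for a club may reset this password."""`. `can_change_state` also returns a plain `"Droit bureau requis pour changer l'état"` while every sibling message uses the `u"..."` prefix; with a non-ASCII character inside, that is a str/unicode inconsistency on Python 2, which the `u` prefixes elsewhere suggest the codebase still supports.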
@@ -93,7 +93,15 @@ from preferences.models import OptionalUser, GeneralOption from re2o.views import form from re2o.utils import ( - all_has_access, SortTable, can_create, can_edit, can_delete_set, can_delete, can_view, can_view_all + all_has_access, + SortTable, + can_create, + can_edit, + can_delete_set, + can_delete, + can_view, + can_view_all, + can_change ) def password_change_action(u_form, user, request, req=False): @@ -217,8 +225,7 @@ def edit_info(request, user, userid): @login_required -@permission_required('bureau') -@can_edit(User) +@can_edit(User, 'state') def state(request, user, userid): """ Changer l'etat actif/desactivé/archivé d'un user, need droit bureau """ @@ -245,19 +252,11 @@ def state(request, user, userid): @login_required -@can_edit(User) +@can_edit(User, 'password') def password(request, user, userid): """ Reinitialisation d'un mot de passe à partir de l'userid, pour self par défaut, pour tous sans droit si droit cableur, pour tous si droit bureau """ - if not request.user.has_perms(('bureau',)) and user != request.user\ - and Right.objects.filter(user=user): - messages.error(request, "Il faut les droits bureau pour modifier le\ - mot de passe d'un membre actif") - return redirect(reverse( - 'users:profil', - kwargs={'userid':str(request.user.id)} - )) u_form = PassForm(request.POST or None) if u_form.is_valid(): return password_change_action(u_form, user, request) @@ -585,7 +584,8 @@ def del_listright(request, instances): @login_required -@permission_required('bureau') +@can_view_all(User) +@can_change(User, 'state') def mass_archive(request): """ Permet l'archivage massif""" to_archive_date = MassArchiveForm(request.POST or None)
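Review bot: Dropping `@permission_required('bureau')` on `state` leaves `@can_edit(User, 'state')` as the only thing enforcing the bureau right, and whether `can_edit` honours its second argument cannot be verified from this diff (re2o.utils is not shown; the import hunk above only adds `can_change`). If `can_edit` ignores the field name and falls back to the model-level edit check, a user allowed to edit their own profile could also change their own state — activate or un-archive themselves — which is exactly what the removed decorator prevented. The same reliance applies to `@can_edit(User, 'password')` in the next hunk, where the inline bureau/`Right` check was removed in favour of `User.can_change_password`. Please confirm `can_edit(Model, field)` dispatches to the `can_change_state` / `can_change_password` methods added in users/models.py, and consider a regression test asserting that a non-bureau user is refused by `state`.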
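Review bot: `mass_archive` guards the `state` field with `@can_change(User, 'state')` while `state` earlier in this file uses `@can_edit(User, 'state')` for the same field; if both decorators resolve to `User.can_change_state` this is only an inconsistency, but if only one of them accepts a field name the other view is under-protected. Use one decorator for field-level checks in both places, `@can_change(User, 'state')`, or document in re2o.utils why an instance-less view such as `mass_archive(request)` must use `can_change` while `state(request, user, userid)` uses `can_edit`. The body of `mass_archive` continues outside the hunk.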