From 52219277172192b2738043a8458f77bffd23cd69 Mon Sep 17 00:00:00 2001 From: Gabriel Detraz Date: Tue, 21 Nov 2017 05:24:39 +0100 Subject: [PATCH] =?UTF-8?q?Acl=20g=C3=A9r=C3=A9es=20cot=C3=A9e=20models,?= =?UTF-8?q?=20can=5Fedit=20et=20can=5Fview=20(vers=20les=20acl=20django...?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- users/models.py | 15 +++++++++++++ users/templates/users/sidebar.html | 13 +++++++----- users/views.py | 34 ++++++++++++++---------------- 3 files changed, 39 insertions(+), 23 deletions(-) diff --git a/users/models.py b/users/models.py index fae011d6..110531d3 100644 --- a/users/models.py +++ b/users/models.py @@ -758,6 +758,21 @@ class User(AbstractBaseUser): num += 1 return composed_pseudo(num) + def can_edit(self, user): + if self.is_class_club and user.is_class_adherent: + return self == user or user.has_perms(('cableur',))or\ + user.adherent in self.club.administrators.all() + else: + return self == user or user.has_perms(('cableur',)) + + def can_view(self, user): + if self.is_class_club and user.is_class_adherent: + return self == user or user.has_perms(('cableur',))or\ + user.adherent in self.club.administrators.all() or\ + user.adherent in self.club.members.all() + else: + return self == user or user.has_perms(('cableur',)) + def __str__(self): return self.pseudo diff --git a/users/templates/users/sidebar.html b/users/templates/users/sidebar.html index 9a4312ff..7c5f05f5 100644 --- a/users/templates/users/sidebar.html +++ b/users/templates/users/sidebar.html @@ -25,7 +25,7 @@ with this program; if not, write to the Free Software Foundation, Inc., {% block sidebar %} - {% if is_cableur %} + {% if is_cableur %} Créer un adhérent @@ -34,14 +34,17 @@ with this program; if not, write to the Free Software Foundation, Inc., Créer un club/association + {% endif %} + {% if is_cableur %} + + + Clubs et assos + + Adherents - - - Clubs - Bannissements 
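Review bot: `can_edit` and `can_view` are added to `User` in users/models.py without docstrings, and their parameter `user` is the requester while `self` is the account being accessed, which is easy to invert at a call site. These two methods become the authorization decision for the views changed in this patch, so each should state its contract, e.g. `"""Return True if user (the requester) may modify this account."""` plus one line listing who is admitted (the account itself, a cableur, an administrator of the club). The membership tests `user.adherent in self.club.administrators.all()` evaluate the whole queryset; `self.club.administrators.filter(pk=user.adherent.pk).exists()` asks the same question in a single query. The self/cableur/administrator clause is duplicated in both bodies, so `can_view` could start from `self.can_edit(user)`. The class body starts and ends outside the hunk.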
diff --git a/users/views.py b/users/views.py index 9aa51b5e..6250db75 100644 --- a/users/views.py +++ b/users/views.py @@ -40,7 +40,7 @@ from django.shortcuts import get_object_or_404, render, redirect from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger from django.contrib import messages from django.contrib.auth.decorators import login_required, permission_required -from django.db.models import ProtectedError +from django.db.models import ProtectedError, Q from django.db import IntegrityError from django.utils import timezone from django.db import transaction @@ -163,8 +163,7 @@ def edit_club_admin_members(request, clubid): except Club.DoesNotExist: messages.error(request, "Club inexistant") return redirect(reverse('users:index')) - if not request.user.has_perms(('cableur',))\ - and not request.user in club_instance.administrators.all(): + if not club_instance.can_edit(request.user): messages.error(request, "Vous ne pouvez pas accéder à ce menu") return redirect(reverse( 'users:profil', @@ -214,9 +213,8 @@ def edit_info(request, userid): except User.DoesNotExist: messages.error(request, "Utilisateur inexistant") return redirect(reverse('users:index')) - if not request.user.has_perms(('cableur',)) and user != request.user: - messages.error(request, "Vous ne pouvez pas modifier un autre\ - user que vous sans droit cableur") + if not user.can_edit(request.user): + messages.error(request, "Vous ne pouvez pas accéder à ce menu") return redirect(reverse( 'users:profil', kwargs={'userid':str(request.user.id)} 
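Review bot: In `edit_club_admin_members` the object passed to `can_edit` is a `Club` (the lookup above catches `Club.DoesNotExist`), while `request.user` is presumably loaded as a plain `User`, so the `self == user` clause in `can_edit` probably never matches on this path. If `Club` is a multi-table child of `User`, as the `self.club` accessor suggests, Django's model equality returns False for instances of different concrete models even when the primary keys are equal. The check fails closed, so this is not a bypass, but the club account gets a different answer depending on whether a view fetched it as `User` or as `Club`. Comparing keys in `can_edit`/`can_view`, `self.pk == user.pk`, makes the result independent of how the instance was loaded. The view body starts and ends outside the hunk.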
@@ -279,9 +277,8 @@ def password(request, userid): except User.DoesNotExist: messages.error(request, "Utilisateur inexistant") return redirect(reverse('users')) - if not request.user.has_perms(('cableur',)) and user != request.user: - messages.error(request, "Vous ne pouvez pas modifier un\ - autre user que vous sans droit cableur") + if not user.can_edit(request.user): + messages.error(request, "Vous ne pouvez pas accéder à ce menu") return redirect(reverse( 'users:profil', kwargs={'userid':str(request.user.id)} @@ -722,12 +719,16 @@ def index(request): @login_required -@permission_required('cableur') def index_clubs(request): """ Affiche l'ensemble des clubs, need droit cableur """ options, _created = GeneralOption.objects.get_or_create() pagination_number = options.pagination_number - clubs_list = Club.objects.select_related('room') + if not request.user.has_perms(('cableur',)): + clubs_list = Club.objects.filter( + Q(administrators=request.user.adherent) | Q(members=request.user.adherent) + ).distinct().select_related('room') + else: + clubs_list = Club.objects.select_related('room') clubs_list = SortTable.sort( clubs_list, request.GET.get('col'), @@ -853,10 +854,8 @@ def history(request, object_name, object_id): except User.DoesNotExist: messages.error(request, "Utilisateur inexistant") return redirect(reverse('users:index')) - if not request.user.has_perms(('cableur',)) and\ - object_instance != request.user: - messages.error(request, "Vous ne pouvez pas afficher\ - l'historique d'un autre user que vous sans droit cableur") + if not object_instance.can_view(request.user): + messages.error(request, "Vous ne pouvez pas afficher ce menu") return redirect(reverse( 'users:profil', kwargs={'userid':str(request.user.id)} 
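Review bot: The `password` view now authorizes with `user.can_edit(request.user)`, and `can_edit` as added in users/models.py returns True for any administrator of a club, so club administrators can now reach the password change of the club account where the removed check admitted only the account itself or a cableur. `edit_info` gets the same widening in the preceding hunk. If that is the intent, record it at the check with `# club administrators may change the club password, see User.can_edit`. If it is not, keep the credential change stricter than profile editing: `if not (user == request.user or request.user.has_perms(('cableur',))):`. The rest of the view is outside the hunk, so whether the form also asks for the current password cannot be seen here.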
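Review bot: In `index_clubs` the non-cableur branch reads `request.user.adherent` without the `is_class_adherent` guard that `can_edit`/`can_view` use, so a logged-in club account (which has no `adherent` row) would most likely raise a related-object exception and get a 500 now that `@permission_required('cableur')` is gone. The branch should test the account type and fall back to an empty queryset, as sketched below. The docstring still says "need droit cableur", which is no longer true; it should say that non-cableur users see only the clubs they administer or belong to. The sort and pagination code that follows is outside the hunk, so confirm it accepts an empty queryset.

```python
    # … unchanged: options / pagination_number lookup …
    if request.user.has_perms(('cableur',)):
        clubs_list = Club.objects.select_related('room')
    elif request.user.is_class_adherent:
        clubs_list = Club.objects.filter(
            Q(administrators=request.user.adherent) |
            Q(members=request.user.adherent)
        ).distinct().select_related('room')
    else:
        # Club accounts have no adherent row: list nothing instead of raising.
        clubs_list = Club.objects.none()
    # … unchanged: SortTable.sort and pagination …
```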
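Review bot: `history` now gates on `object_instance.can_view(request.user)`, and `can_view` admits every member of a club, so any club member can read the club account's change history; the `profil` hunk at the end of the patch uses the same predicate. A history page typically shows more than the profile does (who changed what, and earlier values), though the template is not visible here. If that holds, the tighter predicate fits this view better: `if not object_instance.can_edit(request.user):`. Either way, a comment at the check naming who is meant to see history would make the decision reviewable. The view body starts and ends outside the hunk.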
@@ -947,9 +946,8 @@ def profil(request, userid): except User.DoesNotExist: messages.error(request, "Utilisateur inexistant") return redirect(reverse('users:index')) - if not request.user.has_perms(('cableur',)) and users != request.user: - messages.error(request, "Vous ne pouvez pas afficher un autre user\ - que vous sans droit cableur") + if not users.can_view(request.user): + messages.error(request, "Vous ne pouvez pas accéder à ce menu") return redirect(reverse( 'users:profil', kwargs={'userid':str(request.user.id)}