From 6e587c7d94526c6d4dfe5c01de4daebdd239268e Mon Sep 17 00:00:00 2001
From: Gabriel Detraz
Date: Sat, 9 Jul 2016 18:26:39 +0200
Subject: [PATCH] Verouille toutes les vues avec des acl, un user sans droit peut uniquement se modifier lui et ses machines
---
 machines/views.py | 9 +++++++++
 users/views.py | 14 +++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/machines/views.py b/machines/views.py
index 57d8ba5d..bd60fe1f 100644
--- a/machines/views.py
+++ b/machines/views.py
@@ -55,6 +55,9 @@ def new_machine(request, userid):
 except User.DoesNotExist:
 messages.error(request, u"Utilisateur inexistant" )
 return redirect("/machines/")
+ if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas ajouter une machine à un autre user que vous sans droit")
+ return redirect("/users/profil/" + str(request.user.id))
 machine = NewMachineForm(request.POST or None)
 interface = AddInterfaceForm(request.POST or None)
 if machine.is_valid() and interface.is_valid():
@@ -79,6 +82,9 @@ def edit_machine(request, interfaceid):
 except Interface.DoesNotExist:
 messages.error(request, u"Interface inexistante" )
 return redirect("/machines")
+ if not request.user.has_perms(('cableur',)) and str(interface.machine.user.id)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas éditer une machine d'un autre user que vous sans droit")
+ return redirect("/users/profil/" + str(request.user.id))
 machine_form = EditMachineForm(request.POST or None, instance=interface.machine)
 interface_form = EditInterfaceForm(request.POST or None, instance=interface)
 if machine_form.is_valid() and interface_form.is_valid():
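Review bot: The new guard in new_machine runs only after `User.objects.get(pk=userid)` has already succeeded, so an unprivileged member can still probe arbitrary ids and tell "Utilisateur inexistant" apart from the new "sans droit" message — a small user-id enumeration oracle, and it is the opposite order from edit_info in this same commit, where the guard precedes the lookup. Move the three added lines above the `try:` that fetches the user (they only need `userid` and `request.user.id`), which also spares a query on the denied path. new_machine starts outside the hunk and its `try:` is not visible here.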
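Review bot: This is the same three-line guard that the commit pastes into five other views with only the owner expression changing (`userid`, `interface.machine.user.id`, `machine.user.id`), and the copies have already drifted — new_machine checks after its lookup, edit_info before. Factor the predicate into one helper and keep the per-view message, e.g. `def _may_act_for(request, owner_id):` / `    return request.user.has_perms(('cableur',)) or str(owner_id) == str(request.user.id)`, so a later change to the rule lands in every view at once. Separately, the guard only covers the interface's current owner: if EditInterfaceForm or EditMachineForm exposes the `machine` or `user` foreign key, a member who passes the check could re-parent their own interface onto someone else's machine — worth confirming against the form definitions, which are not in this diff. edit_machine starts outside the hunk.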
@@ -95,6 +101,9 @@ def new_interface(request, machineid):
 except Machine.DoesNotExist:
 messages.error(request, u"Machine inexistante" )
 return redirect("/machines")
+ if not request.user.has_perms(('cableur',)) and str(machine.user.id)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit")
+ return redirect("/users/profil/" + str(request.user.id))
 interface_form = AddInterfaceForm(request.POST or None)
 machine_form = EditMachineForm(request.POST or None, instance=machine)
 if interface_form.is_valid() and machine_form.is_valid():
diff --git a/users/views.py b/users/views.py
index 6360ff3b..a0611348 100644
--- a/users/views.py
+++ b/users/views.py
@@ -104,6 +104,9 @@ def new_user(request):
 @login_required
 def edit_info(request, userid):
+ if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
+ return redirect("/users/profil/" + str(request.user.id))
 try:
 user = User.objects.get(pk=userid)
 except User.DoesNotExist:
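Review bot: The added message literal contains non-ASCII text ("à") but, unlike the existing `u"Machine inexistante"` two lines above it, carries no `u` prefix; if this file runs under Python 2 — which the `u"..."` literals in it suggest — that is a byte string, and depending on how the message framework converts it you get either a UnicodeDecodeError or mojibake in the rendered page, so write `u"Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit"` (and the same for the two new messages in machines/views.py above). The denial redirect is also assembled by hand, `"/users/profil/" + str(request.user.id)`, where `redirect()` with a named URL pattern or `reverse()` would survive a change to the URLconf. new_interface starts outside the hunk.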
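Review bot: Every guard in this commit keys on `request.user.has_perms(('cableur',))`, a bare permission name; Django's stock ModelBackend only matches `app_label.codename` strings, so this is True only if the project installs a custom backend that resolves the Right model — the pre-existing `permission_required('bureau')` suggests it does, but nothing here shows it, and if the call silently returns False every cableur is locked out of other members' pages behind the misleading "sans droit cableur" message. A one-line test asserting that a user holding the cableur Right passes `has_perms(('cableur',))` would pin that down. Here the guard correctly runs before the `User.objects.get` lookup; the new_machine hunk in this same commit does it the other way round. edit_info's body continues outside the hunk.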
@@ -137,13 +140,18 @@ def state(request, userid):
 return form({'userform': state}, 'users/user.html', request)
 @login_required
-@permission_required('bureau')
 def password(request, userid):
+ if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
+ return redirect("/users/profil/" + str(request.user.id))
 try:
 user = User.objects.get(pk=userid)
 except User.DoesNotExist:
 messages.error(request, "Utilisateur inexistant")
 return redirect("/users/")
+ if not request.user.has_perms(('bureau',)) and str(userid)!=str(request.user.id) and Right.objects.filter(user=user):
+ messages.error(request, "Il faut les droits bureau pour modifier le mot de passe d'un membre actif")
+ return redirect("/users/profil/" + str(request.user.id))
 u_form = PassForm(request.POST or None)
 if u_form.is_valid():
 if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']:
@@ -303,6 +311,7 @@ def del_school(request):
 return form({'userform': school}, 'users/user.html', request)
 @login_required
+@permission_required('cableur')
 def index(request):
 users_list = User.objects.order_by('pk')
 connexion = []
@@ -340,6 +349,9 @@ def index_school(request):
 @login_required
 def profil(request, userid):
+ if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
+ messages.error(request, "Vous ne pouvez pas afficher un autre user que vous sans droit cableur")
+ return redirect("/users/profil/" + str(request.user.id))
 try:
 users = User.objects.get(pk=userid)
 except User.DoesNotExist:
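Review bot: The second guard's message says "membre actif" but its condition is `Right.objects.filter(user=user)`, i.e. whether the target holds any Right at all, not whether they are an active member — either the wording or the predicate is wrong, and the predicate should read `and Right.objects.filter(user=user).exists()` instead of relying on QuerySet truthiness, which fetches the whole set. Dropping `@permission_required('bureau')` means any cableur can now set a new password for every member without a Right, and any logged-in user can reset their own. As far as this hunk shows, PassForm handling only compares `passwd1` with `passwd2`, so neither path asks for the current password, which turns a stolen session or an unattended browser into a full account takeover; consider requiring the old password on the self path and logging who changed whose password on the cableur path. The check that a cableur cannot touch a Right-holder does correctly stop a cableur from taking over a bureau account. password's body continues outside the hunk.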
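Review bot: `@permission_required('cableur')` without `raise_exception=True` sends an authenticated member who lacks the right to LOGIN_URL rather than returning 403 (Django's default for the decorator, unless the project overrides it), whereas every other view in this commit answers a denial with `messages.error` plus a redirect to the requester's own profile. Pick one convention — `@permission_required('cableur', raise_exception=True)` is the one-line option — so a logged-in member is not bounced to a login form they already passed. The same applies to the `permission_required('bureau')` decorators elsewhere in the file, which are outside this diff. index's body continues outside the hunk.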
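Review bot: The commit title promises to lock every view, but the hunk header shows `index_school` sitting just above `profil`, and none of this diff's 22 insertions touches it or any listing view other than `index`, so if `index_school` renders member data it is still reachable by any logged-in user. Its body is not in this diff, so this is a prompt to check rather than a confirmed gap; the follow-up would be the same `@permission_required('cableur')` line this commit adds to index, on each listing view. The guard itself is fine here: it runs before the lookup, and since a denied request is redirected to the requester's own profil, which passes the check, it cannot loop. profil's body continues outside the hunk.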