8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-12-27 01:13:46 +00:00

Verouille toutes les vues avec des acl, un user sans droit peut uniquement se modifier lui et ses machines

This commit is contained in:
Gabriel Detraz 2016-07-09 18:26:39 +02:00
parent 2076051635
commit 6e587c7d94
2 changed files with 22 additions and 1 deletions

View file

@ -55,6 +55,9 @@ def new_machine(request, userid):
except User.DoesNotExist: except User.DoesNotExist:
messages.error(request, u"Utilisateur inexistant" ) messages.error(request, u"Utilisateur inexistant" )
return redirect("/machines/") return redirect("/machines/")
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une machine à un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine = NewMachineForm(request.POST or None) machine = NewMachineForm(request.POST or None)
interface = AddInterfaceForm(request.POST or None) interface = AddInterfaceForm(request.POST or None)
if machine.is_valid() and interface.is_valid(): if machine.is_valid() and interface.is_valid():
@ -79,6 +82,9 @@ def edit_machine(request, interfaceid):
except Interface.DoesNotExist: except Interface.DoesNotExist:
messages.error(request, u"Interface inexistante" ) messages.error(request, u"Interface inexistante" )
return redirect("/machines") return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(interface.machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas éditer une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine_form = EditMachineForm(request.POST or None, instance=interface.machine) machine_form = EditMachineForm(request.POST or None, instance=interface.machine)
interface_form = EditInterfaceForm(request.POST or None, instance=interface) interface_form = EditInterfaceForm(request.POST or None, instance=interface)
if machine_form.is_valid() and interface_form.is_valid(): if machine_form.is_valid() and interface_form.is_valid():
@ -95,6 +101,9 @@ def new_interface(request, machineid):
except Machine.DoesNotExist: except Machine.DoesNotExist:
messages.error(request, u"Machine inexistante" ) messages.error(request, u"Machine inexistante" )
return redirect("/machines") return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
interface_form = AddInterfaceForm(request.POST or None) interface_form = AddInterfaceForm(request.POST or None)
machine_form = EditMachineForm(request.POST or None, instance=machine) machine_form = EditMachineForm(request.POST or None, instance=machine)
if interface_form.is_valid() and machine_form.is_valid(): if interface_form.is_valid() and machine_form.is_valid():

View file

@ -104,6 +104,9 @@ def new_user(request):
@login_required @login_required
def edit_info(request, userid): def edit_info(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
user = User.objects.get(pk=userid) user = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist:
@ -137,13 +140,18 @@ def state(request, userid):
return form({'userform': state}, 'users/user.html', request) return form({'userform': state}, 'users/user.html', request)
@login_required @login_required
@permission_required('bureau')
def password(request, userid): def password(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
user = User.objects.get(pk=userid) user = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist:
messages.error(request, "Utilisateur inexistant") messages.error(request, "Utilisateur inexistant")
return redirect("/users/") return redirect("/users/")
if not request.user.has_perms(('bureau',)) and str(userid)!=str(request.user.id) and Right.objects.filter(user=user):
messages.error(request, "Il faut les droits bureau pour modifier le mot de passe d'un membre actif")
return redirect("/users/profil/" + str(request.user.id))
u_form = PassForm(request.POST or None) u_form = PassForm(request.POST or None)
if u_form.is_valid(): if u_form.is_valid():
if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']: if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']:
@ -303,6 +311,7 @@ def del_school(request):
return form({'userform': school}, 'users/user.html', request) return form({'userform': school}, 'users/user.html', request)
@login_required @login_required
@permission_required('cableur')
def index(request): def index(request):
users_list = User.objects.order_by('pk') users_list = User.objects.order_by('pk')
connexion = [] connexion = []
@ -340,6 +349,9 @@ def index_school(request):
@login_required @login_required
def profil(request, userid): def profil(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas afficher un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
users = User.objects.get(pk=userid) users = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist: