diff --git a/counter/models.py b/counter/models.py
index 693b277b..bcc9388e 100644
--- a/counter/models.py
+++ b/counter/models.py
@@ -87,14 +87,6 @@ class Customer(models.Model):
 letter = random.choice(string.ascii_lowercase)
 return number + letter
- def add_student_card(self, uid, request, counter=None):
- """
- Add a new student card on the customer account
- """
- if not StudentCard.check_creation_permission(request, self, counter):
- raise PermissionDenied
- StudentCard(customer=self, uid=uid).save()
-
 def save(self, allow_negative=False, is_selling=False, *args, **kwargs):
 """
 is_selling : tell if the current action is a selling
@@ -756,34 +748,18 @@ class StudentCard(models.Model):
 @staticmethod
 def is_valid(uid):
- return len(uid) == StudentCard.UID_SIZE
-
- @staticmethod
- def __comming_from_right_counter(request, counter):
 return (
- counter.type == "BAR"
- and "counter_token" in request.session.keys()
- and request.session["counter_token"] == counter.token
- and len(counter.get_barmen_list()) > 0
+ len(uid) == StudentCard.UID_SIZE
+ and not StudentCard.objects.filter(uid=uid).exists()
 )
 @staticmethod
- def __user_has_rights(customer, user):
+ def can_create(customer, user):
 return user.pk == customer.user.pk or user.is_board_member or user.is_root
- @staticmethod
- def check_creation_permission(request, customer, counter=None):
- """
- If you are comming from a counter, only your connection to the counter is checked, not your right on the user to avoid wierd conflicts
- If you are not comming from a counter, your permissions are checked
- """
- if counter:
- return StudentCard.__comming_from_right_counter(request, counter)
- return StudentCard.__user_has_rights(customer, request.user)
-
 def can_edit(self, obj):
 if isinstance(obj, User):
- return StudentCard.__user_has_rights(self.customer, obj)
+ return StudentCard.can_create(self.customer, obj)
 return False
 uid = models.CharField(
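Review bot: The uniqueness test added to `StudentCard.is_valid` is a check-then-insert: two requests carrying the same UID can both pass `not StudentCard.objects.filter(uid=uid).exists()` before either row is written, and the two `StudentCard(...).save()` call sites this commit adds in counter/views.py save without any further guard. The `uid` field definition only begins on the last line of this hunk and its options are not visible, so confirm it carries `unique=True`; if it does, the callers should turn the resulting `IntegrityError` into a form or session error rather than a 500. Folding existence into `is_valid` also changes its contract from "well-formed" to "well-formed and not yet assigned", so any caller that uses it to validate the UID of an already registered card would now reject that card; a docstring such as `"""Return True if uid has the expected length and is not already assigned to a card."""` would make the new meaning explicit.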
diff --git a/counter/views.py b/counter/views.py
index 10a12eec..2f3a653d 100644
--- a/counter/views.py
+++ b/counter/views.py
@@ -119,7 +119,7 @@ class StudentCardForm(forms.ModelForm):
 return cleaned_data
-class StudentCardDeleteView(DeleteView):
+class StudentCardDeleteView(DeleteView, CanEditMixin):
 """
 View used to delete a card from a user
 """
@@ -130,8 +130,6 @@ class StudentCardDeleteView(DeleteView):
 def dispatch(self, request, *args, **kwargs):
 self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
- if not self.get_object().can_edit(self.customer.user):
- raise PermissionDenied
 return super(StudentCardDeleteView, self).dispatch(request, *args, **kwargs)
 def get_success_url(self, **kwargs):
@@ -580,7 +578,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
 request.session["not_valid_student_card_uid"] = True
 return False
- self.customer.add_student_card(uid, request, self.object)
+ if not (
+ self.object.type == "BAR"
+ and "counter_token" in request.session.keys()
+ and request.session["counter_token"] == self.object.token
+ and len(self.object.get_barmen_list()) > 0
+ ):
+ raise PermissionDenied
+
+ StudentCard(customer=self.customer, uid=uid).save()
 return True
 def del_product(self, request):
@@ -1842,12 +1848,14 @@ class StudentCardFormView(FormView):
 def dispatch(self, request, *args, **kwargs):
 self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
+ if not StudentCard.can_create(self.customer, request.user):
+ raise PermissionDenied
 return super(StudentCardFormView, self).dispatch(request, *args, **kwargs)
 def form_valid(self, form):
 data = form.clean()
 res = super(FormView, self).form_valid(form)
- self.customer.add_student_card(data["uid"], self.request)
+ StudentCard(customer=self.customer, uid=data["uid"]).save()
 return res
 def get_success_url(self, **kwargs):
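Review bot: `class StudentCardDeleteView(DeleteView, CanEditMixin)` lists the permission mixin after the base view, and the `@@ -130,8 +130,6 @@` hunk removes the only explicit `can_edit` test from `dispatch`, so deletion is now authorized by the mixin alone. Whether `CanEditMixin.dispatch` runs in this order depends on its base classes, which are not visible here: if it does not itself derive from `View`, `View.dispatch` comes first in the method resolution order and the permission check is skipped silently. The order-independent form is `class StudentCardDeleteView(CanEditMixin, DeleteView):`. A test asserting that a user who is neither the card owner, a board member nor root receives a 403 on this view would pin the behaviour.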
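Review bot: The counter-session check added in the `CounterClick` hunk runs only after the UID validation that sets `not_valid_student_card_uid` and returns `False` just above it, so a request without a valid `counter_token` still gets a validation answer, and `is_valid` now includes a database existence test. Performing the authorization test first and the validation second would avoid answering unauthorized requests at all; the `if` that performs the validation starts outside the hunk, so confirm the order there. The four-line condition was a helper on `StudentCard` before this commit and is now inlined in the view; keeping it as a single method on the counter model would leave one place to audit and test the rule.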
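Review bot: In `StudentCardFormView.dispatch`, `StudentCard.can_create(self.customer, request.user)` is evaluated with no authentication check visible before it. If the view can be reached without a logged-in session and the project's anonymous user object lacks `is_board_member` or `is_root`, the call raises `AttributeError` and the response is a 500 rather than a 403 or a login redirect. A guard such as `if not request.user.is_authenticated: raise PermissionDenied` ahead of the `can_create` call would make the outcome explicit; this is inferred from the hunk alone, so check the URL configuration and the class's mixins first.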