mirror of
https://github.com/ae-utbm/sith.git
synced 2024-11-22 06:03:20 +00:00
Better handling of user rights for studentcards
This commit is contained in:
parent
616b7ccfc8
commit
0ba0df0f29
@ -87,14 +87,6 @@ class Customer(models.Model):
|
||||
letter = random.choice(string.ascii_lowercase)
|
||||
return number + letter
|
||||
|
||||
def add_student_card(self, uid, request, counter=None):
|
||||
"""
|
||||
Add a new student card on the customer account
|
||||
"""
|
||||
if not StudentCard.check_creation_permission(request, self, counter):
|
||||
raise PermissionDenied
|
||||
StudentCard(customer=self, uid=uid).save()
|
||||
|
||||
def save(self, allow_negative=False, is_selling=False, *args, **kwargs):
|
||||
"""
|
||||
is_selling : tell if the current action is a selling
|
||||
@ -756,34 +748,18 @@ class StudentCard(models.Model):
|
||||
|
||||
@staticmethod
|
||||
def is_valid(uid):
|
||||
return len(uid) == StudentCard.UID_SIZE
|
||||
|
||||
@staticmethod
|
||||
def __comming_from_right_counter(request, counter):
|
||||
return (
|
||||
counter.type == "BAR"
|
||||
and "counter_token" in request.session.keys()
|
||||
and request.session["counter_token"] == counter.token
|
||||
and len(counter.get_barmen_list()) > 0
|
||||
len(uid) == StudentCard.UID_SIZE
|
||||
and not StudentCard.objects.filter(uid=uid).exists()
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def __user_has_rights(customer, user):
|
||||
def can_create(customer, user):
|
||||
return user.pk == customer.user.pk or user.is_board_member or user.is_root
|
||||
|
||||
@staticmethod
|
||||
def check_creation_permission(request, customer, counter=None):
|
||||
"""
|
||||
If you are comming from a counter, only your connection to the counter is checked, not your right on the user to avoid wierd conflicts
|
||||
If you are not comming from a counter, your permissions are checked
|
||||
"""
|
||||
if counter:
|
||||
return StudentCard.__comming_from_right_counter(request, counter)
|
||||
return StudentCard.__user_has_rights(customer, request.user)
|
||||
|
||||
def can_edit(self, obj):
|
||||
if isinstance(obj, User):
|
||||
return StudentCard.__user_has_rights(self.customer, obj)
|
||||
return StudentCard.can_create(self.customer, obj)
|
||||
return False
|
||||
|
||||
uid = models.CharField(
|
||||
|
@ -119,7 +119,7 @@ class StudentCardForm(forms.ModelForm):
|
||||
return cleaned_data
|
||||
|
||||
|
||||
class StudentCardDeleteView(DeleteView):
|
||||
class StudentCardDeleteView(DeleteView, CanEditMixin):
|
||||
"""
|
||||
View used to delete a card from a user
|
||||
"""
|
||||
@ -130,8 +130,6 @@ class StudentCardDeleteView(DeleteView):
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
|
||||
if not self.get_object().can_edit(self.customer.user):
|
||||
raise PermissionDenied
|
||||
return super(StudentCardDeleteView, self).dispatch(request, *args, **kwargs)
|
||||
|
||||
def get_success_url(self, **kwargs):
|
||||
@ -580,7 +578,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
|
||||
request.session["not_valid_student_card_uid"] = True
|
||||
return False
|
||||
|
||||
self.customer.add_student_card(uid, request, self.object)
|
||||
if not (
|
||||
self.object.type == "BAR"
|
||||
and "counter_token" in request.session.keys()
|
||||
and request.session["counter_token"] == self.object.token
|
||||
and len(self.object.get_barmen_list()) > 0
|
||||
):
|
||||
raise PermissionDenied
|
||||
|
||||
StudentCard(customer=self.customer, uid=uid).save()
|
||||
return True
|
||||
|
||||
def del_product(self, request):
|
||||
@ -1842,12 +1848,14 @@ class StudentCardFormView(FormView):
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
|
||||
if not StudentCard.can_create(self.customer, request.user):
|
||||
raise PermissionDenied
|
||||
return super(StudentCardFormView, self).dispatch(request, *args, **kwargs)
|
||||
|
||||
def form_valid(self, form):
|
||||
data = form.clean()
|
||||
res = super(FormView, self).form_valid(form)
|
||||
self.customer.add_student_card(data["uid"], self.request)
|
||||
StudentCard(customer=self.customer, uid=data["uid"]).save()
|
||||
return res
|
||||
|
||||
def get_success_url(self, **kwargs):
|
||||
|
Loading…
Reference in New Issue
Block a user