fix office counter click access

2025-07-10 03:49:24 +00:00 · 2025-01-23 13:32:13 +01:00
parent c555d5c78c
commit 14ed43aaa5
2 changed files with 24 additions and 7 deletions
--- a/counter/views/click.py
+++ b/counter/views/click.py
@ -142,15 +142,16 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
    """

    model = Counter
-    queryset = Counter.objects.annotate_is_open()
+    queryset = (
+        Counter.objects.exclude(type="EBOUTIC")
+        .annotate_is_open()
+        .select_related("club")
+    )
    form_class = BasketForm
    template_name = "counter/counter_click.jinja"
    pk_url_kwarg = "counter_id"
    current_tab = "counter"

-    def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()
-
    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
        kwargs["form_kwargs"] = {
@ -168,9 +169,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
            return redirect(obj)  # Redirect to counter

        if obj.type == "OFFICE" and (
-            obj.sellers.filter(pk=request.user.pk).exists()
-            or not obj.club.has_rights_in_club(request.user)
+            request.user.is_anonymous
+            or not (
+                obj.sellers.contains(request.user)
+                or obj.club.has_rights_in_club(request.user)
+            )
        ):
+            # To be able to click on an office counter,
+            # a user must either be in the board of the club that own the counter
+            # or a seller of this counter.
            raise PermissionDenied

        if obj.type == "BAR" and (