klmp200/Sith
1
0
Fork 0
mirror of https://github.com/ae-utbm/sith.git synced 2025-01-31 03:11:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1012 from ae-utbm/fix-counter-access

Browse Source 
Fix office counter access
This commit is contained in:
thomas girod 2025-01-23 14:37:32 +01:00 committed by GitHub
commit 18967cf3d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
counter/tests/test_counter.py
View File

@ -937,13 +937,23 @@ class TestClubCounterClickAccess(TestCase):
assert res.status_code == 403 assert res.status_code == 403
def test_board_member(self): def test_board_member(self):
"""By default, board members should be able to click on office counters"""
baker.make(Membership, club=self.counter.club, user=self.user, role=3) baker.make(Membership, club=self.counter.club, user=self.user, role=3)
self.client.force_login(self.user) self.client.force_login(self.user)
res = self.client.get(self.click_url) res = self.client.get(self.click_url)
assert res.status_code == 200 assert res.status_code == 200
def test_barman(self): def test_barman(self):
"""Sellers should be able to click on office counters"""
self.counter.sellers.add(self.user) self.counter.sellers.add(self.user)
self.client.force_login(self.user) self.client.force_login(self.user)
res = self.client.get(self.click_url) res = self.client.get(self.click_url)
assert res.status_code == 403 assert res.status_code == 200
def test_both_barman_and_board_member(self):
"""If the user is barman and board member, he should be authorized as well."""
self.counter.sellers.add(self.user)
baker.make(Membership, club=self.counter.club, user=self.user, role=3)
self.client.force_login(self.user)
res = self.client.get(self.click_url)
assert res.status_code == 200

19
counter/views/click.py
View File

@ -142,15 +142,16 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
""" """
model = Counter model = Counter
queryset = Counter.objects.annotate_is_open() queryset = (
Counter.objects.exclude(type="EBOUTIC")
.annotate_is_open()
.select_related("club")
)
form_class = BasketForm form_class = BasketForm
template_name = "counter/counter_click.jinja" template_name = "counter/counter_click.jinja"
pk_url_kwarg = "counter_id" pk_url_kwarg = "counter_id"
current_tab = "counter" current_tab = "counter"
def get_queryset(self):
return super().get_queryset().exclude(type="EBOUTIC").annotate_is_open()
def get_form_kwargs(self): def get_form_kwargs(self):
kwargs = super().get_form_kwargs() kwargs = super().get_form_kwargs()
kwargs["form_kwargs"] = { kwargs["form_kwargs"] = {
@ -168,9 +169,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, SingleObjectMixin, FormView):
return redirect(obj) # Redirect to counter return redirect(obj) # Redirect to counter
if obj.type == "OFFICE" and ( if obj.type == "OFFICE" and (
obj.sellers.filter(pk=request.user.pk).exists() request.user.is_anonymous
or not obj.club.has_rights_in_club(request.user) or not (
obj.sellers.contains(request.user)
or obj.club.has_rights_in_club(request.user)
)
): ):
# To be able to click on an office counter,
# a user must either be in the board of the club that own the counter
# or a seller of this counter.
raise PermissionDenied raise PermissionDenied
if obj.type == "BAR" and ( if obj.type == "BAR" and (