Add token to counter to see pictures and to prevend misuses
This commit is contained in:
parent
37072e1640
commit
a4ad7f0e85
@ -27,7 +27,12 @@ def send_file(request, file_id):
|
|||||||
f = SithFile.objects.filter(id=file_id).first()
|
f = SithFile.objects.filter(id=file_id).first()
|
||||||
if f is None or f.is_folder:
|
if f is None or f.is_folder:
|
||||||
return not_found(request)
|
return not_found(request)
|
||||||
if not can_view(f, request.user):
|
from counter.models import Counter
|
||||||
|
if not (can_view(f, request.user) or
|
||||||
|
('counter_token' in request.session.keys() and
|
||||||
|
request.session['counter_token'] and # check if not null for counters that have no token set
|
||||||
|
Counter.objects.filter(token=request.session['counter_token']).exists())
|
||||||
|
):
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
name = f.file.name
|
name = f.file.name
|
||||||
with open(settings.MEDIA_ROOT + name, 'rb') as filename:
|
with open(settings.MEDIA_ROOT + name, 'rb') as filename:
|
||||||
|
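Review bot: The new condition in `if not (can_view(f, request.user) or ...)` lets any browser whose session holds a token matching any counter read every SithFile, not only the pictures the commit title mentions: the `Counter.objects.filter(token=...).exists()` test is scoped neither to the file being served nor to the counter the session logged into, so a session that once logged a barman in can fetch otherwise private files until `gen_token` rotates that token. Narrowing the bypass to the files a counter page actually renders (product pictures, if that is what is meant) and matching the token against a specific counter would keep the intent without the broad exemption; the in-function `from counter.models import Counter` is presumably there to avoid an import cycle and deserves a short comment saying so. The two session lookups can collapse into one that preserves the null-token behaviour the inline comment describes: `token = request.session.get('counter_token')` and then `token and Counter.objects.filter(token=token).exists()`. `send_file` begins before this hunk and its body continues after it.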
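--- /dev/null
+++ b/counter/migrations/0008_counter_token.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('counter', '0007_product_archived'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='counter',
+            name='token',
+            field=models.CharField(blank=True, max_length=30, verbose_name='token', null=True),
+        ),
+    ]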
@ -126,6 +126,7 @@ class Counter(models.Model):
|
|||||||
sellers = models.ManyToManyField(Subscriber, verbose_name=_('sellers'), related_name='counters', blank=True)
|
sellers = models.ManyToManyField(Subscriber, verbose_name=_('sellers'), related_name='counters', blank=True)
|
||||||
edit_groups = models.ManyToManyField(Group, related_name="editable_counters", blank=True)
|
edit_groups = models.ManyToManyField(Group, related_name="editable_counters", blank=True)
|
||||||
view_groups = models.ManyToManyField(Group, related_name="viewable_counters", blank=True)
|
view_groups = models.ManyToManyField(Group, related_name="viewable_counters", blank=True)
|
||||||
|
token = models.CharField(_('token'), max_length=30, null=True, blank=True)
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
verbose_name = _('counter')
|
verbose_name = _('counter')
|
||||||
@ -155,6 +156,11 @@ class Counter(models.Model):
|
|||||||
sub = get_subscriber(request.user)
|
sub = get_subscriber(request.user)
|
||||||
return user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or sub in self.sellers
|
return user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or sub in self.sellers
|
||||||
|
|
||||||
|
def gen_token(self):
|
||||||
|
"""Generate a new token for this counter"""
|
||||||
|
self.token = ''.join(random.choice(string.ascii_letters + string.digits) for x in range(30))
|
||||||
|
self.save()
|
||||||
|
|
||||||
def add_barman(self, user):
|
def add_barman(self, user):
|
||||||
"""
|
"""
|
||||||
Logs a barman in to the given counter
|
Logs a barman in to the given counter
|
||||||
|
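Review bot: `gen_token` produces a value that `CheckTokenMixin` and `send_file` treat as an authorisation secret, but draws it from `random.choice`, i.e. the default Mersenne Twister generator, which is not a cryptographic source. Use the OS-backed generator with the same alphabet and length and no new import: `rng = random.SystemRandom()` followed by `self.token = ''.join(rng.choice(string.ascii_letters + string.digits) for _ in range(30))`. Since the `token` field added in the earlier hunk of this file is `null=True, blank=True` and `CounterLogin.post` is the only caller of `gen_token` visible in this commit, the docstring could also state that a counter holds no token until its first barman logs in and that every call replaces the previous token.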
@ -31,6 +31,7 @@
|
|||||||
<p>{% trans %}Enter client code:{% endtrans %}</p>
|
<p>{% trans %}Enter client code:{% endtrans %}</p>
|
||||||
<form method="post" action="">
|
<form method="post" action="">
|
||||||
{% csrf_token %}
|
{% csrf_token %}
|
||||||
|
<input type="hidden" name="counter_token" value="{{ counter.token }}" />
|
||||||
{{ form.as_p() }}
|
{{ form.as_p() }}
|
||||||
<p><input type="submit" value="{% trans %}validate{% endtrans %}" /></p>
|
<p><input type="submit" value="{% trans %}validate{% endtrans %}" /></p>
|
||||||
</form>
|
</form>
|
||||||
|
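Review bot: The hidden `<input type="hidden" name="counter_token" value="{{ counter.token }}" />` writes the counter's token into the HTML of the counter page, yet none of the views in this commit read `counter_token` from `request.POST` — every check compares `request.session['counter_token']` — so the field appears unused and only discloses the secret to anyone who can load the page or sees it in a proxy log. Unless a consumer exists outside this diff, drop the input; the session already carries the token after `CounterLogin.post`. If it is needed, a template comment should say which handler reads it and why the token must be echoed to the client.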
@ -62,7 +62,14 @@ class RefillForm(forms.ModelForm):
|
|||||||
model = Refilling
|
model = Refilling
|
||||||
fields = ['amount', 'payment_method', 'bank']
|
fields = ['amount', 'payment_method', 'bank']
|
||||||
|
|
||||||
class CounterMain(DetailView, ProcessFormView, FormMixin):
|
class CheckTokenMixin:
|
||||||
|
def post(self, request, *args, **kwargs):
|
||||||
|
if not ('counter_token' in self.request.session.keys() and self.request.session['counter_token'] == self.object.token):
|
||||||
|
return HttpResponseRedirect(reverse_lazy('counter:details', args=self.args,
|
||||||
|
kwargs={'counter_id': self.object.id})+'?bad_location')
|
||||||
|
return super(CheckTokenMixin, self).post(request, *args, **kwargs)
|
||||||
|
|
||||||
|
class CounterMain(DetailView, CheckTokenMixin, ProcessFormView, FormMixin):
|
||||||
"""
|
"""
|
||||||
The public (barman) view
|
The public (barman) view
|
||||||
"""
|
"""
|
||||||
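Review bot: `CheckTokenMixin.post` repeats the token check that `CounterMain.post` and `CounterClick.post` perform inline in the later hunks of this file (`@ -71,6 +78,14` and `@ -145,6 +163,10`), but without their `self.object.type == "BAR"` guard; because `CounterMain.post` finishes with `super(CounterMain, self).post(...)`, the mixin's unguarded check runs next in the MRO, so a counter that never received a token (`gen_token` is only called from `CounterLogin.post`) would presumably be redirected to `?bad_location` on every POST. Either move the guard into the mixin — `if self.object.type == "BAR" and not ('counter_token' in self.request.session.keys() and self.request.session['counter_token'] == self.object.token):` — and delete the two inline copies, or drop the mixin; keeping both is one check too many and two places to keep in sync. The mixin also depends on the subclass having set `self.object` before `super().post` is reached, which deserves a docstring such as `"""Redirect to the counter page with ?bad_location unless the session token matches self.object.token; the subclass must set self.object first."""`. `CounterClick.post` begins before its hunk, so whether it ever calls `super().post` and reaches the mixin is not visible here.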
@ -71,6 +78,14 @@ class CounterMain(DetailView, ProcessFormView, FormMixin):
|
|||||||
pk_url_kwarg = "counter_id"
|
pk_url_kwarg = "counter_id"
|
||||||
form_class = GetUserForm # Form to enter a client code and get the corresponding user id
|
form_class = GetUserForm # Form to enter a client code and get the corresponding user id
|
||||||
|
|
||||||
|
def post(self, request, *args, **kwargs):
|
||||||
|
self.object = self.get_object()
|
||||||
|
if self.object.type == "BAR" and not ('counter_token' in self.request.session.keys() and
|
||||||
|
self.request.session['counter_token'] == self.object.token): # Check the token to avoid the bar to be stolen
|
||||||
|
return HttpResponseRedirect(reverse_lazy('counter:details', args=self.args,
|
||||||
|
kwargs={'counter_id': self.object.id})+'?bad_location')
|
||||||
|
return super(CounterMain, self).post(request, *args, **kwargs)
|
||||||
|
|
||||||
def get_context_data(self, **kwargs):
|
def get_context_data(self, **kwargs):
|
||||||
"""
|
"""
|
||||||
We handle here the login form for the barman
|
We handle here the login form for the barman
|
||||||
@ -87,6 +102,9 @@ class CounterMain(DetailView, ProcessFormView, FormMixin):
|
|||||||
if "sellers" in self.request.GET:
|
if "sellers" in self.request.GET:
|
||||||
kwargs['login_form'].add_error(None, _("User is not barman"))
|
kwargs['login_form'].add_error(None, _("User is not barman"))
|
||||||
kwargs['form'] = self.get_form()
|
kwargs['form'] = self.get_form()
|
||||||
|
kwargs['form'].cleaned_data = {} # same as above
|
||||||
|
if "bad_location" in self.request.GET:
|
||||||
|
kwargs['form'].add_error(None, _("Bad location"))
|
||||||
if self.object.type == 'BAR':
|
if self.object.type == 'BAR':
|
||||||
kwargs['barmen'] = self.object.get_barmen_list()
|
kwargs['barmen'] = self.object.get_barmen_list()
|
||||||
elif self.request.user.is_authenticated():
|
elif self.request.user.is_authenticated():
|
||||||
@ -108,7 +126,7 @@ class CounterMain(DetailView, ProcessFormView, FormMixin):
|
|||||||
def get_success_url(self):
|
def get_success_url(self):
|
||||||
return reverse_lazy('counter:click', args=self.args, kwargs=self.kwargs)
|
return reverse_lazy('counter:click', args=self.args, kwargs=self.kwargs)
|
||||||
|
|
||||||
class CounterClick(DetailView):
|
class CounterClick(DetailView, CheckTokenMixin):
|
||||||
"""
|
"""
|
||||||
The click view
|
The click view
|
||||||
This is a detail view not to have to worry about loading the counter
|
This is a detail view not to have to worry about loading the counter
|
||||||
@ -145,6 +163,10 @@ class CounterClick(DetailView):
|
|||||||
(self.object.type == "BAR" and
|
(self.object.type == "BAR" and
|
||||||
len(self.object.get_barmen_list()) < 1)): # Check that at least one barman is logged in
|
len(self.object.get_barmen_list()) < 1)): # Check that at least one barman is logged in
|
||||||
return self.cancel(request)
|
return self.cancel(request)
|
||||||
|
if self.object.type == "BAR" and not ('counter_token' in self.request.session.keys() and
|
||||||
|
self.request.session['counter_token'] == self.object.token): # Also check the token to avoid the bar to be stolen
|
||||||
|
return HttpResponseRedirect(reverse_lazy('counter:details', args=self.args,
|
||||||
|
kwargs={'counter_id': self.object.id})+'?bad_location')
|
||||||
if 'basket' not in request.session.keys():
|
if 'basket' not in request.session.keys():
|
||||||
request.session['basket'] = {}
|
request.session['basket'] = {}
|
||||||
request.session['basket_total'] = 0
|
request.session['basket_total'] = 0
|
||||||
@ -346,7 +368,7 @@ class CounterLogin(RedirectView):
|
|||||||
"""
|
"""
|
||||||
Handle the login of a barman
|
Handle the login of a barman
|
||||||
|
|
||||||
Logged barmen are stored in the class-wide variable 'barmen_session', in the Counter model
|
Logged barmen are stored in the Permanency model
|
||||||
"""
|
"""
|
||||||
permanent = False
|
permanent = False
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
@ -360,6 +382,9 @@ class CounterLogin(RedirectView):
|
|||||||
if form.is_valid():
|
if form.is_valid():
|
||||||
user = User.objects.filter(username=form.cleaned_data['username']).first()
|
user = User.objects.filter(username=form.cleaned_data['username']).first()
|
||||||
if user in self.counter.sellers.all() and not user in self.counter.get_barmen_list():
|
if user in self.counter.sellers.all() and not user in self.counter.get_barmen_list():
|
||||||
|
if len(self.counter.get_barmen_list()) <= 0:
|
||||||
|
self.counter.gen_token()
|
||||||
|
request.session['counter_token'] = self.counter.token
|
||||||
self.counter.add_barman(user)
|
self.counter.add_barman(user)
|
||||||
else:
|
else:
|
||||||
self.errors += ["sellers"]
|
self.errors += ["sellers"]
|
||||||
|