Some selected club members can now make people subscribe and fix major security hole in board_member verification

core/models.py

@@ -300,7 +300,15 @@ class User(AbstractBaseUser):
     @cached_property
     def is_board_member(self):
         from club.models import Club
-        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
+        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
+
+    @cached_property
+    def can_create_subscription(self):
+        from club.models import Club
+        for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
+            if club.has_rights_in_club(self):
+                return True
+        return False
 
     @cached_property
     def is_launderette_manager(self):
@@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
     def __init__(self, request):
         super(AnonymousUser, self).__init__()
 
+    @property
+    def can_create_subscription(self):
+        return False
+
     @property
     def was_subscribed(self):
         return False

core/templates/core/user_tools.jinja

@@ -14,8 +14,10 @@
     <li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
     <li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
     {% endif %}
-    {% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
+    {% if user.can_create_subscription or user.is_root %}
     <li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
+    {% endif %}
+    {% if user.is_board_member or user.is_root %}
     <li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
     <li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
     {% endif %}