Merge branch 'subscriptions' into 'master'

Some selected club members can now make people subscribe and fix major security … Le bdf m'as demandé si c'était possible pour eux de faire des cotisations pour les nouveaux Je retire WIP quand j'ai la confirmation du bureau que je peux faire ça Par contre il j'y ai patché une grosse faille de sécurité : se mettre curieux à l'AE suffit à avoir tous les droits de board_member See merge request !91
2025-05-25 11:47:36 +00:00 · 2017-07-26 20:48:01 +02:00 · 2017-07-26 20:48:01 +02:00 · e4e4eae11b
commit e4e4eae11b
parent b99bbc385a c56094eaaf
5 changed files with 26 additions and 7 deletions
--- a/club/models.py
+++ b/club/models.py
@ -139,10 +139,7 @@ class Club(models.Model):
        """
        Method to see if that object can be edited by the given user
        """
-        ms = self.get_membership_for(user)
-        if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
-            return True
-        return False
+        return self.has_rights_in_club(user)

    def can_be_viewed_by(self, user):
        """
@ -170,6 +167,10 @@ class Club(models.Model):
                Club._memberships[self.id][user.id] = m
            return m

+    def has_rights_in_club(self, user):
+        m = self.get_membership_for(user)
+        return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
+

 class Membership(models.Model):
    """
--- a/core/models.py
+++ b/core/models.py
@ -300,7 +300,15 @@ class User(AbstractBaseUser):
    @cached_property
    def is_board_member(self):
        from club.models import Club
-        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
+        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
+
+    @cached_property
+    def can_create_subscription(self):
+        from club.models import Club
+        for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
+            if club.has_rights_in_club(self):
+                return True
+        return False

    @cached_property
    def is_launderette_manager(self):
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
    def __init__(self, request):
        super(AnonymousUser, self).__init__()

+    @property
+    def can_create_subscription(self):
+        return False
+
    @property
    def was_subscribed(self):
        return False
--- a/core/templates/core/user_tools.jinja
+++ b/core/templates/core/user_tools.jinja
@ -14,8 +14,10 @@
    <li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
    <li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
    {% endif %}
-    {% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
+    {% if user.can_create_subscription or user.is_root %}
    <li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
+    {% endif %}
+    {% if user.is_board_member or user.is_root %}
    <li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
    <li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
    {% endif %}
--- a/sith/settings.py
+++ b/sith/settings.py
@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
 SITH_PRODUCTTYPE_SUBSCRIPTION = 2

+SITH_CAN_CREATE_SUBSCRIPTIONS = [
+    1,
+]
+
 # Subscription durations are in semestres
 # Be careful, modifying this parameter will need a migration to be applied
 SITH_SUBSCRIPTIONS = {
--- a/subscription/views.py
+++ b/subscription/views.py
@ -106,7 +106,7 @@ class NewSubscription(CreateView):

    def dispatch(self, request, *arg, **kwargs):
        res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
-        if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
+        if request.user.can_create_subscription:
            return res
        raise PermissionDenied