Merge branch 'subscriptions' into 'master'

Some selected club members can now make people subscribe and fix major security …

Le bdf m'as demandé si c'était possible pour eux de faire des cotisations pour les nouveaux
Je retire WIP quand j'ai la confirmation du bureau que je peux faire ça
Par contre il j'y ai patché une grosse faille de sécurité : se mettre curieux à l'AE suffit à avoir tous les droits de board_member

See merge request !91
This commit is contained in:
Skia 2017-07-26 20:48:01 +02:00
commit e4e4eae11b
5 changed files with 26 additions and 7 deletions

View File

@ -139,10 +139,7 @@ class Club(models.Model):
"""
Method to see if that object can be edited by the given user
"""
ms = self.get_membership_for(user)
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
return True
return False
return self.has_rights_in_club(user)
def can_be_viewed_by(self, user):
"""
@ -170,6 +167,10 @@ class Club(models.Model):
Club._memberships[self.id][user.id] = m
return m
def has_rights_in_club(self, user):
m = self.get_membership_for(user)
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
class Membership(models.Model):
"""

View File

@ -300,7 +300,15 @@ class User(AbstractBaseUser):
@cached_property
def is_board_member(self):
from club.models import Club
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
@cached_property
def can_create_subscription(self):
from club.models import Club
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
if club.has_rights_in_club(self):
return True
return False
@cached_property
def is_launderette_manager(self):
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
def __init__(self, request):
super(AnonymousUser, self).__init__()
@property
def can_create_subscription(self):
return False
@property
def was_subscribed(self):
return False

View File

@ -14,8 +14,10 @@
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
{% endif %}
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
{% if user.can_create_subscription or user.is_root %}
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
{% endif %}
{% if user.is_board_member or user.is_root %}
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
{% endif %}

View File

@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
SITH_PRODUCTTYPE_SUBSCRIPTION = 2
SITH_CAN_CREATE_SUBSCRIPTIONS = [
1,
]
# Subscription durations are in semestres
# Be careful, modifying this parameter will need a migration to be applied
SITH_SUBSCRIPTIONS = {

View File

@ -106,7 +106,7 @@ class NewSubscription(CreateView):
def dispatch(self, request, *arg, **kwargs):
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
if request.user.can_create_subscription:
return res
raise PermissionDenied