diff --git a/club/views.py b/club/views.py
index 893da684..65760f38 100644
--- a/club/views.py
+++ b/club/views.py
@@ -9,6 +9,7 @@ from django.core.urlresolvers import reverse
 from django.utils import timezone
 from django.utils.translation import ugettext as _
 from django.conf import settings
+from ajax_select.fields import AutoCompleteSelectField
 from datetime import timedelta
 
 
@@ -98,20 +99,7 @@ class ClubMemberForm(forms.ModelForm):
     class Meta:
         model = Membership
         fields = ['user', 'role', 'description']
-
-    def clean(self):
-        """
-        Validates the permissions
-        e.g.: the president can add anyone anywhere, but a member can not make someone become president
-        """
-        ret = super(ClubMemberForm, self).clean()
-        ms = self.instance.club.get_membership_for(self._user)
-        if (self.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
-                (ms is not None and ms.role >= self.cleaned_data['role']) or
-                self._user.is_in_group(SITH_MAIN_BOARD_GROUP) or
-                self._user.is_superuser):
-            return ret
-        raise ValidationError("You do not have the permission to do that")
+    user = AutoCompleteSelectField('users', required=True, label=_("Select user"), help_text=None)
 
     def save(self, *args, **kwargs):
         """
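Review bot: Dropping `clean()` leaves `ClubMemberForm` with no authorization of its own — the role check that used to run on every validation now exists only in `ClubMembersView.post`, so any other view, admin action or script that validates and saves this form will accept any role for any user. If the form is intentionally only usable from that view, say so in its docstring, e.g. `Permission checks are not done here; ClubMembersView.post verifies the submitter may grant the requested role.`; otherwise keep a check in the form as well. The new `user` field points at the `users` lookup channel, whose access rules are being widened in the core/lookups.py hunk of this same commit, so the two changes should be reviewed together. `save` continues outside the hunk.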
@@ -140,10 +128,28 @@ class ClubMembersView(ClubTabsMixin, CanViewMixin, UpdateView):
         form.instance = Membership.objects.filter(club=self.object).filter(user=form.data.get('user')).filter(end_date=None).first()
         if form.instance is None: # Instanciate a new membership
             form.instance = Membership(club=self.object, user=self.request.user)
-        form.initial = {'user': self.request.user}
-        form._user = self.request.user
+        # form.initial = {'user': self.request.user}
+        # form._user = self.request.user
         return form
 
+    def post(self, request, *args, **kwargs):
+        """
+        Check user rights
+        """
+        self.object = self.get_object()
+        form = self.get_form()
+        if form.is_valid():
+            ms = self.object.get_membership_for(request.user)
+            if (form.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
+                    (ms is not None and ms.role >= form.cleaned_data['role']) or
+                    request.user.is_board_member or
+                    request.user.is_root):
+                return self.form_valid(form)
+            else:
+                return self.form_invalid(form)
+        else:
+            return self.form_invalid(form)
+
 class ClubOldMembersView(ClubTabsMixin, CanViewMixin, DetailView):
     """
     Old members of a club
diff --git a/core/lookups.py b/core/lookups.py
index 691cc2f2..43c20e7a 100644
--- a/core/lookups.py
+++ b/core/lookups.py
@@ -7,9 +7,14 @@ from club.models import Club
 from counter.models import Product, Counter
 from accounting.models import ClubAccount, Company
 
+def check_token(request):
+    return ('counter_token' in request.session.keys() and
+            request.session['counter_token'] and
+            Counter.objects.filter(token=request.session['counter_token']).exists())
+
 class RightManagedLookupChannel(LookupChannel):
     def check_auth(self, request):
-        if not request.user.subscribed:
+        if not request.user.subscribed and not check_token(request):
             raise PermissionDenied
 
 @register('users')
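Review bot: A submitter who fails the role check in `post` gets `form_invalid(form)` back with no error attached, so the re-rendered form gives no hint why the membership was not saved — the `clean()` this replaces raised `ValidationError("You do not have the permission to do that")`, which Django would have displayed. Attach the message before returning, and the nested `if`/`else` pairs can be flattened into guard clauses at the same time (rewritten below). The two `# form.initial` / `# form._user` lines in `get_form` are dead code and should be deleted rather than commented out; `get_form` begins outside the hunk. `is_board_member` and `is_root` replace `is_in_group(SITH_MAIN_BOARD_GROUP)` and `is_superuser` from the removed code, and their definitions are not visible here, so confirm they grant the same set of users the bypass.
```python
    def post(self, request, *args, **kwargs):
        """
        Save the membership only if the submitter may grant the requested role.
        """
        self.object = self.get_object()
        form = self.get_form()
        if not form.is_valid():
            return self.form_invalid(form)
        ms = self.object.get_membership_for(request.user)
        if (form.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
                (ms is not None and ms.role >= form.cleaned_data['role']) or
                request.user.is_board_member or
                request.user.is_root):
            return self.form_valid(form)
        # Tell the submitter why nothing was saved instead of silently re-rendering
        form.add_error(None, _("You do not have the permission to do that"))
        return self.form_invalid(form)
```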
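Review bot: `check_token` widens access for every channel built on `RightManagedLookupChannel`, not only the `users` lookup the counter form needs — the imports show channels for Club, Product, Counter, ClubAccount and Company, and a session holding any valid counter token can now query all of them without a subscription. If only the user autocomplete is needed, move the token bypass into that channel's `check_auth` (or give `check_token` an allow-list of channels), and add a comment on the base class saying which callers are exempted and why. The helper can also be written without the double session lookup: `token = request.session.get('counter_token')` followed by `return bool(token) and Counter.objects.filter(token=token).exists()`. The hunk does not show how `counter_token` is placed in the session or whether counter tokens are ever rotated, so confirm a stale session value cannot keep a lookup open after the counter's token changes.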