From 17b483bd2102ca74ea006e73ecc4cc8ef106723f Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 27 Sep 2016 21:05:57 +0200
Subject: [PATCH 1/4] AutoCompleteSelectField on clubs
---
 club/views.py | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/club/views.py b/club/views.py
index 893da684..2108e1ee 100644
--- a/club/views.py
+++ b/club/views.py
@@ -9,6 +9,7 @@ from django.core.urlresolvers import reverse
 from django.utils import timezone
 from django.utils.translation import ugettext as _
 from django.conf import settings
+from ajax_select.fields import AutoCompleteSelectField
 from datetime import timedelta
@@ -98,20 +99,7 @@ class ClubMemberForm(forms.ModelForm):
     class Meta:
         model = Membership
         fields = ['user', 'role', 'description']
-
-    def clean(self):
-        """
-        Validates the permissions
-        e.g.: the president can add anyone anywhere, but a member can not make someone become president
-        """
-        ret = super(ClubMemberForm, self).clean()
-        ms = self.instance.club.get_membership_for(self._user)
-        if (self.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
-                (ms is not None and ms.role >= self.cleaned_data['role']) or
-                self._user.is_in_group(SITH_MAIN_BOARD_GROUP) or
-                self._user.is_superuser):
-            return ret
-        raise ValidationError("You do not have the permission to do that")
+    user = AutoCompleteSelectField('users', required=True, label=_("Select user"), help_text=None)
     def save(self, *args, **kwargs):
         """
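Review bot: Deleting `clean()` removes the only place where `ClubMemberForm` itself enforced who may assign which `role`, so any caller that validates and saves this form without going through `ClubMembersView.post` now gets no authorization check at all; the form should at least state this new contract. A class docstring such as `Membership form without permission checks: validating that the requesting user may grant the chosen role is the responsibility of the view (see ClubMembersView.post).` would make the moved responsibility explicit to the next maintainer. The `save()` method that starts at the end of the hunk continues outside it.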
@@ -140,10 +128,28 @@ class ClubMembersView(ClubTabsMixin, CanViewMixin, UpdateView):
         form.instance = Membership.objects.filter(club=self.object).filter(user=form.data.get('user')).filter(end_date=None).first()
         if form.instance is None: # Instanciate a new membership
             form.instance = Membership(club=self.object, user=self.request.user)
-            form.initial = {'user': self.request.user}
-            form._user = self.request.user
+            # form.initial = {'user': self.request.user}
+            # form._user = self.request.user
         return form
+    def post(self, request, *args, **kwargs):
+        """
+        Check user rights
+        """
+        self.object = self.get_object()
+        form = self.get_form()
+        if form.is_valid():
+            ms = self.object.get_membership_for(request.user)
+            if (form.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
+                    (ms is not None and ms.role >= form.cleaned_data['role']) or
+                    request.user.is_in_group(SITH_MAIN_BOARD_GROUP) or
+                    request.user.is_root or request.user.is_board_member):
+                return self.form_valid(form)
+            else:
+                return self.form_invalid(form)
+        else:
+            return self.form_invalid(form)
+
 class ClubOldMembersView(ClubTabsMixin, CanViewMixin, DetailView):
     """
     Old members of a club
From 17b098ca2a8437166265a6a53cab080cb4e79235 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 27 Sep 2016 22:57:06 +0200
Subject: [PATCH 2/4] Fixed lookup for loged barmen
---
 core/lookups.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/core/lookups.py b/core/lookups.py
index 691cc2f2..9a4b3d2c 100644
--- a/core/lookups.py
+++ b/core/lookups.py
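Review bot: When `form.is_valid()` succeeds but the role check in `post` fails, the method returns `self.form_invalid(form)` without attaching any error, so the re-rendered page gives the user no indication that the request was refused and the message the deleted `clean()` used to raise is lost. Add `form.add_error(None, _("You do not have the permission to do that"))` immediately before that inner `return self.form_invalid(form)` so the refusal is visible and consistent with the previous behaviour. In `get_form`, the `form.initial` / `form._user` lines are commented out instead of removed; nothing in this hunk reads `form._user` any more, so the two dead lines should simply be deleted. `ClubMembersView` begins before the hunk and `get_form` is only partially visible.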
@@ -7,9 +7,14 @@ from club.models import Club
 from counter.models import Product, Counter
 from accounting.models import ClubAccount, Company
+def is_token(request):
+    return ('counter_token' in request.session.keys() and
+            request.session['counter_token'] and
+            Counter.objects.filter(token=request.session['counter_token']).exists())
+
 class RightManagedLookupChannel(LookupChannel):
     def check_auth(self, request):
-        if not request.user.subscribed:
+        if not request.user.subscribed and not is_token(request):
             raise PermissionDenied
 @register('users')
From 1c6df0909b4a39adb63de25622bc7336ce3ab9db Mon Sep 17 00:00:00 2001
From: klmp200
Date: Wed, 28 Sep 2016 10:46:06 +0200
Subject: [PATCH 3/4] Fixes double check on board member in club view
---
 club/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/club/views.py b/club/views.py
index 2108e1ee..65760f38 100644
--- a/club/views.py
+++ b/club/views.py
@@ -142,8 +142,8 @@ class ClubMembersView(ClubTabsMixin, CanViewMixin, UpdateView):
             ms = self.object.get_membership_for(request.user)
             if (form.cleaned_data['role'] <= SITH_MAXIMUM_FREE_ROLE or
                     (ms is not None and ms.role >= form.cleaned_data['role']) or
-                    request.user.is_in_group(SITH_MAIN_BOARD_GROUP) or
-                    request.user.is_root or request.user.is_board_member):
+                    request.user.is_board_member or
+                    request.user.is_root):
                 return self.form_valid(form)
             else:
                 return self.form_invalid(form)
From 8ef45bf03cdde3dc8c323b48bf06b0b8519f52c8 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Wed, 28 Sep 2016 10:53:27 +0200
Subject: [PATCH 4/4] Rename is_token to check_token
---
 core/lookups.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/lookups.py b/core/lookups.py
index 9a4b3d2c..43c20e7a 100644
--- a/core/lookups.py
+++ b/core/lookups.py
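Review bot: Placing the `is_token` bypass in `RightManagedLookupChannel.check_auth` widens access for every lookup channel that inherits from it — the `users` channel registered right below and, presumably, the club/product/counter/account channels whose models are imported at the top — to any request whose user is not subscribed but whose session holds a valid counter token, whereas the commit message only describes the barman use case. If the counter UI needs only the user lookup, override `check_auth` on that channel and keep the base class strict; otherwise document the widened scope next to the condition, e.g. `# A session holding a valid counter token (logged-in barman) may use every lookup channel`. As a point of style, `'counter_token' in request.session.keys()` is simply `'counter_token' in request.session`, and the truthiness test on `request.session['counter_token']` is redundant with the following `.exists()` lookup.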
@@ -7,14 +7,14 @@ from club.models import Club
 from counter.models import Product, Counter
 from accounting.models import ClubAccount, Company
-def is_token(request):
+def check_token(request):
     return ('counter_token' in request.session.keys() and
             request.session['counter_token'] and
             Counter.objects.filter(token=request.session['counter_token']).exists())
 class RightManagedLookupChannel(LookupChannel):
     def check_auth(self, request):
-        if not request.user.subscribed and not is_token(request):
+        if not request.user.subscribed and not check_token(request):
             raise PermissionDenied
 @register('users')