Fix some permission issues regarding villages.

Víðir Valberg Guðmundsson 2016-07-16 11:15:26 +02:00
parent 178be1deb0
commit 11fd8ca0fd


@ -1,11 +1,13 @@
from django.http import Http404
from django.contrib.auth.mixins import LoginRequiredMixin
from django.core.urlresolvers import reverse_lazy from django.core.urlresolvers import reverse_lazy
from django.http import HttpResponseRedirect from django.http import HttpResponseRedirect
from django.views.generic import ( from django.views.generic import (
ListView, DetailView, CreateView, UpdateView, DeleteView ListView, DetailView, CreateView, UpdateView, DeleteView
) )
from .models import ( from django.views.generic.detail import SingleObjectMixin
Village,
) from .models import Village
class VillageListView(ListView): class VillageListView(ListView):
@ -20,7 +22,7 @@ class VillageDetailView(DetailView):
context_object_name = 'village' context_object_name = 'village'
class VillageCreateView(CreateView): class VillageCreateView(LoginRequiredMixin, CreateView):
model = Village model = Village
template_name = 'village_form.html' template_name = 'village_form.html'
fields = ['name', 'description', 'private'] fields = ['name', 'description', 'private']
@ -33,7 +35,21 @@ class VillageCreateView(CreateView):
return HttpResponseRedirect(village.get_absolute_url()) return HttpResponseRedirect(village.get_absolute_url())
class VillageUpdateView(UpdateView): class EnsureUserOwnsVillageMixin(SingleObjectMixin):
model = Village
def dispatch(self, request, *args, **kwargs):
# If the user is not contact for this village OR is not staff
if not request.user.is_staff:
if self.get_object().contact != request.user:
raise Http404("Village not found")
return super(EnsureUserOwnsVillageMixin, self).dispatch(
request, *args, **kwargs
)
class VillageUpdateView(EnsureUserOwnsVillageMixin, LoginRequiredMixin, UpdateView):
model = Village model = Village
queryset = Village.objects.not_deleted() queryset = Village.objects.not_deleted()
template_name = 'village_form.html' template_name = 'village_form.html'
@ -43,7 +59,7 @@ class VillageUpdateView(UpdateView):
return self.get_object().get_absolute_url() return self.get_object().get_absolute_url()
class VillageDeleteView(DeleteView): class VillageDeleteView(EnsureUserOwnsVillageMixin, LoginRequiredMixin, DeleteView):
model = Village model = Village
success_url = reverse_lazy('villages:list') success_url = reverse_lazy('villages:list')
template_name = 'village_confirm_delete.html' template_name = 'village_confirm_delete.html'
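Review bot: On the new `VillageUpdateView` and `VillageDeleteView` class lines, `EnsureUserOwnsVillageMixin` is listed before `LoginRequiredMixin`, so its `dispatch` runs first and the login check is reached only after the ownership check has passed. Anonymous requests still appear to be denied, but they would get the 404 rather than the redirect to the login page, and the object lookup runs for unauthenticated callers. Django's documentation asks for `LoginRequiredMixin` to be leftmost, e.g. `class VillageUpdateView(LoginRequiredMixin, EnsureUserOwnsVillageMixin, UpdateView):`, and the same for the delete view. The comment in `dispatch` also says "OR" while the code denies only a user who is neither staff nor the contact; `# Only staff or the village's contact may continue; everyone else gets a 404` would match. The bodies of both views continue outside the visible hunks.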