From d61b03b8223f4cb82c2bc23dcb0578410ccf9119 Mon Sep 17 00:00:00 2001
From: Thomas Steen Rasmussen
Date: Tue, 11 Aug 2020 03:26:30 +0200
Subject: [PATCH] fix permissions stuff maybe
---
 src/backoffice/mixins.py | 15 +++++++++++----
 src/backoffice/views.py | 20 ++++++++------------
 2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/src/backoffice/mixins.py b/src/backoffice/mixins.py
index b3aca3b4..8daf1d97 100644
--- a/src/backoffice/mixins.py
+++ b/src/backoffice/mixins.py
@@ -1,4 +1,5 @@
 from camps.mixins import CampViewMixin
+from django.contrib.auth.mixins import UserPassesTestMixin
 from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404
 from economy.models import Pos
@@ -43,7 +44,7 @@ class ContentTeamPermissionMixin(RaisePermissionRequiredMixin):
 )
-class PosViewMixin(CampViewMixin):
+class PosViewMixin(CampViewMixin, UserPassesTestMixin):
 """A mixin to set self.pos based on pos_slug in url kwargs."""
 def setup(self, *args, **kwargs):
@@ -52,14 +53,20 @@ class PosViewMixin(CampViewMixin):
 Pos, team__camp=self.camp, slug=self.kwargs["pos_slug"]
 )
- def get_permission_required(self):
+ def test_func(self):
 """ This view requires two permissions, camps.backoffice_permission and the permission_set for the team in question. """
 if not self.pos.team.permission_set:
 raise PermissionDenied("No permissions set defined for this team")
- perms = ["camps.backoffice_permission"]
- return perms
+ if not self.request.user.has_perm("camps.backoffice_permission"):
+ raise PermissionDenied("User has no backoffice permission")
+
+ if not self.request.user.has_perm(
+ "camps.orgateam_permission"
+ ) and not self.request.user.has_perm("camps." + self.pos.team.permission_set):
+ raise PermissionDenied("User has no permission for this Pos")
+ return True
 def get_context_data(self, *args, **kwargs):
 context = super().get_context_data(*args, **kwargs)
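Review bot: In the new `class PosViewMixin(CampViewMixin, UserPassesTestMixin):` line the access mixin sits to the right of CampViewMixin, so any `dispatch()` that CampViewMixin defines would run before `UserPassesTestMixin.dispatch()` calls `test_func`. CampViewMixin's body is not visible in this patch, so whether that matters today cannot be confirmed from here, but listing the access mixin first removes the dependency: `class PosViewMixin(UserPassesTestMixin, CampViewMixin):`. `setup()` runs before `dispatch()` in either order, so `self.pos` is still populated when the test runs. The class body continues outside this hunk.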
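Review bot: The docstring kept on `test_func` still describes two required permissions, but the added branch also accepts `camps.orgateam_permission` in place of the team permission, and that alternative should be documented, e.g. `"""Require camps.backoffice_permission plus either camps.orgateam_permission or the permission named by the Pos team's permission_set."""`. Every failure path raises PermissionDenied inside `test_func` instead of returning False, so `handle_no_permission()` is never reached and an unauthenticated request gets a 403 rather than a login redirect. If that is intended, a short comment such as `# raise instead of returning False: always answer 403, never redirect to login` would keep a later change from silently altering it.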
diff --git a/src/backoffice/views.py b/src/backoffice/views.py
index 702e2a66..47604822 100644
--- a/src/backoffice/views.py
+++ b/src/backoffice/views.py
@@ -1978,7 +1978,7 @@ class PosListView(CampViewMixin, RaisePermissionRequiredMixin, ListView):
 template_name = "pos_list.html"
-class PosDetailView(PosViewMixin, RaisePermissionRequiredMixin, DetailView):
+class PosDetailView(PosViewMixin, DetailView):
 """Show details for a Pos."""
 model = Pos
@@ -2029,7 +2029,7 @@ class PosDeleteView(CampViewMixin, OrgaTeamPermissionMixin, DeleteView):
 return reverse("backoffice:pos_list", kwargs={"camp_slug": self.camp.slug})
-class PosReportCreateView(PosViewMixin, RaisePermissionRequiredMixin, CreateView):
+class PosReportCreateView(PosViewMixin, CreateView):
 """Use this view to create new PosReports."""
 model = PosReport
@@ -2066,7 +2066,7 @@ class PosReportCreateView(PosViewMixin, RaisePermissionRequiredMixin, CreateView
 )
-class PosReportUpdateView(PosViewMixin, RaisePermissionRequiredMixin, UpdateView):
+class PosReportUpdateView(PosViewMixin, UpdateView):
 """Use this view to update PosReports."""
 model = PosReport
@@ -2085,7 +2085,7 @@ class PosReportUpdateView(PosViewMixin, RaisePermissionRequiredMixin, UpdateView
 return context
-class PosReportDetailView(PosViewMixin, RaisePermissionRequiredMixin, DetailView):
+class PosReportDetailView(PosViewMixin, DetailView):
 """Show details for a PosReport."""
 model = PosReport
@@ -2093,9 +2093,7 @@ class PosReportDetailView(PosViewMixin, RaisePermissionRequiredMixin, DetailView
 pk_url_kwarg = "posreport_uuid"
-class PosReportBankCountStartView(
- PosViewMixin, RaisePermissionRequiredMixin, UpdateView
-):
+class PosReportBankCountStartView(PosViewMixin, UpdateView):
 """The bank responsible for a PosReport uses this view to add day-start HAX and DKK counts to a PosReport."""
 model = PosReport
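Review bot: With RaisePermissionRequiredMixin dropped, the only class-level authorization left on the PosReport views is `PosViewMixin.test_func`, which authorizes the Pos named by `pos_slug`, while the report itself is looked up separately through `pk_url_kwarg = "posreport_uuid"` (visible in the PosReportDetailView hunk). Nothing in these hunks shows the queryset being limited to `self.pos`, so it should be confirmed that a user permitted for one Pos cannot open or edit a report that belongs to a different Pos. If no such restriction exists outside the hunks, a `get_queryset()` on the PosReport views ending in `.filter(pos=self.pos)` would bind the two lookups together (the field name `pos` is assumed, not shown). The same question applies to PosReportUpdateView and to the bank and Pos count views, including the three later hunks of this file.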
@@ -2116,7 +2114,7 @@ class PosReportBankCountStartView(
 raise PermissionDenied("Only the bank responsible can do this")
-class PosReportBankCountEndView(PosViewMixin, RaisePermissionRequiredMixin, UpdateView):
+class PosReportBankCountEndView(PosViewMixin, UpdateView):
 """The bank responsible for a PosReport uses this view to add day-end HAX and DKK counts to a PosReport."""
 model = PosReport
@@ -2137,9 +2135,7 @@ class PosReportBankCountEndView(PosViewMixin, RaisePermissionRequiredMixin, Upda
 raise PermissionDenied("Only the bank responsible can do this")
-class PosReportPosCountStartView(
- PosViewMixin, RaisePermissionRequiredMixin, UpdateView
-):
+class PosReportPosCountStartView(PosViewMixin, UpdateView):
 """The Pos responsible for a PosReport uses this view to add day-start HAX and DKK counts to a PosReport."""
 model = PosReport
@@ -2160,7 +2156,7 @@ class PosReportPosCountStartView(
 raise PermissionDenied("Only the Pos responsible can do this")
-class PosReportPosCountEndView(PosViewMixin, RaisePermissionRequiredMixin, UpdateView):
+class PosReportPosCountEndView(PosViewMixin, UpdateView):
 """The Pos responsible for a PosReport uses this view to add day-end HAX and DKK counts to a PosReport."""
 model = PosReport