Only staff with good permission mask can visit Django Admin

2025-06-20 17:41:55 +02:00 · 2020-07-29 11:38:59 +02:00
parent d455c5c533
commit b8a88eeda4
13 changed files with 196 additions and 162 deletions
--- a/apps/member/admin.py
+++ b/apps/member/admin.py
@ -5,6 +5,7 @@ from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin
 from django.contrib.auth.models import User

+from note_kfet.admin import admin_site
 from .forms import ProfileForm
 from .models import Club, Membership, Profile

@ -33,9 +34,8 @@ class CustomUserAdmin(UserAdmin):


 # Update Django User with profile
-admin.site.unregister(User)
-admin.site.register(User, CustomUserAdmin)
+admin_site.register(User, CustomUserAdmin)

 # Add other models
-admin.site.register(Club)
-admin.site.register(Membership)
+admin_site.register(Club)
+admin_site.register(Membership)
--- a/apps/note/admin.py
+++ b/apps/note/admin.py
@ -6,6 +6,8 @@ from django.utils.translation import gettext_lazy as _
 from polymorphic.admin import PolymorphicChildModelAdmin, \
    PolymorphicChildModelFilter, PolymorphicParentModelAdmin

+from note_kfet.admin import admin_site
+
 from .models.notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
 from .models.transactions import Transaction, TemplateCategory, TransactionTemplate, \
    RecurrentTransaction, MembershipTransaction, SpecialTransaction
@ -19,7 +21,7 @@ class AliasInlines(admin.TabularInline):
    model = Alias


-@admin.register(Note)
+@admin.register(Note, site=admin_site)
 class NoteAdmin(PolymorphicParentModelAdmin):
    """
    Parent regrouping all note types as children
@ -42,7 +44,7 @@ class NoteAdmin(PolymorphicParentModelAdmin):
    search_fields = ['alias__name']


-@admin.register(NoteClub)
+@admin.register(NoteClub, site=admin_site)
 class NoteClubAdmin(PolymorphicChildModelAdmin):
    """
    Child for a club note, see NoteAdmin
@ -66,7 +68,7 @@ class NoteClubAdmin(PolymorphicChildModelAdmin):
        return False


-@admin.register(NoteSpecial)
+@admin.register(NoteSpecial, site=admin_site)
 class NoteSpecialAdmin(PolymorphicChildModelAdmin):
    """
    Child for a special note, see NoteAdmin
@ -74,7 +76,7 @@ class NoteSpecialAdmin(PolymorphicChildModelAdmin):
    readonly_fields = ('balance',)


-@admin.register(NoteUser)
+@admin.register(NoteUser, site=admin_site)
 class NoteUserAdmin(PolymorphicChildModelAdmin):
    """
    Child for an user note, see NoteAdmin
@ -97,7 +99,7 @@ class NoteUserAdmin(PolymorphicChildModelAdmin):
        return False


-@admin.register(Transaction)
+@admin.register(Transaction, site=admin_site)
 class TransactionAdmin(PolymorphicParentModelAdmin):
    """
    Admin customisation for Transaction
@ -138,21 +140,21 @@ class TransactionAdmin(PolymorphicParentModelAdmin):
        return []


-@admin.register(MembershipTransaction)
+@admin.register(MembershipTransaction, site=admin_site)
 class MembershipTransactionAdmin(PolymorphicChildModelAdmin):
    """
    Admin customisation for MembershipTransaction
    """


-@admin.register(SpecialTransaction)
+@admin.register(SpecialTransaction, site=admin_site)
 class SpecialTransactionAdmin(PolymorphicChildModelAdmin):
    """
    Admin customisation for SpecialTransaction
    """


-@admin.register(TransactionTemplate)
+@admin.register(TransactionTemplate, site=admin_site)
 class TransactionTemplateAdmin(admin.ModelAdmin):
    """
    Admin customisation for TransactionTemplate
@ -170,7 +172,7 @@ class TransactionTemplateAdmin(admin.ModelAdmin):
    poly_destination.short_description = _('destination')


-@admin.register(TemplateCategory)
+@admin.register(TemplateCategory, site=admin_site)
 class TemplateCategoryAdmin(admin.ModelAdmin):
    """
    Admin customisation for TransactionTemplate
--- a/apps/permission/admin.py
+++ b/apps/permission/admin.py
@ -3,10 +3,11 @@

 from django.contrib import admin

+from note_kfet.admin import admin_site
 from .models import Permission, PermissionMask, Role


-@admin.register(PermissionMask)
+@admin.register(PermissionMask, site=admin_site)
 class PermissionMaskAdmin(admin.ModelAdmin):
    """
    Admin customisation for PermissionMask
@ -14,7 +15,7 @@ class PermissionMaskAdmin(admin.ModelAdmin):
    list_display = ('description', 'rank', )


-@admin.register(Permission)
+@admin.register(Permission, site=admin_site)
 class PermissionAdmin(admin.ModelAdmin):
    """
    Admin customisation for Permission
@ -22,7 +23,7 @@ class PermissionAdmin(admin.ModelAdmin):
    list_display = ('type', 'model', 'field', 'mask', 'description', )


-@admin.register(Role)
+@admin.register(Role, site=admin_site)
 class RoleAdmin(admin.ModelAdmin):
    """
    Admin customisation for Role
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@ -42,7 +42,7 @@ class PermissionBackend(ModelBackend):

        for membership in memberships:
            for role in membership.roles.all():
-                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", 42)).all():
+                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
                    if not perm.permanent:
                        if membership.date_start > timezone.now().date() or membership.date_end < timezone.now().date():
                            continue
@ -101,7 +101,7 @@ class PermissionBackend(ModelBackend):
            # Anonymous users can't do anything
            return Q(pk=-1)

-        if user.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
+        if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            # Superusers have all rights
            return Q()

@ -137,7 +137,7 @@ class PermissionBackend(ModelBackend):
        if sess is not None and sess.session_key is None:
            return False

-        if user_obj.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
+        if user_obj.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            return True

        if obj is None:
--- a/apps/permission/templatetags/perms.py
+++ b/apps/permission/templatetags/perms.py
@ -1,6 +1,7 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

+from django.contrib.auth.models import AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.template.defaultfilters import stringfilter
 from django import template
@ -16,9 +17,9 @@ def not_empty_model_list(model_name):
    """
    user = get_current_authenticated_user()
    session = get_current_session()
-    if user is None:
+    if user is None or isinstance(user, AnonymousUser):
        return False
-    elif user.is_superuser and session.get("permission_mask", 0) >= 42:
+    elif user.is_superuser and session.get("permission_mask", -1) >= 42:
        return True
    qs = model_list(model_name)
    return qs.exists()
@ -31,9 +32,9 @@ def not_empty_model_change_list(model_name):
    """
    user = get_current_authenticated_user()
    session = get_current_session()
-    if user is None:
+    if user is None or isinstance(user, AnonymousUser):
        return False
-    elif user.is_superuser and session.get("permission_mask", 0) >= 42:
+    elif user.is_superuser and session.get("permission_mask", -1) >= 42:
        return True
    qs = model_list(model_name, "change")
    return qs.exists()
@ -45,11 +46,11 @@ def model_list(model_name, t="view", fetch=True):
    Return the queryset of all visible instances of the given model.
    """
    user = get_current_authenticated_user()
-    if user is None:
-        return False
    spl = model_name.split(".")
    ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
    qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(user, ct, t))
+    if user is None or isinstance(user, AnonymousUser):
+        return qs.none()
    if fetch:
        qs = qs.all()
    return qs
@ -73,9 +74,9 @@ def can_create_transaction():
    """
    user = get_current_authenticated_user()
    session = get_current_session()
-    if user is None:
+    if user is None or isinstance(user, AnonymousUser):
        return False
-    elif user.is_superuser and session.get("permission_mask", 0) >= 42:
+    elif user.is_superuser and session.get("permission_mask", -1) >= 42:
        return True
    if session.get("can_create_transaction", None):
        return session.get("can_create_transaction", None) == 1
--- a/apps/treasury/admin.py
+++ b/apps/treasury/admin.py
@ -3,10 +3,11 @@

 from django.contrib import admin

+from note_kfet.admin import admin_site
 from .models import RemittanceType, Remittance, SogeCredit


-@admin.register(RemittanceType)
+@admin.register(RemittanceType, site=admin_site)
 class RemittanceTypeAdmin(admin.ModelAdmin):
    """
    Admin customisation for RemiitanceType
@ -14,7 +15,7 @@ class RemittanceTypeAdmin(admin.ModelAdmin):
    list_display = ('note', )


-@admin.register(Remittance)
+@admin.register(Remittance, site=admin_site)
 class RemittanceAdmin(admin.ModelAdmin):
    """
    Admin customisation for Remittance
@ -27,4 +28,4 @@ class RemittanceAdmin(admin.ModelAdmin):
        return not obj.closed and super().has_change_permission(request, obj)


-admin.site.register(SogeCredit)
+admin_site.register(SogeCredit)
--- a/apps/wei/admin.py
+++ b/apps/wei/admin.py
@ -1,13 +1,12 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from django.contrib import admin
-
+from note_kfet.admin import admin_site
 from .models import WEIClub, WEIRegistration, WEIMembership, WEIRole, Bus, BusTeam

-admin.site.register(WEIClub)
-admin.site.register(WEIRegistration)
-admin.site.register(WEIMembership)
-admin.site.register(WEIRole)
-admin.site.register(Bus)
-admin.site.register(BusTeam)
+admin_site.register(WEIClub)
+admin_site.register(WEIRegistration)
+admin_site.register(WEIMembership)
+admin_site.register(WEIRole)
+admin_site.register(Bus)
+admin_site.register(BusTeam)