Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53

2025-06-21 01:48:21 +02:00 · 2020-08-13 15:20:15 +02:00
parent 71f6436d06
commit c466715e8a
15 changed files with 584 additions and 173 deletions
--- a/apps/treasury/views.py
+++ b/apps/treasury/views.py
@ -8,28 +8,28 @@ from tempfile import mkdtemp

 from crispy_forms.helper import FormHelper
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, PermissionDenied
 from django.db.models import Q
 from django.forms import Form
 from django.http import HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse_lazy
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import CreateView, UpdateView, DetailView
+from django.views.generic import UpdateView, DetailView
 from django.views.generic.base import View, TemplateView
 from django.views.generic.edit import BaseFormView, DeleteView
 from django_tables2 import SingleTableView
 from note.models import SpecialTransaction, NoteSpecial, Alias
 from note_kfet.settings.base import BASE_DIR
 from permission.backends import PermissionBackend
-from permission.views import ProtectQuerysetMixin
+from permission.views import ProtectQuerysetMixin, ProtectedCreateView

 from .forms import InvoiceForm, ProductFormSet, ProductFormSetHelper, RemittanceForm, LinkTransactionToRemittanceForm
 from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeCredit
 from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable


-class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
+class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
    """
    Create Invoice
    """
@ -37,6 +37,15 @@ class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
    form_class = InvoiceForm
    extra_context = {"title": _("Create new invoice")}

+    def get_sample_object(self):
+        return Invoice(
+            id=0,
+            object="",
+            description="",
+            name="",
+            address="",
+        )
+
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)

@ -72,7 +81,7 @@ class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
        return reverse_lazy('treasury:invoice_list')


-class InvoiceListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
+class InvoiceListView(LoginRequiredMixin, SingleTableView):
    """
    List existing Invoices
    """
@ -80,6 +89,18 @@ class InvoiceListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView)
    table_class = InvoiceTable
    extra_context = {"title": _("Invoices list")}

+    def dispatch(self, request, *args, **kwargs):
+        sample_invoice = Invoice(
+            id=0,
+            object="",
+            description="",
+            name="",
+            address="",
+        )
+        if not PermissionBackend.check_perm(self.request.user, "treasury.add_invoice", sample_invoice):
+            raise PermissionDenied(_("You are not able to see the treasury interface."))
+        return super().dispatch(request, *args, **kwargs)
+

 class InvoiceUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
    """
@ -194,7 +215,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
        return response


-class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
+class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
    """
    Create Remittance
    """
@ -202,6 +223,12 @@ class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView)
    form_class = RemittanceForm
    extra_context = {"title": _("Create a new remittance")}

+    def get_sample_object(self):
+        return Remittance(
+            remittance_type_id=1,
+            comment="",
+        )
+
    def get_success_url(self):
        return reverse_lazy('treasury:remittance_list')

@ -223,6 +250,15 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
    template_name = "treasury/remittance_list.html"
    extra_context = {"title": _("Remittances list")}

+    def dispatch(self, request, *args, **kwargs):
+        sample_remittance = Remittance(
+            remittance_type_id=1,
+            comment="",
+        )
+        if not PermissionBackend.check_perm(self.request.user, "treasury.add_remittance", sample_remittance):
+            raise PermissionDenied(_("You are not able to see the treasury interface."))
+        return super().dispatch(request, *args, **kwargs)
+
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)

@ -340,6 +376,11 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
    table_class = SogeCreditTable
    extra_context = {"title": _("List of credits from the Société générale")}

+    def dispatch(self, request, *args, **kwargs):
+        if not self.get_queryset().exists():
+            raise PermissionDenied(_("You are not able to see the treasury interface."))
+        return super().dispatch(request, *args, **kwargs)
+
    def get_queryset(self, **kwargs):
        """
        Filter the table with the given parameter.