From 08e50ffc221a48d5b84af7aed886e71e44ee95ce Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Fri, 23 Oct 2020 18:19:21 +0200 Subject: [PATCH 1/5] Credit form didn't raise an error when the data didn't validate --- apps/member/views.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/member/views.py b/apps/member/views.py index 9a585ede..19be50ec 100644 --- a/apps/member/views.py +++ b/apps/member/views.py @@ -677,11 +677,13 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView): if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"): if not last_name: form.add_error('last_name', _("This field is required.")) + error = True if not first_name: form.add_error('first_name', _("This field is required.")) + error = True if not bank and credit_type.special_type == "Chèque": form.add_error('bank', _("This field is required.")) - return self.form_invalid(form) + error = True return not error From 6e80016b38b5d9e05fb87df7951f0c700ff643f6 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 25 Oct 2020 21:08:36 +0100 Subject: [PATCH 2/5] Don't delete object when checking an add permission: this is useless since we rollback to the initial DB state --- apps/permission/models.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apps/permission/models.py b/apps/permission/models.py index 17214894..9c1b2e6c 100644 --- a/apps/permission/models.py +++ b/apps/permission/models.py @@ -45,6 +45,7 @@ class InstancedPermission: with transaction.atomic(): sid = transaction.savepoint() for o in self.model.model_class().objects.filter(pk=0).all(): + o._no_signal = True o._force_delete = True Model.delete(o) # An object with pk 0 wouldn't deleted. That's not normal, we alert admins. 
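Review bot: The outer `if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):` on the hunk's first context line is now redundant — every inner branch sets `error = True` itself, so the three inner `if` blocks can stand at the outer level, which also stops the same conditions being evaluated twice. The enclosing method starts before the hunk, and `return not error` at the end relies on `error` being initialised to `False` there, which this hunk does not show. With the only `return self.form_invalid(form)` gone, whoever calls this method must now act on a `False` result itself; a one-line comment above the return such as `# False when a required field is missing; the caller is responsible for form_invalid()` would make that contract explicit.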
@@ -62,10 +63,6 @@ class InstancedPermission: obj._no_signal = True Model.save(obj, force_insert=True) ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists() - # Delete testing object - obj._no_signal = True - obj._force_delete = True - Model.delete(obj) transaction.savepoint_rollback(sid) return ret From fe4363b83de2f459d1048a0e7276f49b8b55697b Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 25 Oct 2020 21:29:44 +0100 Subject: [PATCH 3/5] Don't display too much detail when a user has no right to see a profile --- apps/member/tables.py | 16 ++++++++++ .../member/includes/profile_info.html | 30 ++++++++++--------- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/apps/member/tables.py b/apps/member/tables.py index bc40368c..a9676928 100644 --- a/apps/member/tables.py +++ b/apps/member/tables.py @@ -43,8 +43,24 @@ class UserTable(tables.Table): section = tables.Column(accessor='profile__section') + # Override the column to let replace the URL + email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email)) + balance = tables.Column(accessor='note__balance', verbose_name=_("Balance")) + def render_email(self, record, value): + # Replace the email by a dash if the user can't see the profile detail + # Replace also the URL + if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile): + value = "—" + record.email = value + return value + + def render_section(self, record, value): + return value \ + if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \ + else "—" + def render_balance(self, record, value): return pretty_money(value)\ if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—" diff --git a/apps/member/templates/member/includes/profile_info.html b/apps/member/templates/member/includes/profile_info.html index b7f2fe70..e008ec6a 100644 
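Review bot: With the explicit delete removed, the only thing that discards the probe row is `transaction.savepoint_rollback(sid)`, and nothing in the hunk says so; a comment where the deleted `# Delete testing object` block stood, e.g. `# The probe row is discarded by the savepoint rollback below; no explicit delete is needed.`, keeps the next reader from re-adding the delete. Note that the rollback restores the database only: `obj` still carries `pk=0` and whatever `Model.save(obj, force_insert=True)` set on it in memory, so it must not be reused after this point (whether it is depends on code outside the hunk). The enclosing method begins before the hunk.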
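Review bot: `render_email` hides the address by assigning `record.email = value`, i.e. it writes "—" into the ORM instance as a side effect of rendering a cell, and even then the `linkify` lambda still emits a `mailto:—` link for the hidden row. Making the decision in the lambda itself (returning `None` when the profile is not viewable, which django-tables2 renders as plain content without an anchor, if I remember its LinkTransform correctly) removes both the mutation and the bogus link, and a small helper lets `render_email`, `render_section` and the lambda share one permission check instead of repeating it. The class header is outside the hunk, so the helper below is shown at module level above it.
```python
def _can_view_profile(record):
    """True when the current user may see the profile details of this row's user."""
    return PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile)

# … unchanged: class UserTable header and the columns above `section` …
    # Hidden address: no mailto link at all (linkify returning None renders plain content)
    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email)
                               if _can_view_profile(record) else None)
    balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))

    def render_email(self, record, value):
        # Dash instead of the address when the profile is not viewable; the record is left untouched
        return value if _can_view_profile(record) else "—"

    def render_section(self, record, value):
        return value if _can_view_profile(record) else "—"
    # … unchanged: render_balance …
```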
--- a/apps/member/templates/member/includes/profile_info.html +++ b/apps/member/templates/member/includes/profile_info.html @@ -25,25 +25,27 @@ -
{% trans 'section'|capfirst %}
-
{{ user_object.profile.section }}
+ {% if "member.view_profile"|has_perm:user_object.profile %} +
{% trans 'section'|capfirst %}
+
{{ user_object.profile.section }}
-
{% trans 'email'|capfirst %}
-
{{ user_object.email }}
+
{% trans 'email'|capfirst %}
+
{{ user_object.email }}
-
{% trans 'phone number'|capfirst %}
-
{{ user_object.profile.phone_number }} -
+
{% trans 'phone number'|capfirst %}
+
{{ user_object.profile.phone_number }} +
-
{% trans 'address'|capfirst %}
-
{{ user_object.profile.address }}
+
{% trans 'address'|capfirst %}
+
{{ user_object.profile.address }}
- {% if user_object.note and "note.view_note"|has_perm:user_object.note %} -
{% trans 'balance'|capfirst %}
-
{{ user_object.note.balance | pretty_money }}
+ {% if user_object.note and "note.view_note"|has_perm:user_object.note %} +
{% trans 'balance'|capfirst %}
+
{{ user_object.note.balance | pretty_money }}
-
{% trans 'paid'|capfirst %}
-
{{ user_object.profile.paid|yesno }}
+
{% trans 'paid'|capfirst %}
+
{{ user_object.profile.paid|yesno }}
+ {% endif %} {% endif %} From 0e7390b669db57eb9bf21c74d3243b158e4a0c7d Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 25 Oct 2020 21:38:04 +0100 Subject: [PATCH 4/5] PC Kfet can see limited user information and clubs. It can create memberships but not see them --- apps/permission/fixtures/initial.json | 32 +++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/apps/permission/fixtures/initial.json b/apps/permission/fixtures/initial.json index 8c7ec9bc..7700f3e8 100644 --- a/apps/permission/fixtures/initial.json +++ b/apps/permission/fixtures/initial.json @@ -2839,6 +2839,22 @@ "description": "Voir n'importe quel profil non encore inscrit" } }, + { + "model": "permission.permission", + "pk": 182, + "fields": { + "model": [ + "auth", + "user" + ], + "query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}", + "type": "view", + "mask": 2, + "field": "", + "permanent": false, + "description": "Voir n'importe quel utilisateur qui est adhérent BDE" + } + }, { "model": "permission.role", "pk": 1, @@ -2971,14 +2987,14 @@ 62, 127, 133, - 135, 136, 141, 142, 150, 166, 167, - 168 + 168, + 182 ] } }, @@ -3271,7 +3287,12 @@ 170, 171, 176, - 177 + 177, + 178, + 179, + 180, + 181, + 182 ] } }, @@ -3466,7 +3487,9 @@ 56, 57, 58, + 137, 143, + 147, 150, 166, 167, @@ -3474,7 +3497,8 @@ 176, 177, 180, - 181 + 181, + 182 ] } }, From 051591cb7a711ac7c9fd87ce1faea05d0e248599 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 25 Oct 2020 21:49:16 +0100 Subject: [PATCH 5/5] Don't see user detail in update form --- apps/member/views.py | 9 +++++---- apps/permission/views.py | 4 +++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apps/member/views.py b/apps/member/views.py index 19be50ec..73569c89 100644 --- a/apps/member/views.py +++ b/apps/member/views.py 
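Review bot: Wrapping the pre-existing `{% if user_object.note and "note.view_note"|has_perm:user_object.note %}` block inside the new `"member.view_profile"|has_perm:user_object.profile` condition means balance and paid status are now shown only to viewers holding both permissions; a user with `note.view_note` alone previously saw them and now will not. If that tightening is intended it deserves a mention in the commit message; if not, the profile `{% endif %}` should close before the balance block so the two checks stay independent. The surrounding markup appears garbled in this copy (element tags stripped), so I cannot judge the structure beyond the template tags.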
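Review bot: The second hunk (`@@ -2971,14 +2987,14 @@`) removes permission 135 from a role whose name lies outside the hunk, and neither the commit message nor the fixture explains that revocation; the other hunks only grant (182 to three roles, 178–181 and 137/147 to others). Since this fixture is the authority for what each role may do, a revocation should get its own line in the commit message or its own commit. The new permission 182 filters `auth.user` on four `memberships__…` lookups in one query dict; whether they end up in a single `.filter()` call (so all four constrain the same membership row) depends on how `permission.permission.query` is evaluated, which is outside this diff — worth confirming, because applied as chained filters they would also match a user whose current membership is in BDE but whose "Adhérent BDE" role sits on an expired one.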
@@ -70,10 +70,11 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView): form.fields['email'].required = True form.fields['email'].help_text = _("This address must be valid.") - context['profile_form'] = self.profile_form(instance=context['user_object'].profile, - data=self.request.POST if self.request.POST else None) - if not self.object.profile.report_frequency: - del context['profile_form'].fields["last_report"] + if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile): + context['profile_form'] = self.profile_form(instance=context['user_object'].profile, + data=self.request.POST if self.request.POST else None) + if not self.object.profile.report_frequency: + del context['profile_form'].fields["last_report"] return context diff --git a/apps/permission/views.py b/apps/permission/views.py index d76a2351..d77133d6 100644 --- a/apps/permission/views.py +++ b/apps/permission/views.py @@ -51,8 +51,10 @@ class ProtectQuerysetMixin: # No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make # a custom request. # We could also delete the field, but some views might be affected. + meta = form.instance._meta for key in form.base_fields: - if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object): + if not PermissionBackend.check_perm(self.request.user, + f"{meta.app_label}.change_{meta.model_name}_" + key, self.object): form.fields[key].widget = HiddenInput() return form
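Review bot: The profile form is now only placed in the context when `member.change_profile` is granted, but that only affects what is rendered; whether a POST carrying profile fields is still bound and saved is decided in this view's form handling, which is outside the hunk — the same `check_perm` has to guard that path too, otherwise hiding the form is cosmetic. Within the new block the user is reached once as `context['user_object'].profile` and once as `self.object.profile`; binding one name above the `if`, e.g. `profile = context['user_object'].profile`, makes it clear the permission check and the form refer to the same instance. The enclosing method (`get_context_data`, judging by the `return context`) starts before the hunk.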
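Review bot: The new permission string mixes an f-string with `+ key`; `f"{meta.app_label}.change_{meta.model_name}_{key}"` expresses it in one piece. `form.instance._meta` assumes a ModelForm — for a plain form `form.instance` does not exist and the line would raise `AttributeError` before any field is hidden; if this mixin can meet such a form, a `getattr(form, "instance", None)` guard or a comment stating the ModelForm assumption would be prudent. The replaced hard-coded `wei.change_weiregistration_` prefix meant every view using this mixin checked WEI-registration permissions regardless of its model; the new form fixes that, and a short comment above the loop such as `# Field-level permission convention: <app_label>.change_<model_name>_<field>` would make the convention discoverable. The enclosing method starts before the hunk.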