Check permissions per request instead of per user

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2025-06-21 09:58:23 +02:00 · 2021-06-15 14:40:32 +02:00
parent 5e9f36ef1a
commit ea092803d7
25 changed files with 207 additions and 203 deletions
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
@ -66,9 +66,11 @@ class UserCreateView(CreateView):
        profile_form.instance.user = user
        profile = profile_form.save(commit=False)
        user.profile = profile
+        user._force_save = True
        user.save()
        user.refresh_from_db()
        profile.user = user
+        profile._force_save = True
        profile.save()

        user.profile.send_email_validation_link()
@ -110,7 +112,9 @@ class UserValidateView(TemplateView):
            self.validlink = True
            user.is_active = user.profile.registration_valid or user.is_superuser
            user.profile.email_confirmed = True
+            user._force_save = True
            user.save()
+            user.profile._force_save = True
            user.profile.save()
        return self.render_to_response(self.get_context_data(), status=200 if self.validlink else 400)

@ -384,7 +388,7 @@ class FutureUserInvalidateView(ProtectQuerysetMixin, LoginRequiredMixin, View):
        Delete the pre-registered user which id is given in the URL.
        """
        user = User.objects.filter(profile__registration_valid=False)\
-            .filter(PermissionBackend.filter_queryset(request.user, User, "change", "is_valid"))\
+            .filter(PermissionBackend.filter_queryset(request, User, "change", "is_valid"))\
            .get(pk=self.kwargs["pk"])
        # Delete associated soge credits before
        SogeCredit.objects.filter(user=user).delete()