Protect some pages

2025-07-04 19:44:05 +02:00 · 2020-09-27 16:35:31 +02:00
parent 56193dbecf
commit 88c4a6b218
5 changed files with 136 additions and 65 deletions
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
@ -4,7 +4,7 @@ from corres2math.tokens import email_validation_token
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.models import User
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, PermissionDenied
 from django.db import transaction
 from django.http import FileResponse, Http404
 from django.shortcuts import redirect, resolve_url
@ -135,12 +135,24 @@ class UserDetailView(LoginRequiredMixin, DetailView):
    context_object_name = "user_object"
    template_name = "registration/user_detail.html"

+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+

 class UserUpdateView(LoginRequiredMixin, UpdateView):
    model = User
    form_class = UserForm
    template_name = "registration/update_user.html"

+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        user = self.get_object()
@ -168,6 +180,12 @@ class UserUploadPhotoAuthorizationView(LoginRequiredMixin, UpdateView):
    form_class = PhotoAuthorizationForm
    template_name = "registration/upload_photo_authorization.html"

+    def dispatch(self, request, *args, **kwargs):
+        user = request.user
+        if not user.registration.is_admin and user.registration.pk != kwargs["pk"]:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
    @transaction.atomic
    def form_valid(self, form):
        old_instance = StudentRegistration.objects.get(pk=self.object.pk)
@ -186,6 +204,9 @@ class PhotoAuthorizationView(LoginRequiredMixin, View):
        if not os.path.exists(path):
            raise Http404
        student = StudentRegistration.objects.get(photo_authorization__endswith=filename)
+        user = request.user
+        if not user.registration.is_admin and user.pk != student.user.pk:
+            raise PermissionDenied
        mime = Magic(mime=True)
        mime_type = mime.from_file(path)
        ext = mime_type.split("/")[1].replace("jpeg", "jpg")