Regle des acl sur can_view_all

2024-11-04 17:06:27 +00:00 · 2017-12-28 16:10:34 +01:00 · 2017-12-28 16:10:34 +01:00 · 375f3038da
commit 375f3038da
parent 63948821d3
2 changed files with 23 additions and 18 deletions
--- a/users/models.py
+++ b/users/models.py
@ -909,6 +909,19 @@ class Club(User):
        related_name='club_members'
    )

+    def can_view_all(user_request, *args, **kwargs):
+        """Check if an user can access to the list of every user objects
+
+        :param user_request: The user who wants to view the list.
+        :return: True if the user can view the list and an explanation message.
+        """
+        if user_request.has_perms(('cableur',)):
+            return True, None
+        if user_request.is_class_adherent:
+            if user_request.adherent.club_administrator.all() or user_request.adherent.club_members.all():
+                return True, None
+        return False, u"Vous n'avez pas accès à la liste des utilisateurs."
+
    def get_instance(clubid, *args, **kwargs):
        """Try to find an instance of `Club` with the given id.

@ -1427,7 +1440,8 @@ class Ban(models.Model):
        :param user_request: The user who wants to view the list.
        :return: True if the user can view the list and an explanation message.
        """
-        return True, None
+        return user_request.has_perms(('bofh',)), u"Vous n'avez pas le droit\
+            de voir tous les bannissements"

    def can_view(self, user_request, *args, **kwargs):
        """Check if an user can view a Ban object.
@ -1527,7 +1541,8 @@ class Whitelist(models.Model):
        :param user_request: The user who wants to view the list.
        :return: True if the user can view the list and an explanation message.
        """
-        return True, None
+        return user_request.has_perms(('cableur',)), u"Vous n'avez pas le\
+            droit de voir les accès gracieux"

    def can_view(self, user_request, *args, **kwargs):
        """Check if an user can view a Whitelist object.
--- a/users/views.py
+++ b/users/views.py
@ -189,16 +189,10 @@ def select_user_edit_form(request, user):
        - droit
        - type d'object
    """
-    if not request.user.has_perms(('cableur',)):
-        if user.is_class_adherent:
-            user = AdherentForm(request.POST or None, instance=user.adherent)
-        elif user.is_class_club:
-            user = ClubForm(request.POST or None, instance=user.club)
-    else:
-        if user.is_class_adherent:
-            user = FullAdherentForm(request.POST or None, instance=user.adherent)
-        elif user.is_class_club:
-            user = FullClubForm(request.POST or None, instance=user.club)
+    if user.is_class_adherent:
+        user = AdherentForm(request.POST or None, instance=user.adherent)
+    elif user.is_class_club:
+        user = ClubForm(request.POST or None, instance=user.club)
    return user


@ -641,16 +635,12 @@ def index(request):


@login_required
+@can_view_all(Club)
 def index_clubs(request):
    """ Affiche l'ensemble des clubs, need droit cableur """
    options, _created = GeneralOption.objects.get_or_create()
    pagination_number = options.pagination_number
-    if not request.user.has_perms(('cableur',)):
-        clubs_list = Club.objects.filter(
-            Q(administrators=request.user.adherent) | Q(members=request.user.adherent)
-        ).distinct().select_related('room')
-    else:
-        clubs_list = Club.objects.select_related('room')
+    clubs_list = Club.objects.select_related('room')
    clubs_list = SortTable.sort(
        clubs_list,
        request.GET.get('col'),