From 375f3038da81c5a80a081edc4df3223c5758ae0c Mon Sep 17 00:00:00 2001
From: Gabriel Detraz <detraz@crans.org>
Date: Thu, 28 Dec 2017 16:10:34 +0100
Subject: [PATCH] Regle des acl sur can_view_all

---
 users/models.py | 19 +++++++++++++++++--
 users/views.py  | 22 ++++++----------------
 2 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/users/models.py b/users/models.py
index 31343494..dd3c73cf 100644
--- a/users/models.py
+++ b/users/models.py
@@ -909,6 +909,19 @@ class Club(User):
         related_name='club_members'
     )
 
+    def can_view_all(user_request, *args, **kwargs):
+        """Check if an user can access to the list of every user objects
+
+        :param user_request: The user who wants to view the list.
+        :return: True if the user can view the list and an explanation message.
+        """
+        if user_request.has_perms(('cableur',)):
+            return True, None
+        if user_request.is_class_adherent:
+            if user_request.adherent.club_administrator.all() or user_request.adherent.club_members.all():
+                return True, None
+        return False, u"Vous n'avez pas accès à la liste des utilisateurs."
+
     def get_instance(clubid, *args, **kwargs):
         """Try to find an instance of `Club` with the given id.
 
@@ -1427,7 +1440,8 @@ class Ban(models.Model):
         :param user_request: The user who wants to view the list.
         :return: True if the user can view the list and an explanation message.
         """
-        return True, None
+        return user_request.has_perms(('bofh',)), u"Vous n'avez pas le droit\
+            de voir tous les bannissements"
 
     def can_view(self, user_request, *args, **kwargs):
         """Check if an user can view a Ban object.
@@ -1527,7 +1541,8 @@ class Whitelist(models.Model):
         :param user_request: The user who wants to view the list.
         :return: True if the user can view the list and an explanation message.
         """
-        return True, None
+        return user_request.has_perms(('cableur',)), u"Vous n'avez pas le\
+            droit de voir les accès gracieux"
 
     def can_view(self, user_request, *args, **kwargs):
         """Check if an user can view a Whitelist object.
diff --git a/users/views.py b/users/views.py
index d6ad91e3..4b89b9a3 100644
--- a/users/views.py
+++ b/users/views.py
@@ -189,16 +189,10 @@ def select_user_edit_form(request, user):
         - droit
         - type d'object
     """
-    if not request.user.has_perms(('cableur',)):
-        if user.is_class_adherent:
-            user = AdherentForm(request.POST or None, instance=user.adherent)
-        elif user.is_class_club:
-            user = ClubForm(request.POST or None, instance=user.club)
-    else:
-        if user.is_class_adherent:
-            user = FullAdherentForm(request.POST or None, instance=user.adherent)
-        elif user.is_class_club:
-            user = FullClubForm(request.POST or None, instance=user.club)
+    if user.is_class_adherent:
+        user = AdherentForm(request.POST or None, instance=user.adherent)
+    elif user.is_class_club:
+        user = ClubForm(request.POST or None, instance=user.club)
     return user
 
 
@@ -641,16 +635,12 @@ def index(request):
 
 
 @login_required
+@can_view_all(Club)
 def index_clubs(request):
     """ Affiche l'ensemble des clubs, need droit cableur """
     options, _created = GeneralOption.objects.get_or_create()
     pagination_number = options.pagination_number
-    if not request.user.has_perms(('cableur',)):
-        clubs_list = Club.objects.filter(
-            Q(administrators=request.user.adherent) | Q(members=request.user.adherent)
-        ).distinct().select_related('room')
-    else:
-        clubs_list = Club.objects.select_related('room')
+    clubs_list = Club.objects.select_related('room')
     clubs_list = SortTable.sort(
         clubs_list,
         request.GET.get('col'),