rezometz/re2o
8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-11-05 01:16:27 +00:00
Code Issues Releases Wiki Activity

Verouille toutes les vues avec des acl, un user sans droit peut uniquement se modifier lui et ses machines

Browse source
This commit is contained in:
chirac 2016-07-09 18:26:39 +02:00
parent 8af94c8536
commit 61126e0173
2 changed files with 22 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
machines/views.py
View file

@ -55,6 +55,9 @@ def new_machine(request, userid):
except User.DoesNotExist:
messages.error(request, u"Utilisateur inexistant" )
return redirect("/machines/")
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une machine à un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine = NewMachineForm(request.POST or None)
interface = AddInterfaceForm(request.POST or None)
if machine.is_valid() and interface.is_valid():
@ -79,6 +82,9 @@ def edit_machine(request, interfaceid):
except Interface.DoesNotExist:
messages.error(request, u"Interface inexistante" )
return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(interface.machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas éditer une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine_form = EditMachineForm(request.POST or None, instance=interface.machine)
interface_form = EditInterfaceForm(request.POST or None, instance=interface)
if machine_form.is_valid() and interface_form.is_valid():
@ -95,6 +101,9 @@ def new_interface(request, machineid):
except Machine.DoesNotExist:
messages.error(request, u"Machine inexistante" )
return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
interface_form = AddInterfaceForm(request.POST or None)
machine_form = EditMachineForm(request.POST or None, instance=machine)
if interface_form.is_valid() and machine_form.is_valid():

14
users/views.py
View file

@ -104,6 +104,9 @@ def new_user(request):
@login_required
def edit_info(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
user = User.objects.get(pk=userid)
except User.DoesNotExist:
@ -137,13 +140,18 @@ def state(request, userid):
return form({'userform': state}, 'users/user.html', request)
@login_required
@permission_required('bureau')
def password(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
user = User.objects.get(pk=userid)
except User.DoesNotExist:
messages.error(request, "Utilisateur inexistant")
return redirect("/users/")
if not request.user.has_perms(('bureau',)) and str(userid)!=str(request.user.id) and Right.objects.filter(user=user):
messages.error(request, "Il faut les droits bureau pour modifier le mot de passe d'un membre actif")
return redirect("/users/profil/" + str(request.user.id))
u_form = PassForm(request.POST or None)
if u_form.is_valid():
if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']:
@ -303,6 +311,7 @@ def del_school(request):
return form({'userform': school}, 'users/user.html', request)
@login_required
@permission_required('cableur')
def index(request):
users_list = User.objects.order_by('pk')
connexion = []
@ -340,6 +349,9 @@ def index_school(request):
@login_required
def profil(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas afficher un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
users = User.objects.get(pk=userid)
except User.DoesNotExist: