rezometz/re2o
8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-11-23 03:43:12 +00:00
Code Issues Releases Wiki Activity

Verouille toutes les vues avec des acl, un user sans droit peut uniquement se modifier lui et ses machines

Browse source
This commit is contained in:
Gabriel Detraz 2016-07-09 18:26:39 +02:00
parent 2076051635
commit 6e587c7d94
2 changed files with 22 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
machines/views.py
View file

@ -55,6 +55,9 @@ def new_machine(request, userid):
except User.DoesNotExist: except User.DoesNotExist:
messages.error(request, u"Utilisateur inexistant" ) messages.error(request, u"Utilisateur inexistant" )
return redirect("/machines/") return redirect("/machines/")
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une machine à un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine = NewMachineForm(request.POST or None) machine = NewMachineForm(request.POST or None)
interface = AddInterfaceForm(request.POST or None) interface = AddInterfaceForm(request.POST or None)
if machine.is_valid() and interface.is_valid(): if machine.is_valid() and interface.is_valid():
@ -79,6 +82,9 @@ def edit_machine(request, interfaceid):
except Interface.DoesNotExist: except Interface.DoesNotExist:
messages.error(request, u"Interface inexistante" ) messages.error(request, u"Interface inexistante" )
return redirect("/machines") return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(interface.machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas éditer une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine_form = EditMachineForm(request.POST or None, instance=interface.machine) machine_form = EditMachineForm(request.POST or None, instance=interface.machine)
interface_form = EditInterfaceForm(request.POST or None, instance=interface) interface_form = EditInterfaceForm(request.POST or None, instance=interface)
if machine_form.is_valid() and interface_form.is_valid(): if machine_form.is_valid() and interface_form.is_valid():
@ -95,6 +101,9 @@ def new_interface(request, machineid):
except Machine.DoesNotExist: except Machine.DoesNotExist:
messages.error(request, u"Machine inexistante" ) messages.error(request, u"Machine inexistante" )
return redirect("/machines") return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
interface_form = AddInterfaceForm(request.POST or None) interface_form = AddInterfaceForm(request.POST or None)
machine_form = EditMachineForm(request.POST or None, instance=machine) machine_form = EditMachineForm(request.POST or None, instance=machine)
if interface_form.is_valid() and machine_form.is_valid(): if interface_form.is_valid() and machine_form.is_valid():

14
users/views.py
View file

@ -104,6 +104,9 @@ def new_user(request):
@login_required @login_required
def edit_info(request, userid): def edit_info(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
user = User.objects.get(pk=userid) user = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist:
@ -137,13 +140,18 @@ def state(request, userid):
return form({'userform': state}, 'users/user.html', request) return form({'userform': state}, 'users/user.html', request)
@login_required @login_required
@permission_required('bureau')
def password(request, userid): def password(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
user = User.objects.get(pk=userid) user = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist:
messages.error(request, "Utilisateur inexistant") messages.error(request, "Utilisateur inexistant")
return redirect("/users/") return redirect("/users/")
if not request.user.has_perms(('bureau',)) and str(userid)!=str(request.user.id) and Right.objects.filter(user=user):
messages.error(request, "Il faut les droits bureau pour modifier le mot de passe d'un membre actif")
return redirect("/users/profil/" + str(request.user.id))
u_form = PassForm(request.POST or None) u_form = PassForm(request.POST or None)
if u_form.is_valid(): if u_form.is_valid():
if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']: if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']:
@ -303,6 +311,7 @@ def del_school(request):
return form({'userform': school}, 'users/user.html', request) return form({'userform': school}, 'users/user.html', request)
@login_required @login_required
@permission_required('cableur')
def index(request): def index(request):
users_list = User.objects.order_by('pk') users_list = User.objects.order_by('pk')
connexion = [] connexion = []
@ -340,6 +349,9 @@ def index_school(request):
@login_required @login_required
def profil(request, userid): def profil(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas afficher un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try: try:
users = User.objects.get(pk=userid) users = User.objects.get(pk=userid)
except User.DoesNotExist: except User.DoesNotExist: