Improved authorization.

2018-01-29 17:53:29 +01:00
parent b68949ba5f
commit fdcc103571
2 changed files with 27 additions and 8 deletions


@@ -14,12 +14,12 @@
<a class="btn" <a class="btn"
href="{% url 'dav_events:event_detail' event.pk %}">{% trans 'Details' %}</a> href="{% url 'dav_events:event_detail' event.pk %}">{% trans 'Details' %}</a>
</li> </li>
<li class="{% if not has_permission_accept or event.accepted %}disabled{% endif %}"> <li class="{% if not has_permission_accept %}disabled{% endif %}">
<a class="btn {% if has_permission_accept and not event.accepted %}btn-success{% else %}disabled{% endif %}" <a class="btn {% if has_permission_accept %}btn-success{% else %}disabled{% endif %}"
href="{% url 'dav_events:event_accept' event.pk %}">{% trans 'Freigeben' %}</a> href="{% url 'dav_events:event_accept' event.pk %}">{% trans 'Freigeben' %}</a>
</li> </li>
<li class="{% if not has_permission_update or event.accepted %}disabled{% endif %}"> <li class="{% if not has_permission_update %}disabled{% endif %}">
<a class="btn {% if has_permission_update and not event.accepted %}btn-warning{% else %}disabled{% endif %}" <a class="btn {% if has_permission_update %}btn-warning{% else %}disabled{% endif %}"
href="{% url 'dav_events:event_update' event.pk %}">{% trans 'Ändern' %}</a> href="{% url 'dav_events:event_update' event.pk %}">{% trans 'Ändern' %}</a>
</li> </li>
<li class="disabled"> <li class="disabled">
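Review bot: The `disabled` class on the Freigeben and Ändern links is presentation only, and both anchors still render their `href` to `event_accept` / `event_update` when `has_permission_accept` / `has_permission_update` is false. With the `event.accepted` test removed from the template, these two context flags alone decide the button state, so the target views must make the same decision server-side; that is not visible in this section and should be confirmed. Consider emitting the `href` only when the flag is true, e.g. `{% if has_permission_accept %}href="{% url 'dav_events:event_accept' event.pk %}"{% endif %}`, so the markup and the authorization result cannot disagree. The enclosing list starts and ends outside the hunk.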


@@ -31,12 +31,20 @@ class EventListView(generic.ListView):
elif has_role(user, 'manage_all'): elif has_role(user, 'manage_all'):
qs = self.model.objects.all() qs = self.model.objects.all()
else: else:
filter = Q(owner=user)
user_sports_list = list() user_sports_list = list()
for k in ('W', 'S', 'M', 'K', 'B'): for k in ('W', 'S', 'M', 'K', 'B'):
role = 'manage_{}'.format(k.lower()) role = 'manage_{}'.format(k.lower())
if has_role(user, role): if has_role(user, role):
user_sports_list.append(k) user_sports_list.append(k)
qs = self.model.objects.filter(Q(owner=user) | Q(sport__in=user_sports_list))
filter |= Q(sport__in=user_sports_list)
if has_role(user, 'publish') or has_role(user, 'publish_incremental'):
filter |= Q(accepted=True)
qs = self.model.objects.filter(filter)
return qs return qs
@@ -110,11 +118,22 @@ class EventPermissionMixin(object):
return True return True
if has_role(user, 'manage_{}'.format(obj.sport.lower())): if has_role(user, 'manage_{}'.format(obj.sport.lower())):
return True return True
elif permission in ('update', 'accept'): if obj.accepted and (has_role(user, 'publish') or has_role(user, 'publish_incremental')):
return True
elif permission == 'accept':
if not obj.accepted:
if has_role(user, 'manage_all'): if has_role(user, 'manage_all'):
return True return True
if has_role(user, 'manage_{}'.format(obj.sport.lower())): if has_role(user, 'manage_{}'.format(obj.sport.lower())):
return True return True
elif permission == 'update':
if not obj.accepted:
if has_role(user, 'manage_all'):
return True
if has_role(user, 'manage_{}'.format(obj.sport.lower())):
return True
elif has_role(user, 'publish') or has_role(user, 'publish_incremental'):
return True
return False return False
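Review bot: In the new `update` branch an accepted event can be updated only by `publish` / `publish_incremental`, so `manage_all` and the sport managers lose update rights once the event is accepted. Nothing in the hunk says this is intended, and since the page has lost its indentation I am reading the `elif` as paired with `if not obj.accepted:`. A comment above the branch would pin it down, for example `# accepted events: only publish roles may update; managers lose update rights once accepted`. The test `has_role(user, 'publish') or has_role(user, 'publish_incremental')` is now written three times, once in the `EventListView` queryset filter and twice in the permission check; a small helper such as `_is_publisher(user)` would keep the list filter and the per-object check from drifting apart. The local name `filter` in the queryset code also shadows the builtin (`query` would avoid that), and both enclosing methods start outside the hunks.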