Improved authorization.

2018-01-29 17:53:29 +01:00
parent b68949ba5f
commit fdcc103571
2 changed files with 27 additions and 8 deletions
--- a/dav_events/templates/dav_events/event_detail.html
+++ b/dav_events/templates/dav_events/event_detail.html
@@ -14,12 +14,12 @@
            <a class="btn"
               href="{% url 'dav_events:event_detail' event.pk %}">{% trans 'Details' %}</a>
        </li>
-        <li class="{% if not has_permission_accept or event.accepted %}disabled{% endif %}">
-            <a class="btn {% if has_permission_accept and not event.accepted %}btn-success{% else %}disabled{% endif %}"
+        <li class="{% if not has_permission_accept %}disabled{% endif %}">
+            <a class="btn {% if has_permission_accept %}btn-success{% else %}disabled{% endif %}"
               href="{% url 'dav_events:event_accept' event.pk %}">{% trans 'Freigeben' %}</a>
        </li>
-        <li class="{% if not has_permission_update or event.accepted %}disabled{% endif %}">
-            <a class="btn {% if has_permission_update and not event.accepted %}btn-warning{% else %}disabled{% endif %}"
+        <li class="{% if not has_permission_update %}disabled{% endif %}">
+            <a class="btn {% if has_permission_update %}btn-warning{% else %}disabled{% endif %}"
               href="{% url 'dav_events:event_update' event.pk %}">{% trans 'Ändern' %}</a>
        </li>
        <li class="disabled">
--- a/dav_events/views/events.py
+++ b/dav_events/views/events.py
@@ -31,12 +31,20 @@ class EventListView(generic.ListView):
        elif has_role(user, 'manage_all'):
            qs = self.model.objects.all()
        else:
+            filter = Q(owner=user)
+
            user_sports_list = list()
            for k in ('W', 'S', 'M', 'K', 'B'):
                role = 'manage_{}'.format(k.lower())
                if has_role(user, role):
                    user_sports_list.append(k)
-            qs = self.model.objects.filter(Q(owner=user) | Q(sport__in=user_sports_list))
+
+            filter |= Q(sport__in=user_sports_list)
+
+            if has_role(user, 'publish') or has_role(user, 'publish_incremental'):
+                filter |= Q(accepted=True)
+
+            qs = self.model.objects.filter(filter)

        return qs

@@ -110,11 +118,22 @@ class EventPermissionMixin(object):
                return True
            if has_role(user, 'manage_{}'.format(obj.sport.lower())):
                return True
-        elif permission in ('update', 'accept'):
+            if obj.accepted and (has_role(user, 'publish') or has_role(user, 'publish_incremental')):
+                return True
+        elif permission == 'accept':
+            if not obj.accepted:
                if has_role(user, 'manage_all'):
                    return True
                if has_role(user, 'manage_{}'.format(obj.sport.lower())):
                    return True
+        elif permission == 'update':
+            if not obj.accepted:
+                if has_role(user, 'manage_all'):
+                    return True
+                if has_role(user, 'manage_{}'.format(obj.sport.lower())):
+                    return True
+            elif has_role(user, 'publish') or has_role(user, 'publish_incremental'):
+                return True

        return False