Verified Commit 0ba0df0f authored by Sli's avatar Sli Committed by Sli
Browse files

Better handling of user rights for studentcards

parent 616b7ccf
......@@ -87,14 +87,6 @@ class Customer(models.Model):
letter = random.choice(string.ascii_lowercase)
return number + letter
def add_student_card(self, uid, request, counter=None):
Add a new student card on the customer account
if not StudentCard.check_creation_permission(request, self, counter):
raise PermissionDenied
StudentCard(customer=self, uid=uid).save()
def save(self, allow_negative=False, is_selling=False, *args, **kwargs):
is_selling : tell if the current action is a selling
......@@ -756,34 +748,18 @@ class StudentCard(models.Model):
def is_valid(uid):
return len(uid) == StudentCard.UID_SIZE
def __comming_from_right_counter(request, counter):
return (
counter.type == "BAR"
and "counter_token" in request.session.keys()
and request.session["counter_token"] == counter.token
and len(counter.get_barmen_list()) > 0
len(uid) == StudentCard.UID_SIZE
and not StudentCard.objects.filter(uid=uid).exists()
def __user_has_rights(customer, user):
def can_create(customer, user):
return == or user.is_board_member or user.is_root
def check_creation_permission(request, customer, counter=None):
If you are comming from a counter, only your connection to the counter is checked, not your right on the user to avoid wierd conflicts
If you are not comming from a counter, your permissions are checked
if counter:
return StudentCard.__comming_from_right_counter(request, counter)
return StudentCard.__user_has_rights(customer, request.user)
def can_edit(self, obj):
if isinstance(obj, User):
return StudentCard.__user_has_rights(self.customer, obj)
return StudentCard.can_create(self.customer, obj)
return False
uid = models.CharField(
......@@ -119,7 +119,7 @@ class StudentCardForm(forms.ModelForm):
return cleaned_data
class StudentCardDeleteView(DeleteView):
class StudentCardDeleteView(DeleteView, CanEditMixin):
View used to delete a card from a user
......@@ -130,8 +130,6 @@ class StudentCardDeleteView(DeleteView):
def dispatch(self, request, *args, **kwargs):
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
if not self.get_object().can_edit(self.customer.user):
raise PermissionDenied
return super(StudentCardDeleteView, self).dispatch(request, *args, **kwargs)
def get_success_url(self, **kwargs):
......@@ -580,7 +578,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
request.session["not_valid_student_card_uid"] = True
return False
self.customer.add_student_card(uid, request, self.object)
if not (
self.object.type == "BAR"
and "counter_token" in request.session.keys()
and request.session["counter_token"] == self.object.token
and len(self.object.get_barmen_list()) > 0
raise PermissionDenied
StudentCard(customer=self.customer, uid=uid).save()
return True
def del_product(self, request):
......@@ -1842,12 +1848,14 @@ class StudentCardFormView(FormView):
def dispatch(self, request, *args, **kwargs):
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
if not StudentCard.can_create(self.customer, request.user):
raise PermissionDenied
return super(StudentCardFormView, self).dispatch(request, *args, **kwargs)
def form_valid(self, form):
data = form.clean()
res = super(FormView, self).form_valid(form)
self.customer.add_student_card(data["uid"], self.request)
StudentCard(customer=self.customer, uid=data["uid"]).save()
return res
def get_success_url(self, **kwargs):
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment