Verified Commit 0ba0df0f authored by Sli's avatar Sli Committed by Sli

Better handling of user rights for studentcards

parent 616b7ccf
...@@ -87,14 +87,6 @@ class Customer(models.Model): ...@@ -87,14 +87,6 @@ class Customer(models.Model):
letter = random.choice(string.ascii_lowercase) letter = random.choice(string.ascii_lowercase)
return number + letter return number + letter
def add_student_card(self, uid, request, counter=None):
"""
Add a new student card on the customer account
"""
if not StudentCard.check_creation_permission(request, self, counter):
raise PermissionDenied
StudentCard(customer=self, uid=uid).save()
def save(self, allow_negative=False, is_selling=False, *args, **kwargs): def save(self, allow_negative=False, is_selling=False, *args, **kwargs):
""" """
is_selling : tell if the current action is a selling is_selling : tell if the current action is a selling
...@@ -756,34 +748,18 @@ class StudentCard(models.Model): ...@@ -756,34 +748,18 @@ class StudentCard(models.Model):
@staticmethod @staticmethod
def is_valid(uid): def is_valid(uid):
return len(uid) == StudentCard.UID_SIZE
@staticmethod
def __comming_from_right_counter(request, counter):
return ( return (
counter.type == "BAR" len(uid) == StudentCard.UID_SIZE
and "counter_token" in request.session.keys() and not StudentCard.objects.filter(uid=uid).exists()
and request.session["counter_token"] == counter.token
and len(counter.get_barmen_list()) > 0
) )
@staticmethod @staticmethod
def __user_has_rights(customer, user): def can_create(customer, user):
return user.pk == customer.user.pk or user.is_board_member or user.is_root return user.pk == customer.user.pk or user.is_board_member or user.is_root
@staticmethod
def check_creation_permission(request, customer, counter=None):
"""
If you are comming from a counter, only your connection to the counter is checked, not your right on the user to avoid wierd conflicts
If you are not comming from a counter, your permissions are checked
"""
if counter:
return StudentCard.__comming_from_right_counter(request, counter)
return StudentCard.__user_has_rights(customer, request.user)
def can_edit(self, obj): def can_edit(self, obj):
if isinstance(obj, User): if isinstance(obj, User):
return StudentCard.__user_has_rights(self.customer, obj) return StudentCard.can_create(self.customer, obj)
return False return False
uid = models.CharField( uid = models.CharField(
......
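Review bot: `is_valid(uid)` now folds a uniqueness query into what was a pure length check, but carries no docstring saying so, and the `exists()`-then-`save()` pair its callers rely on is not atomic: if `uid` is declared `unique=True` (the field definition is cut off at the end of the hunk) a concurrent insert surfaces as an uncaught `IntegrityError`, and if it is not, two cards with the same uid can be created. I would write the contract down rather than leave it to the name: `"""Return True when *uid* has the expected length and no card with that uid exists yet (one DB query; not a guarantee against a concurrent insert)."""`. `can_create` now backs both `can_edit` and the form view, so it should state its policy too: `"""Return True when *user* may add or edit a card on *customer*: the customer themself, a board member, or root."""`. The removed `check_creation_permission` docstring was the only place the counter-vs-user split was described; with that logic moved into the views, nothing in the model explains why `can_edit` has no counter path, and a one-line note on `can_edit` would close that gap.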
...@@ -119,7 +119,7 @@ class StudentCardForm(forms.ModelForm): ...@@ -119,7 +119,7 @@ class StudentCardForm(forms.ModelForm):
return cleaned_data return cleaned_data
class StudentCardDeleteView(DeleteView): class StudentCardDeleteView(DeleteView, CanEditMixin):
""" """
View used to delete a card from a user View used to delete a card from a user
""" """
...@@ -130,8 +130,6 @@ class StudentCardDeleteView(DeleteView): ...@@ -130,8 +130,6 @@ class StudentCardDeleteView(DeleteView):
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"]) self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
if not self.get_object().can_edit(self.customer.user):
raise PermissionDenied
return super(StudentCardDeleteView, self).dispatch(request, *args, **kwargs) return super(StudentCardDeleteView, self).dispatch(request, *args, **kwargs)
def get_success_url(self, **kwargs): def get_success_url(self, **kwargs):
...@@ -580,7 +578,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView): ...@@ -580,7 +578,15 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
request.session["not_valid_student_card_uid"] = True request.session["not_valid_student_card_uid"] = True
return False return False
self.customer.add_student_card(uid, request, self.object) if not (
self.object.type == "BAR"
and "counter_token" in request.session.keys()
and request.session["counter_token"] == self.object.token
and len(self.object.get_barmen_list()) > 0
):
raise PermissionDenied
StudentCard(customer=self.customer, uid=uid).save()
return True return True
def del_product(self, request): def del_product(self, request):
...@@ -1842,12 +1848,14 @@ class StudentCardFormView(FormView): ...@@ -1842,12 +1848,14 @@ class StudentCardFormView(FormView):
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"]) self.customer = get_object_or_404(Customer, pk=kwargs["customer_id"])
if not StudentCard.can_create(self.customer, request.user):
raise PermissionDenied
return super(StudentCardFormView, self).dispatch(request, *args, **kwargs) return super(StudentCardFormView, self).dispatch(request, *args, **kwargs)
def form_valid(self, form): def form_valid(self, form):
data = form.clean() data = form.clean()
res = super(FormView, self).form_valid(form) res = super(FormView, self).form_valid(form)
self.customer.add_student_card(data["uid"], self.request) StudentCard(customer=self.customer, uid=data["uid"]).save()
return res return res
def get_success_url(self, **kwargs): def get_success_url(self, **kwargs):
......
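Review bot: `class StudentCardDeleteView(DeleteView, CanEditMixin)` places the permission mixin after the concrete view, and with C3 linearisation `View` from `DeleteView`'s ancestry lands before `CanEditMixin` unless `CanEditMixin` itself subclasses `View` (not visible here); since `View.dispatch` does not call `super()`, the mixin's `dispatch` would then never run, and because the explicit `can_edit` check was dropped from the view's own `dispatch` in the next hunk, deletion would proceed with no authorisation check at all. The conventional order `class StudentCardDeleteView(CanEditMixin, DeleteView):` makes the check run regardless of the mixin's base class, and a request test that deletes another customer's card as a plain user would pin this down. In the `CounterClick` hunk, `"counter_token" in request.session.keys()` can be `"counter_token" in request.session`, and the four-condition check that used to be a named model method is now anonymous inline code; a comment such as `# only a barman currently logged into this BAR counter may register a card from here` would keep the intent the removed docstring carried. The method enclosing that hunk starts and ends outside it.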