Commit 2f2d5292 authored by Sli's avatar Sli

Some permissions fixs and security for atomic vote

parent 729659e3
Pipeline #656 passed with stage
in 3 minutes and 12 seconds
......@@ -128,7 +128,7 @@ class Candidature(models.Model):
election_list = models.ForeignKey(ElectionList, related_name='candidatures', verbose_name=_('election list'))
def can_be_edited_by(self, user):
return (user == self.user)
return (user == self.user) or user.can_edit(self.role.election)
def __str__(self):
return "%s : %s" % (self.role.title, self.user.username)
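Review bot: `can_be_edited_by` now also returns true when `user.can_edit(self.role.election)` holds, but neither branch looks at the election's time window, while the templates changed in this same commit gate the candidature form on `is_candidature_active` / `is_vote_editable`. If the candidature edit and delete views rely only on this method (they are not visible here), the owner or an election editor can still change a candidature after voting has opened. Consider enforcing the window here too, e.g. `return (user == self.user and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable)` with `election = self.role.election`. A one-line docstring stating who may edit and during which phase would also help, since this method is the object's access-control decision.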
......
......@@ -5,7 +5,7 @@
{% endblock %}
{% block content %}
{%- if election.can_candidate(user) or user.can_edit(election) %}
{%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
<section class="election__add-candidature">
<form action="{{ url('election:candidate', election_id=election.id) }}" method="post">
{% csrf_token %}
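Review bot: The new condition reads `election.is_candidature_active` and `election.is_vote_editable` without parentheses, and Jinja2 does not call attributes implicitly. Unless both are declared as `@property` on the model (not visible in this commit), each is a bound method, which is always truthy, and the added time-window check does nothing. The same expression is repeated in the `election__add-elements` hunk (`@@ -359,7 +359,7 @@`), so the point applies there as well. Hiding the form and the link is presentation only: the view behind `election:candidate` has to apply the same condition to the POST, and this commit does not show that it does. Moving the expression into one model helper used by both templates and the view would keep the three in step.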
......
......@@ -359,7 +359,7 @@ th {
</section>
{%- endif %}
<section class="election__add-elements">
{%- if election.can_candidate(user) or user.can_edit(election) %}
{%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
<a href="{{ url('election:candidate', election_id=object.id) }}">{% trans %}Candidate{% endtrans %}</a>
{%- endif %}
<a href="{{ url('election:create_list', election_id=object.id) }}">{% trans %}Add a new list{% endtrans %}</a>
......
......@@ -5,6 +5,7 @@ from django.core.urlresolvers import reverse_lazy, reverse
from django.utils.translation import ugettext_lazy as _
from django.forms.models import modelform_factory
from django.core.exceptions import PermissionDenied, ObjectDoesNotExist, ImproperlyConfigured
from django.db import DataError, transaction
from django.forms import CheckboxSelectMultiple
from django.utils import timezone
from django.conf import settings
......@@ -173,20 +174,21 @@ class VoteFormView(CanCreateMixin, FormView):
return super(VoteFormView, self).dispatch(request, *arg, **kwargs)
def vote(self, election_data):
for role_title in election_data.keys():
# If we have a multiple choice field
if isinstance(election_data[role_title], QuerySet):
if election_data[role_title].count() > 0:
vote = Vote(role=election_data[role_title].first().role)
with transaction.atomic():
for role_title in election_data.keys():
# If we have a multiple choice field
if isinstance(election_data[role_title], QuerySet):
if election_data[role_title].count() > 0:
vote = Vote(role=election_data[role_title].first().role)
vote.save()
for el in election_data[role_title]:
vote.candidature.add(el)
# If we have a single choice
elif election_data[role_title] is not None:
vote = Vote(role=election_data[role_title].role)
vote.save()
for el in election_data[role_title]:
vote.candidature.add(el)
# If we have a single choice
elif election_data[role_title] is not None:
vote = Vote(role=election_data[role_title].role)
vote.save()
vote.candidature.add(election_data[role_title])
self.election.voters.add(self.request.user)
vote.candidature.add(election_data[role_title])
self.election.voters.add(self.request.user)
def get_form_kwargs(self):
kwargs = super(VoteFormView, self).get_form_kwargs()
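Review bot: Wrapping the writes of `vote()` in `transaction.atomic()` makes a ballot all-or-nothing, but the check that the user has not voted yet runs before this block (in `dispatch` or the permission mixin, outside the hunk), so two concurrent submissions from the same account can both pass it before either reaches `self.election.voters.add(...)`. Whether the second one then fails depends on the database constraint behind the voters relation, which is not visible here. To make the guarantee explicit, lock the election row with `select_for_update()` as the first statement inside the `with` block and re-check there, e.g. `if self.election.voters.filter(pk=self.request.user.pk).exists(): raise PermissionDenied`. Indentation is lost in this rendering, so please also confirm that `voters.add` sits inside the `with` block; if it is outside, votes can be committed without the voter being recorded.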
......@@ -366,6 +368,22 @@ class ElectionUpdateView(CanEditMixin, UpdateView):
template_name = 'core/edit.jinja'
pk_url_kwarg = 'election_id'
def get_initial(self):
init = {}
try:
init['start_date'] = self.object.start_date.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['end_date'] = self.object.end_date.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['start_candidature'] = self.object.start_candidature.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['end_candidature'] = self.object.end_candidature.strftime('%Y-%m-%d %H:%M:%S')
except:pass
return init
def get_success_url(self, **kwargs):
return reverse_lazy('election:detail', kwargs={'election_id': self.object.id})
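Review bot: The four bare `except:pass` clauses in the new `get_initial` swallow every exception, including `KeyboardInterrupt` and genuine programming errors, when the apparent intent is only to skip date fields that are still unset. An explicit `None` test over the field names states that intent and removes the repetition, as sketched below. The method also returns a fresh dict instead of extending `super().get_initial()`, so any `initial` configured on the view is dropped; if that is intended, a comment saying so would help.

```python
    def get_initial(self):
        init = {}
        for name in ('start_date', 'end_date', 'start_candidature', 'end_candidature'):
            value = getattr(self.object, name, None)
            # Only pre-fill dates that are actually set on the election.
            if value is not None:
                init[name] = value.strftime('%Y-%m-%d %H:%M:%S')
        return init
```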
......