Commit 2f2d5292 authored by Sli's avatar Sli

Some permissions fixs and security for atomic vote

parent 729659e3
...@@ -128,7 +128,7 @@ class Candidature(models.Model): ...@@ -128,7 +128,7 @@ class Candidature(models.Model):
election_list = models.ForeignKey(ElectionList, related_name='candidatures', verbose_name=_('election list')) election_list = models.ForeignKey(ElectionList, related_name='candidatures', verbose_name=_('election list'))
def can_be_edited_by(self, user): def can_be_edited_by(self, user):
return (user == self.user) return (user == self.user) or user.can_edit(self.role.election)
def __str__(self): def __str__(self):
return "%s : %s" % (self.role.title, self.user.username) return "%s : %s" % (self.role.title, self.user.username)
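Review bot: The widened `can_be_edited_by` grants edit rights whenever `user.can_edit(self.role.election)` is true, with no time bound, while the template changes in this same commit also require `election.is_vote_editable` for editors. If the candidature views use this method as their authorization gate, an election editor could presumably still change candidatures after voting has opened. Consider `return (user == self.user) or (user.can_edit(self.role.election) and self.role.election.is_vote_editable)`, assuming `is_vote_editable` is a property as the template usage suggests. A one-line docstring stating who may edit and until when would also help, since the class body continues outside the hunk.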
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
{% endblock %} {% endblock %}
{% block content %} {% block content %}
{%- if election.can_candidate(user) or user.can_edit(election) %} {%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
<section class="election__add-candidature"> <section class="election__add-candidature">
<form action="{{ url('election:candidate', election_id=election.id) }}" method="post"> <form action="{{ url('election:candidate', election_id=election.id) }}" method="post">
{% csrf_token %} {% csrf_token %}
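Review bot: The tightened `{%- if ... %}` condition only hides the candidature form; a POST to `election:candidate` still reaches the view, and no visible hunk adds the `is_candidature_active` / `is_vote_editable` checks on the server side. The same applies to the identical condition around the "Candidate" link in the hunk at -359. The candidate view (not shown here) should evaluate the same predicate and raise `PermissionDenied` when it fails. Moving the whole expression into one model method that both templates and the view call would keep the three copies from drifting apart.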
......
...@@ -359,7 +359,7 @@ th { ...@@ -359,7 +359,7 @@ th {
</section> </section>
{%- endif %} {%- endif %}
<section class="election__add-elements"> <section class="election__add-elements">
{%- if election.can_candidate(user) or user.can_edit(election) %} {%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
<a href="{{ url('election:candidate', election_id=object.id) }}">{% trans %}Candidate{% endtrans %}</a> <a href="{{ url('election:candidate', election_id=object.id) }}">{% trans %}Candidate{% endtrans %}</a>
{%- endif %} {%- endif %}
<a href="{{ url('election:create_list', election_id=object.id) }}">{% trans %}Add a new list{% endtrans %}</a> <a href="{{ url('election:create_list', election_id=object.id) }}">{% trans %}Add a new list{% endtrans %}</a>
......
...@@ -5,6 +5,7 @@ from django.core.urlresolvers import reverse_lazy, reverse ...@@ -5,6 +5,7 @@ from django.core.urlresolvers import reverse_lazy, reverse
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.forms.models import modelform_factory from django.forms.models import modelform_factory
from django.core.exceptions import PermissionDenied, ObjectDoesNotExist, ImproperlyConfigured from django.core.exceptions import PermissionDenied, ObjectDoesNotExist, ImproperlyConfigured
from django.db import DataError, transaction
from django.forms import CheckboxSelectMultiple from django.forms import CheckboxSelectMultiple
from django.utils import timezone from django.utils import timezone
from django.conf import settings from django.conf import settings
...@@ -173,20 +174,21 @@ class VoteFormView(CanCreateMixin, FormView): ...@@ -173,20 +174,21 @@ class VoteFormView(CanCreateMixin, FormView):
return super(VoteFormView, self).dispatch(request, *arg, **kwargs) return super(VoteFormView, self).dispatch(request, *arg, **kwargs)
def vote(self, election_data): def vote(self, election_data):
for role_title in election_data.keys(): with transaction.atomic():
# If we have a multiple choice field for role_title in election_data.keys():
if isinstance(election_data[role_title], QuerySet): # If we have a multiple choice field
if election_data[role_title].count() > 0: if isinstance(election_data[role_title], QuerySet):
vote = Vote(role=election_data[role_title].first().role) if election_data[role_title].count() > 0:
vote = Vote(role=election_data[role_title].first().role)
vote.save()
for el in election_data[role_title]:
vote.candidature.add(el)
# If we have a single choice
elif election_data[role_title] is not None:
vote = Vote(role=election_data[role_title].role)
vote.save() vote.save()
for el in election_data[role_title]: vote.candidature.add(election_data[role_title])
vote.candidature.add(el) self.election.voters.add(self.request.user)
# If we have a single choice
elif election_data[role_title] is not None:
vote = Vote(role=election_data[role_title].role)
vote.save()
vote.candidature.add(election_data[role_title])
self.election.voters.add(self.request.user)
def get_form_kwargs(self): def get_form_kwargs(self):
kwargs = super(VoteFormView, self).get_form_kwargs() kwargs = super(VoteFormView, self).get_form_kwargs()
...@@ -366,6 +368,22 @@ class ElectionUpdateView(CanEditMixin, UpdateView): ...@@ -366,6 +368,22 @@ class ElectionUpdateView(CanEditMixin, UpdateView):
template_name = 'core/edit.jinja' template_name = 'core/edit.jinja'
pk_url_kwarg = 'election_id' pk_url_kwarg = 'election_id'
def get_initial(self):
init = {}
try:
init['start_date'] = self.object.start_date.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['end_date'] = self.object.end_date.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['start_candidature'] = self.object.start_candidature.strftime('%Y-%m-%d %H:%M:%S')
except:pass
try:
init['end_candidature'] = self.object.end_candidature.strftime('%Y-%m-%d %H:%M:%S')
except:pass
return init
def get_success_url(self, **kwargs): def get_success_url(self, **kwargs):
return reverse_lazy('election:detail', kwargs={'election_id': self.object.id}) return reverse_lazy('election:detail', kwargs={'election_id': self.object.id})
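Review bot: In `vote()`, `transaction.atomic()` makes the ballot writes and `self.election.voters.add(...)` all-or-nothing, but it does not serialize two concurrent submissions from the same user. The "has already voted" check is not inside the block (it presumably runs in `dispatch` or the form handling), so two parallel requests can both pass it and both record votes before either adds the voter. Inside the atomic block, lock the election row with `select_for_update()` and re-check that `self.request.user` is not yet in `voters` before creating any `Vote`, raising `PermissionDenied` otherwise. Separately, `DataError` is imported but not used in any visible hunk.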
......