Commit c56094ea authored by Sli's avatar Sli

Some selected club members can now make people subscribe and fix major...

Some selected club members can now make people subscribe, and fix a major security hole in board_member verification
parent e80f5b6f
...@@ -139,10 +139,7 @@ class Club(models.Model): ...@@ -139,10 +139,7 @@ class Club(models.Model):
""" """
Method to see if that object can be edited by the given user Method to see if that object can be edited by the given user
""" """
ms = self.get_membership_for(user) return self.has_rights_in_club(user)
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
return True
return False
def can_be_viewed_by(self, user): def can_be_viewed_by(self, user):
""" """
...@@ -170,6 +167,10 @@ class Club(models.Model): ...@@ -170,6 +167,10 @@ class Club(models.Model):
Club._memberships[self.id][user.id] = m Club._memberships[self.id][user.id] = m
return m return m
def has_rights_in_club(self, user):
m = self.get_membership_for(user)
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
class Membership(models.Model): class Membership(models.Model):
""" """
......
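Review bot: `has_rights_in_club` (the three added lines in the second hunk) carries no docstring, although it now backs both `can_be_edited_by` and `User.is_board_member`; the threshold it encodes (`m.role > settings.SITH_MAXIMUM_FREE_ROLE`, i.e. strictly above the maximum free role) should be stated where the check lives. A docstring such as `"""Return True if *user* holds a membership in this club whose role is strictly above SITH_MAXIMUM_FREE_ROLE (a board-level role)."""` would do. Whether `get_membership_for` can hand back an ended membership is not visible in this hunk; if it can, this check would honour it, so that is worth confirming. The `Club` class begins before and continues after these hunks.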
...@@ -300,7 +300,15 @@ class User(AbstractBaseUser): ...@@ -300,7 +300,15 @@ class User(AbstractBaseUser):
@cached_property @cached_property
def is_board_member(self): def is_board_member(self):
from club.models import Club from club.models import Club
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self) return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
@cached_property
def can_create_subscription(self):
from club.models import Club
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
if club.has_rights_in_club(self):
return True
return False
@cached_property @cached_property
def is_launderette_manager(self): def is_launderette_manager(self):
...@@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser): ...@@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
def __init__(self, request): def __init__(self, request):
super(AnonymousUser, self).__init__() super(AnonymousUser, self).__init__()
@property
def can_create_subscription(self):
return False
@property @property
def was_subscribed(self): def was_subscribed(self):
return False return False
......
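Review bot: `can_create_subscription` on `User` has no docstring even though it is now the single authorization gate used by `NewSubscription.dispatch` and the navigation template, and its explicit loop is the `any` idiom written out. It could read `return any(club.has_rights_in_club(self) for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS))` with a docstring along the lines of `"""True if the user has a role above SITH_MAXIMUM_FREE_ROLE in one of the clubs listed in SITH_CAN_CREATE_SUBSCRIPTIONS."""`. As a `@cached_property` it is evaluated once per `User` instance, which suits a per-request object but will not reflect a membership change made during that instance's lifetime; a short comment saying so would save the next reader a check. The `User` and `AnonymousUser` classes both extend beyond these hunks.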
...@@ -14,8 +14,10 @@ ...@@ -14,8 +14,10 @@
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li> <li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li> <li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
{% endif %} {% endif %}
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %} {% if user.can_create_subscription or user.is_root %}
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li> <li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
{% endif %}
{% if user.is_board_member or user.is_root %}
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li> <li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li> <li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
{% endif %} {% endif %}
......
...@@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1 ...@@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
SITH_PRODUCTTYPE_SUBSCRIPTION = 2 SITH_PRODUCTTYPE_SUBSCRIPTION = 2
SITH_CAN_CREATE_SUBSCRIPTIONS = [
1,
]
# Subscription durations are in semestres # Subscription durations are in semestres
# Be careful, modifying this parameter will need a migration to be applied # Be careful, modifying this parameter will need a migration to be applied
SITH_SUBSCRIPTIONS = { SITH_SUBSCRIPTIONS = {
......
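Review bot: `SITH_CAN_CREATE_SUBSCRIPTIONS = [1,]` is an undocumented list of raw primary keys, whereas the main club is identified elsewhere in this commit by `settings.SITH_MAIN_CLUB['unix_name']`; a reader cannot tell which club `1` is, and the id will differ between databases. At minimum add a comment above it such as `# Ids of the clubs whose members with a role above SITH_MAXIMUM_FREE_ROLE may create subscriptions (see User.can_create_subscription)`. Keying the setting by `unix_name` as `SITH_MAIN_CLUB` does would be more portable, but that would also change the lookup in `User.can_create_subscription`.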
...@@ -106,7 +106,7 @@ class NewSubscription(CreateView): ...@@ -106,7 +106,7 @@ class NewSubscription(CreateView):
def dispatch(self, request, *arg, **kwargs): def dispatch(self, request, *arg, **kwargs):
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs) res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP): if request.user.can_create_subscription:
return res return res
raise PermissionDenied raise PermissionDenied
......
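Review bot: In `dispatch`, `super(NewSubscription, self).dispatch(...)` runs before `request.user.can_create_subscription` is consulted, so the view body executes for an unauthorized user and `PermissionDenied` is raised only afterwards; for a `CreateView` a POST would presumably be processed before the denial. The guard belongs first: `if not request.user.can_create_subscription:` / `    raise PermissionDenied` / `return super(NewSubscription, self).dispatch(request, *arg, **kwargs)`. The ordering predates this commit, but the check it wraps is the new one. Separately, the navigation template now shows the Subscriptions link for `user.is_root` as well, while this dispatch accepts only `can_create_subscription`; unless `is_root` implies that property (not visible here), a root user without club rights gets a link that ends in `PermissionDenied`.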