Commit e4e4eae1 authored by Skia's avatar Skia

Merge branch 'subscriptions' into 'master'

Some selected club members can now make people subscribe and fix major security …

Le bdf m'a demandé si c'était possible pour eux de faire des cotisations pour les nouveaux
Je retire WIP quand j'ai la confirmation du bureau que je peux faire ça
Par contre j'y ai patché une grosse faille de sécurité : se mettre curieux à l'AE suffit à avoir tous les droits de board_member

See merge request !91
parents b99bbc38 c56094ea
Pipeline #1108 passed with stage
in 4 minutes and 17 seconds
......@@ -139,10 +139,7 @@ class Club(models.Model):
"""
Method to see if that object can be edited by the given user
"""
ms = self.get_membership_for(user)
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
return True
return False
return self.has_rights_in_club(user)
def can_be_viewed_by(self, user):
"""
......@@ -170,6 +167,10 @@ class Club(models.Model):
Club._memberships[self.id][user.id] = m
return m
def has_rights_in_club(self, user):
m = self.get_membership_for(user)
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
class Membership(models.Model):
"""
......
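Review bot: `has_rights_in_club` now carries every edit-permission and board-member decision, yet it reads the membership through `get_membership_for`, which (per the context line just above it) stores results in the class-level `Club._memberships` dictionary. If that cache is not cleared when a membership ends or a role is lowered (the invalidation is not visible in this hunk), a demoted user would keep passing the check until the entry is dropped. It is worth confirming the invalidation path, and adding a docstring such as `"""Return True when the user holds a role above SITH_MAXIMUM_FREE_ROLE in this club."""` so the threshold is stated where the decision is made.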
......@@ -300,7 +300,15 @@ class User(AbstractBaseUser):
@cached_property
def is_board_member(self):
from club.models import Club
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
@cached_property
def can_create_subscription(self):
from club.models import Club
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
if club.has_rights_in_club(self):
return True
return False
@cached_property
def is_launderette_manager(self):
......@@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
def __init__(self, request):
super(AnonymousUser, self).__init__()
@property
def can_create_subscription(self):
return False
@property
def was_subscribed(self):
return False
......
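Review bot: In `is_board_member`, `Club.objects.filter(...).first()` returns `None` when no club matches `SITH_MAIN_CLUB['unix_name']`, so the chained `.has_rights_in_club(self)` raises `AttributeError` instead of denying access. The navigation template in this commit evaluates `user.is_board_member`, so a fresh or misconfigured database would break any page that renders that menu. Binding the club first and returning `club is not None and club.has_rights_in_club(self)` fails closed. The fix also deserves a regression test asserting that a member whose role is at or below `SITH_MAXIMUM_FREE_ROLE` is not a board member; no test is visible in this commit.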
......@@ -14,8 +14,10 @@
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
{% endif %}
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
{% if user.can_create_subscription or user.is_root %}
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
{% endif %}
{% if user.is_board_member or user.is_root %}
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
{% endif %}
......
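Review bot: The `Subscriptions` link is shown for `user.can_create_subscription or user.is_root`, but `NewSubscription.dispatch` in this same commit checks only `request.user.can_create_subscription`, and that property as added here does not consider `is_root`. A root user with no qualifying club role would therefore see the link and get a 403 when following it. Either drop `or user.is_root` from the condition or apply the same rule in the view, so the menu and the enforcement point agree; the view is what actually protects the action.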
......@@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
SITH_PRODUCTTYPE_SUBSCRIPTION = 2
SITH_CAN_CREATE_SUBSCRIPTIONS = [
1,
]
# Subscription durations are in semestres
# Be careful, modifying this parameter will need a migration to be applied
SITH_SUBSCRIPTIONS = {
......
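Review bot: `SITH_CAN_CREATE_SUBSCRIPTIONS` grants a privilege by raw database id, and nothing next to the list says which club `1` is. On an instance where the ids differ, whoever holds a role above `SITH_MAXIMUM_FREE_ROLE` in club 1 gains the right to create subscriptions. A comment such as `# Ids of the clubs whose members above SITH_MAXIMUM_FREE_ROLE may create subscriptions` would help. Identifying clubs by `unix_name`, as `SITH_MAIN_CLUB` does, would probably be more robust across deployments.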
......@@ -106,7 +106,7 @@ class NewSubscription(CreateView):
def dispatch(self, request, *arg, **kwargs):
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
if request.user.can_create_subscription:
return res
raise PermissionDenied
......
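Review bot: `dispatch` calls `super().dispatch()` before the permission test, so for a POST the parent `CreateView` has already validated and saved the form by the time `PermissionDenied` is raised. Unless the request runs in a transaction that is rolled back on the exception (not visible here), the subscription would persist even though the response is a 403. The check should come first: `if not request.user.can_create_subscription:` / `raise PermissionDenied` / `return super(NewSubscription, self).dispatch(request, *arg, **kwargs)`. The class body starts outside this hunk.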