rezometz
/
re2o
mirror of https://gitlab.federez.net/re2o/re2o
8
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Verouille toutes les vues avec des acl, un user sans droit peut uniquement se modifier lui et ses machines

test_david
chirac 10 years ago
parent
8af94c8536
commit
61126e0173
2 changed files with 22 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 9
      machines/views.py
  2. 14
      users/views.py

9
machines/views.py
View File

@ -55,6 +55,9 @@ def new_machine(request, userid):
except User.DoesNotExist:
messages.error(request, u"Utilisateur inexistant" )
return redirect("/machines/")
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une machine à un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine = NewMachineForm(request.POST or None)
interface = AddInterfaceForm(request.POST or None)
if machine.is_valid() and interface.is_valid():
@ -79,6 +82,9 @@ def edit_machine(request, interfaceid):
except Interface.DoesNotExist:
messages.error(request, u"Interface inexistante" )
return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(interface.machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas éditer une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
machine_form = EditMachineForm(request.POST or None, instance=interface.machine)
interface_form = EditInterfaceForm(request.POST or None, instance=interface)
if machine_form.is_valid() and interface_form.is_valid():
@ -95,6 +101,9 @@ def new_interface(request, machineid):
except Machine.DoesNotExist:
messages.error(request, u"Machine inexistante" )
return redirect("/machines")
if not request.user.has_perms(('cableur',)) and str(machine.user.id)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas ajouter une interface à une machine d'un autre user que vous sans droit")
return redirect("/users/profil/" + str(request.user.id))
interface_form = AddInterfaceForm(request.POST or None)
machine_form = EditMachineForm(request.POST or None, instance=machine)
if interface_form.is_valid() and machine_form.is_valid():

14
users/views.py
View File

@ -104,6 +104,9 @@ def new_user(request):
@login_required
def edit_info(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
user = User.objects.get(pk=userid)
except User.DoesNotExist:
@ -137,13 +140,18 @@ def state(request, userid):
return form({'userform': state}, 'users/user.html', request)
@login_required
@permission_required('bureau')
def password(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas modifier un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
user = User.objects.get(pk=userid)
except User.DoesNotExist:
messages.error(request, "Utilisateur inexistant")
return redirect("/users/")
if not request.user.has_perms(('bureau',)) and str(userid)!=str(request.user.id) and Right.objects.filter(user=user):
messages.error(request, "Il faut les droits bureau pour modifier le mot de passe d'un membre actif")
return redirect("/users/profil/" + str(request.user.id))
u_form = PassForm(request.POST or None)
if u_form.is_valid():
if u_form.cleaned_data['passwd1'] != u_form.cleaned_data['passwd2']:
@ -303,6 +311,7 @@ def del_school(request):
return form({'userform': school}, 'users/user.html', request)
@login_required
@permission_required('cableur')
def index(request):
users_list = User.objects.order_by('pk')
connexion = []
@ -340,6 +349,9 @@ def index_school(request):
@login_required
def profil(request, userid):
if not request.user.has_perms(('cableur',)) and str(userid)!=str(request.user.id):
messages.error(request, "Vous ne pouvez pas afficher un autre user que vous sans droit cableur")
return redirect("/users/profil/" + str(request.user.id))
try:
users = User.objects.get(pk=userid)
except User.DoesNotExist:

Write Preview
Loading…
Cancel
Save