Add permission checking before showing edit buttons

2018-01-21 12:23:13 -05:00 · 2018-01-21 12:23:13 -05:00 · 542a8c82e9
commit 542a8c82e9
parent 54adf71434
4 changed files with 28 additions and 1 deletions
--- a/events/models/profiles.py
+++ b/events/models/profiles.py
@ -47,6 +47,8 @@ class UserProfile(models.Model):
        return local.astimezone(pytz.utc)

    def can_create_event(self, team):
+        if self.user.is_superuser:
+            return True
        if not self.user_id:
            return False
        if self.user.is_superuser:
@ -59,6 +61,27 @@ class UserProfile(models.Model):
            return True
        return False

+    def can_edit_event(self, event):
+        if self.user.is_superuser:
+            return True
+        if event.created_by == self:
+            return True
+        if event.team.owner_profile == self:
+            return True
+        if self in event.team.admin_profiles.all():
+            return True
+        return False
+
+    def can_edit_team(self, team):
+        print("Checking team edit permission for: %s" % team)
+        if self.user.is_superuser:
+            return True
+        if team.owner_profile == self:
+            return True
+        if self in team.admin_profiles.all():
+            return True
+        return False
+
 def get_user_timezone(username):
    # TODO: find a smarter way to get timezone
    return 'UTC'
--- a/get_together/templates/get_together/show_event.html
+++ b/get_together/templates/get_together/show_event.html
@ -6,7 +6,7 @@
 <h4>Hosted by <a href="{% url "show-team" team.id %}">{{ team.name }}</a></h4>
 {% include "events/event_details.html" %}

-{% if request.user.profile == event.created_by %}
+{% if can_edit_event %}
 <form action="{% url 'edit-event' event.id %}" method="get">
 <button type="submit" class="btn btn-secondary">Edit Event</button>
 </form>
--- a/get_together/templates/get_together/show_team.html
+++ b/get_together/templates/get_together/show_team.html
@ -10,7 +10,9 @@
 <form action="{% url 'create-event' team.id %}" method="get">
 <button type="submit" class="btn btn-primary">Plan a Get Together</button>
 </form>
+{% endif %}

+{% if can_edit_team %}
 <form action="{% url 'edit-team' team.id %}" method="get">
 <button type="submit" class="btn btn-secondary">Edit Team</button>
 </form>
--- a/get_together/views.py
+++ b/get_together/views.py
@ -92,6 +92,7 @@ def show_team(request, team_id, *args, **kwargs):
        'team': team,
        'events_list': team_events,
        'can_create_event': request.user.profile.can_create_event(team),
+        'can_edit_team': request.user.profile.can_edit_team(team),
    }
    return render(request, 'get_together/show_team.html', context)

@ -180,5 +181,6 @@ def show_event(request, event_id, event_slug):
    context = {
        'team': event.team,
        'event': event,
+        'can_edit_event': request.user.profile.can_edit_event(event),
    }
    return render(request, 'get_together/show_event.html', context)