bic/GetTogether
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add permission checking before showing edit buttons

Browse source
This commit is contained in:
Michael Hall 2018-01-21 12:23:13 -05:00
parent 54adf71434
commit 542a8c82e9
4 changed files with 28 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
events/models/profiles.py
View file

@ -47,6 +47,8 @@ class UserProfile(models.Model):
return local.astimezone(pytz.utc) return local.astimezone(pytz.utc)
def can_create_event(self, team): def can_create_event(self, team):
if self.user.is_superuser:
return True
if not self.user_id: if not self.user_id:
return False return False
if self.user.is_superuser: if self.user.is_superuser:
@ -59,6 +61,27 @@ class UserProfile(models.Model):
return True return True
return False return False
def can_edit_event(self, event):
if self.user.is_superuser:
return True
if event.created_by == self:
return True
if event.team.owner_profile == self:
return True
if self in event.team.admin_profiles.all():
return True
return False
def can_edit_team(self, team):
print("Checking team edit permission for: %s" % team)
if self.user.is_superuser:
return True
if team.owner_profile == self:
return True
if self in team.admin_profiles.all():
return True
return False
def get_user_timezone(username): def get_user_timezone(username):
# TODO: find a smarter way to get timezone # TODO: find a smarter way to get timezone
return 'UTC' return 'UTC'

2
get_together/templates/get_together/show_event.html
View file

@ -6,7 +6,7 @@
<h4>Hosted by <a href="{% url "show-team" team.id %}">{{ team.name }}</a></h4> <h4>Hosted by <a href="{% url "show-team" team.id %}">{{ team.name }}</a></h4>
{% include "events/event_details.html" %} {% include "events/event_details.html" %}
{% if request.user.profile == event.created_by %} {% if can_edit_event %}
<form action="{% url 'edit-event' event.id %}" method="get"> <form action="{% url 'edit-event' event.id %}" method="get">
<button type="submit" class="btn btn-secondary">Edit Event</button> <button type="submit" class="btn btn-secondary">Edit Event</button>
</form> </form>

2
get_together/templates/get_together/show_team.html
View file

@ -10,7 +10,9 @@
<form action="{% url 'create-event' team.id %}" method="get"> <form action="{% url 'create-event' team.id %}" method="get">
<button type="submit" class="btn btn-primary">Plan a Get Together</button> <button type="submit" class="btn btn-primary">Plan a Get Together</button>
</form> </form>
{% endif %}
{% if can_edit_team %}
<form action="{% url 'edit-team' team.id %}" method="get"> <form action="{% url 'edit-team' team.id %}" method="get">
<button type="submit" class="btn btn-secondary">Edit Team</button> <button type="submit" class="btn btn-secondary">Edit Team</button>
</form> </form>

2
get_together/views.py
View file

@ -92,6 +92,7 @@ def show_team(request, team_id, *args, **kwargs):
'team': team, 'team': team,
'events_list': team_events, 'events_list': team_events,
'can_create_event': request.user.profile.can_create_event(team), 'can_create_event': request.user.profile.can_create_event(team),
'can_edit_team': request.user.profile.can_edit_team(team),
} }
return render(request, 'get_together/show_team.html', context) return render(request, 'get_together/show_team.html', context)
@ -180,5 +181,6 @@ def show_event(request, event_id, event_slug):
context = { context = {
'team': event.team, 'team': event.team,
'event': event, 'event': event,
'can_edit_event': request.user.profile.can_edit_event(event),
} }
return render(request, 'get_together/show_event.html', context) return render(request, 'get_together/show_event.html', context)