Add permission checks before editing teams or events, use Django messaging framework to tell the user what went wrong

Michael Hall 2018-01-22 17:03:25 -05:00
parent de445c0728
commit b327dcec97
2 changed files with 25 additions and 0 deletions


@ -155,6 +155,15 @@ SETTINGS_EXPORT = [
'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
] ]
# Make django messages framework use Bootstrap's alert style classes
from django.contrib.messages import constants as messages
MESSAGE_TAGS = {
messages.INFO: 'alert-info',
messages.SUCCESS: 'alert-success',
messages.WARNING: 'alert-warning',
messages.ERROR: 'alert-danger',
}
# Keep this at the end of settings.py to allow overriding settings in local deployments # Keep this at the end of settings.py to allow overriding settings in local deployments
try: try:
from local_settings import * from local_settings import *
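Review bot: `MESSAGE_TAGS` maps INFO, SUCCESS, WARNING and ERROR but leaves out `messages.DEBUG`, so a debug-level message keeps Django's default `debug` tag and gets no Bootstrap alert class. Adding `messages.DEBUG: 'alert-info',` would complete the mapping. The import also sits mid-file and binds the generic name `messages` in the settings module; `from django.contrib.messages import constants as message_constants` at the top of the file would keep the settings namespace clearer.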


@ -1,3 +1,6 @@
from django.utils.translation import ugettext_lazy as _
from django.contrib import messages
from django.shortcuts import render, redirect from django.shortcuts import render, redirect
from django.http import HttpResponse, JsonResponse from django.http import HttpResponse, JsonResponse
@ -53,6 +56,10 @@ def create_team(request, *args, **kwargs):
def edit_team(request, team_id): def edit_team(request, team_id):
team = Team.objects.get(id=team_id) team = Team.objects.get(id=team_id)
if not request.user.profile.can_edit_team(team):
messages.add_message(request, messages.WARNING, message=_('You can not make changes to this team.'))
return redirect('show-team', team_id=team.pk)
if request.method == 'GET': if request.method == 'GET':
form = TeamForm(instance=team) form = TeamForm(instance=team)
@ -98,6 +105,11 @@ def show_team(request, team_id, *args, **kwargs):
def edit_event(request, event_id): def edit_event(request, event_id):
event = Event.objects.get(id=event_id) event = Event.objects.get(id=event_id)
if not request.user.profile.can_edit_event(event):
messages.add_message(request, messages.WARNING, message=_('You can not make changes to this event.'))
return redirect(event.get_absolute_url())
if request.method == 'GET': if request.method == 'GET':
form = TeamEventForm(instance=event) form = TeamEventForm(instance=event)
@ -124,6 +136,10 @@ def edit_event(request, event_id):
def create_event(request, team_id): def create_event(request, team_id):
team = Team.objects.get(id=team_id) team = Team.objects.get(id=team_id)
if not request.user.profile.can_create_event(team):
messages.add_message(request, messages.WARNING, message=_('You can not create events for this team.'))
return redirect('show-team', team_id=team.pk)
if request.method == 'GET': if request.method == 'GET':
form = NewTeamEventForm() form = NewTeamEventForm()
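Review bot: The three new checks in `edit_team`, `edit_event` and `create_event` dereference `request.user.profile` without first confirming that the user is logged in. For an anonymous request Django's `AnonymousUser` normally has no `profile` attribute, so the check would raise `AttributeError` and return a 500 instead of the warning and redirect. Any decorators on these views sit above the `def` lines, outside the hunks, so if `@login_required` is not already applied there, either add it or guard the check, e.g. `if not request.user.is_authenticated or not request.user.profile.can_edit_team(team):`. The unchanged lookups just above each check (`Team.objects.get(id=team_id)`, `Event.objects.get(id=event_id)`) also raise `DoesNotExist` for an unknown id; `get_object_or_404` from `django.shortcuts` would return a 404 there. Each check runs before the `request.method` branch, so it covers POST as well as GET, which is the right placement.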