manager: allow viewing resources of editable agenda (#56977)
parent
6297ea6231
commit
ff08d62e61
|
@ -2120,6 +2120,12 @@ class Resource(models.Model):
|
|||
def base_slug(self):
|
||||
return slugify(self.label)
|
||||
|
||||
def can_be_viewed(self, user):
|
||||
if user.is_staff:
|
||||
return True
|
||||
group_ids = [x.id for x in user.groups.all()]
|
||||
return self.agenda_set.filter(edit_role_id__in=group_ids).exists()
|
||||
|
||||
|
||||
class Category(models.Model):
|
||||
slug = models.SlugField(_('Identifier'), max_length=160, unique=True)
|
||||
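Review bot: can_be_viewed has no docstring, although the view hunks in this commit make it the only authorization rule for the resource detail, day and month views. Something like `"""Return True for staff, or for a user whose groups include the edit role of at least one agenda using this resource."""` would pin the rule down. The grant is resource-wide: editing any one agenda that uses the resource opens all of the resource's views, which presumably also show bookings made through other agendas, so it is worth confirming that this is intended. The group lookup can also be left to the database with `return self.agenda_set.filter(edit_role__in=user.groups.all()).exists()`.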
|
|
|
@ -16,8 +16,10 @@
|
|||
{% endblock %}
|
||||
<span class="actions">
|
||||
{% block appbar-extras %}
|
||||
{% if request.user.is_staff %}
|
||||
<a rel="popup" href="{% url 'chrono-manager-resource-edit' pk=resource.pk %}">{% trans 'Edit' %}</a>
|
||||
<a rel="popup" href="{% url 'chrono-manager-resource-delete' pk=resource.pk %}">{% trans 'Delete' %}</a>
|
||||
{% endif %}
|
||||
{% now "Y" as today_year %}
|
||||
{% now "n" as today_month %}
|
||||
{% now "j" as today_day %}
|
||||
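Review bot: The `{% if request.user.is_staff %}` guard only hides the Edit and Delete links, while the page itself is now reachable by non-staff agenda editors. Nothing in this commit shows that the views behind `chrono-manager-resource-edit` and `chrono-manager-resource-delete` reject those users, so their own staff checks should be confirmed. The new test asserts only that the link text is absent; an assertion such as `app.get(reverse('chrono-manager-resource-edit', kwargs={'pk': resource.pk}), status=403)` for the manager user, plus the same for delete, would cover the enforcement (assuming `reverse` is available in the test module).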
|
|
|
@ -198,7 +198,8 @@ class ResourceDetailView(DetailView):
|
|||
model = Resource
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
if not request.user.is_staff:
|
||||
resource = self.get_object()
|
||||
if not resource.can_be_viewed(request.user):
|
||||
raise PermissionDenied()
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
|
||||
|
@ -232,9 +233,9 @@ class ResourceDayView(DateMixin, DayArchiveView):
|
|||
allow_future = True
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
if not request.user.is_staff:
|
||||
raise PermissionDenied()
|
||||
self.resource = get_object_or_404(Resource, pk=kwargs['pk'])
|
||||
if not self.resource.can_be_viewed(request.user):
|
||||
raise PermissionDenied()
|
||||
# specify 6am time to get the expected timezone on daylight saving time
|
||||
# days.
|
||||
try:
|
||||
|
@ -359,9 +360,9 @@ class ResourceMonthView(DateMixin, MonthArchiveView):
|
|||
allow_future = True
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
if not request.user.is_staff:
|
||||
raise PermissionDenied()
|
||||
self.resource = get_object_or_404(Resource, pk=kwargs['pk'])
|
||||
if not self.resource.can_be_viewed(request.user):
|
||||
raise PermissionDenied()
|
||||
self.date = make_aware(
|
||||
datetime.datetime.strptime(
|
||||
'%s-%s-%s 06:00' % (self.get_year(), self.get_month(), 1), '%Y-%m-%d %H:%M'
|
||||
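Review bot: In ResourceDayView.dispatch and ResourceMonthView.dispatch the resource is now loaded with get_object_or_404 before the permission check, so a non-staff user gets 404 for an unknown pk and 403 for an existing one, where the old code answered 403 in both cases. With integer pks this only reveals which resources exist, but if that matters the lookup failure can be turned into PermissionDenied for non-staff users. Separately, ResourceDetailView.dispatch calls `self.get_object()` and the inherited get() will fetch the object again, so the detail page now runs the lookup twice; a short comment saying the early fetch is for the permission check would help. The Day and Month dispatch bodies continue outside the hunks.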
|
|
|
@ -598,3 +598,27 @@ def test_agenda_day_month_view_backoffice_url_translation(
|
|||
|
||||
resp = app.get(url)
|
||||
assert 'http://example.org/foo/' in resp.text
|
||||
|
||||
|
||||
def test_resource_access_permission(app, manager_user):
|
||||
agenda = Agenda.objects.create(label='Foo Bar', kind='meetings')
|
||||
resource = Resource.objects.create(label='Resource 1', agenda=agenda)
|
||||
resource2 = Resource.objects.create(label='Resource 2')
|
||||
agenda.resources.add(resource)
|
||||
|
||||
app = login(app, username='manager', password='manager')
|
||||
assert app.get('/manage/resource/%s/' % resource.pk, status=403)
|
||||
assert app.get('/manage/resource/%s/' % resource2.pk, status=403)
|
||||
|
||||
agenda.edit_role = manager_user.groups.all()[0]
|
||||
agenda.save()
|
||||
|
||||
resp = app.get('/manage/agendas/%s/settings' % agenda.pk)
|
||||
resp = resp.click('Resource 1')
|
||||
assert 'Edit' not in resp.text
|
||||
assert 'Delete' not in resp.text
|
||||
|
||||
assert resp.click('Month view')
|
||||
assert resp.click('Day view')
|
||||
|
||||
assert app.get('/manage/resource/%s/' % resource2.pk, status=403)
|
||||
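Review bot: The denial path is only tested on the detail URL: once the edit role is set, `resource2` is checked with `/manage/resource/%s/` but its month and day views are never requested, so the new can_be_viewed checks in ResourceMonthView and ResourceDayView are exercised on the allowed path only. Requesting both views for `resource2` and expecting 403 would close that gap, as would a case for a user whose group is set on an agenda in some non-edit role, if the model has one. The `assert` in front of `app.get(..., status=403)` adds nothing, since a status mismatch presumably already raises inside `app.get`; dropping it makes the intent clearer.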
|
|