manager: allow viewing resources of editable agenda (#56977)

This commit is contained in:
Valentin Deniaud 2021-09-16 12:05:52 +02:00
parent 6297ea6231
commit ff08d62e61
4 changed files with 38 additions and 5 deletions


@ -2120,6 +2120,12 @@ class Resource(models.Model):
def base_slug(self):
return slugify(self.label)
def can_be_viewed(self, user):
if user.is_staff:
return True
group_ids = [x.id for x in user.groups.all()]
return self.agenda_set.filter(edit_role_id__in=group_ids).exists()
class Category(models.Model):
slug = models.SlugField(_('Identifier'), max_length=160, unique=True)
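Review bot: `can_be_viewed` materialises the user's group ids in Python (`group_ids = [x.id for x in user.groups.all()]`) and then hands the list to the filter, which costs a second query; a subquery does the same in one and reads shorter, `return self.agenda_set.filter(edit_role__in=user.groups.all()).exists()` (edit_role is a FK to Group, per the test that assigns `manager_user.groups.all()[0]` to it). A docstring would also help, because the method name says "viewed" while the grant is the agenda's edit role: `"""Staff always; otherwise members of the edit role of any agenda that uses this resource."""`. The enclosing Resource class starts outside the hunk.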


@ -16,8 +16,10 @@
{% endblock %}
<span class="actions">
{% block appbar-extras %}
{% if request.user.is_staff %}
<a rel="popup" href="{% url 'chrono-manager-resource-edit' pk=resource.pk %}">{% trans 'Edit' %}</a>
<a rel="popup" href="{% url 'chrono-manager-resource-delete' pk=resource.pk %}">{% trans 'Delete' %}</a>
{% endif %}
{% now "Y" as today_year %}
{% now "n" as today_month %}
{% now "j" as today_day %}
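Review bot: Gating the Edit/Delete links on `request.user.is_staff` is presentation only; the `chrono-manager-resource-edit` and `chrono-manager-resource-delete` views are not touched by this commit, so whatever staff check they already carry is what actually keeps the newly admitted non-staff visitors out, and that is worth confirming. The added test in tests/ only asserts that the words 'Edit' and 'Delete' are absent from the page text; a direct GET on the edit and delete URLs (their paths are not shown in this commit) as the `manager` user with `status=403` would pin the server-side rule. A short template comment above the block would make the intent explicit: `{# only staff may edit or delete; non-staff reach this page through an agenda's edit role (Resource.can_be_viewed) #}`. The appbar-extras block continues past the hunk.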


@ -198,7 +198,8 @@ class ResourceDetailView(DetailView):
model = Resource
def dispatch(self, request, *args, **kwargs):
if not request.user.is_staff:
resource = self.get_object()
if not resource.can_be_viewed(request.user):
raise PermissionDenied()
return super().dispatch(request, *args, **kwargs)
@ -232,9 +233,9 @@ class ResourceDayView(DateMixin, DayArchiveView):
allow_future = True
def dispatch(self, request, *args, **kwargs):
if not request.user.is_staff:
raise PermissionDenied()
self.resource = get_object_or_404(Resource, pk=kwargs['pk'])
if not self.resource.can_be_viewed(request.user):
raise PermissionDenied()
# specify 6am time to get the expected timezone on daylight saving time
# days.
try:
@ -359,9 +360,9 @@ class ResourceMonthView(DateMixin, MonthArchiveView):
allow_future = True
def dispatch(self, request, *args, **kwargs):
if not request.user.is_staff:
raise PermissionDenied()
self.resource = get_object_or_404(Resource, pk=kwargs['pk'])
if not self.resource.can_be_viewed(request.user):
raise PermissionDenied()
self.date = make_aware(
datetime.datetime.strptime(
'%s-%s-%s 06:00' % (self.get_year(), self.get_month(), 1), '%Y-%m-%d %H:%M'
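Review bot: The same authorization check now appears three times, in ResourceDetailView.dispatch, ResourceDayView.dispatch and ResourceMonthView.dispatch, and the first copy already differs from the other two (it loads the object only for non-staff via `self.get_object()`, then the inherited `get()` loads it again), so a small mixin would keep the three from drifting. Note too that for a non-staff user the object lookup now precedes the permission check, so an unknown pk answers 404 where it answered 403 before; that is consistent with the staff path but deserves a one-line comment if intended. All three dispatch methods continue outside their hunks.

```python
class ResourceAccessMixin:
    """Load the resource from kwargs['pk'] and reject users that Resource.can_be_viewed() refuses."""

    def dispatch(self, request, *args, **kwargs):
        self.resource = get_object_or_404(Resource, pk=kwargs['pk'])
        if not self.resource.can_be_viewed(request.user):
            raise PermissionDenied()
        return super().dispatch(request, *args, **kwargs)

# … ResourceDetailView, ResourceDayView, ResourceMonthView: add ResourceAccessMixin
#   as the first base and drop the per-view check; the rest of each dispatch is unchanged …
```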


@ -598,3 +598,27 @@ def test_agenda_day_month_view_backoffice_url_translation(
resp = app.get(url)
assert 'http://example.org/foo/' in resp.text
def test_resource_access_permission(app, manager_user):
agenda = Agenda.objects.create(label='Foo Bar', kind='meetings')
resource = Resource.objects.create(label='Resource 1', agenda=agenda)
resource2 = Resource.objects.create(label='Resource 2')
agenda.resources.add(resource)
app = login(app, username='manager', password='manager')
assert app.get('/manage/resource/%s/' % resource.pk, status=403)
assert app.get('/manage/resource/%s/' % resource2.pk, status=403)
agenda.edit_role = manager_user.groups.all()[0]
agenda.save()
resp = app.get('/manage/agendas/%s/settings' % agenda.pk)
resp = resp.click('Resource 1')
assert 'Edit' not in resp.text
assert 'Delete' not in resp.text
assert resp.click('Month view')
assert resp.click('Day view')
assert app.get('/manage/resource/%s/' % resource2.pk, status=403)
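Review bot: The day and month views had their permission check rewritten in this commit, but the test only exercises them on the allowed path (`resp.click('Month view')`, `resp.click('Day view')` after the edit role is granted); there is no negative case, so a regression that drops the check from ResourceDayView or ResourceMonthView would still pass. Requesting the day and month URLs (their paths are not shown in this commit) for `resource2` as `manager` with `status=403`, next to the existing detail-view check on the last line, would close that gap. A docstring on the test would also record what is being asserted: `"""Non-staff managers see a resource only through an agenda whose edit role they hold, and never the Edit/Delete links."""`.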