backoffice: only display submission pages to relevant users (#8134)
This commit is contained in:
parent
71e85282f1
commit
01cb0c4300
|
@ -461,14 +461,14 @@ def test_backoffice_submission(pub):
|
|||
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/backoffice/')
|
||||
assert 'Submission' in resp.body
|
||||
assert not 'Submission' in resp.body
|
||||
app.get('/backoffice/submission/', status=403)
|
||||
|
||||
resp = resp.click('Submission', index=0)
|
||||
formdef = FormDef.select()[0]
|
||||
assert not formdef.url_name in resp.body
|
||||
|
||||
formdef.backoffice_submission_roles = user.roles[:]
|
||||
formdef.store()
|
||||
resp = app.get('/backoffice/')
|
||||
assert 'Submission' in resp.body
|
||||
resp = app.get('/backoffice/submission/')
|
||||
assert formdef.url_name in resp.body
|
||||
|
||||
|
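Review bot: `assert not 'Submission' in resp.body` is better written with the membership idiom, `assert 'Submission' not in resp.body`; the same form appears as `assert not formdef.url_name in resp.body` in this hunk and the next one, though those lines may be pre-existing context. The `app.get('/backoffice/submission/', status=403)` call is the assertion that actually exercises the access control rather than the menu rendering, so it is worth keeping right next to the negative menu check as it is here. test_backoffice_submission begins outside the hunk.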
@ -518,13 +518,8 @@ def test_backoffice_submission_tracking_code(pub):
|
|||
create_environment(pub)
|
||||
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/backoffice/')
|
||||
assert 'Submission' in resp.body
|
||||
|
||||
resp = resp.click('Submission', index=0)
|
||||
formdef = FormDef.select()[0]
|
||||
assert not formdef.url_name in resp.body
|
||||
|
||||
formdef.enable_tracking_codes = True
|
||||
formdef.backoffice_submission_roles = user.roles[:]
|
||||
formdef.store()
|
||||
|
|
|
@ -47,6 +47,9 @@ from wcs.formdef import FormDef
|
|||
class ManagementDirectory(Directory):
|
||||
_q_exports = ['', 'statistics']
|
||||
|
||||
def is_accessible(self, user):
|
||||
return user.can_go_in_backoffice()
|
||||
|
||||
def _q_traverse(self, path):
|
||||
get_response().breadcrumb.append(('management/', _('Management')))
|
||||
return super(ManagementDirectory, self)._q_traverse(path)
|
||||
|
|
|
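Review bot: The new `is_accessible` on ManagementDirectory has no docstring, and since RootDirectory now consults it in place of its own per-subdirectory backoffice check, its contract should be stated: `"""Return True only for users allowed into the backoffice at all."""`. The body is a plain delegation to `user.can_go_in_backoffice()`, so nothing else needs documenting.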
@ -105,13 +105,12 @@ class RootDirectory(BackofficeRootDirectory):
|
|||
# access is governed by roles set in the settings panel
|
||||
return user_roles.intersection(authorised_roles)
|
||||
|
||||
# for some subdirectories, the user needs to be part of a role allowed
|
||||
# to go in the backoffice
|
||||
if subdirectory in ('management', 'submission'):
|
||||
return get_request().user.can_go_in_backoffice()
|
||||
# if the directory defines a is_accessible method, use it.
|
||||
if hasattr(getattr(cls, subdirectory), 'is_accessible'):
|
||||
return getattr(cls, subdirectory).is_accessible(get_request().user)
|
||||
|
||||
# for the other directories, an extra level is required, the user needs
|
||||
# to be marked as admin
|
||||
# as a last resort, for the other directories, the user needs to be
|
||||
# marked as admin
|
||||
return get_request().user.can_go_in_admin()
|
||||
|
||||
def check_admin_for_all(self):
|
||||
|
|
|
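Review bot: The new `hasattr(...)/is_accessible` dispatch moves the `can_go_in_backoffice()` precondition that the removed `if subdirectory in ('management', 'submission')` branch applied centrally into each directory's own `is_accessible`, so any directory that later defines `is_accessible` without repeating that check becomes reachable by users who cannot enter the backoffice at all. Worth recording next to the dispatch: `# NOTE: an is_accessible method is fully responsible for the decision; it must include the can_go_in_backoffice() check itself, the dispatcher no longer applies it`. The fallback to `can_go_in_admin()` is fail-closed, which is the right default. Also `a is_accessible method` should read `an is_accessible method`, and `getattr(cls, subdirectory).is_accessible(get_request().user)` presumes `cls.<subdirectory>` is a Directory instance rather than the class; the enclosing method starts outside the hunk.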
@ -95,6 +95,16 @@ class FormFillPage(PublicFormFillPage):
|
|||
class SubmissionDirectory(Directory):
|
||||
_q_exports = ['']
|
||||
|
||||
def is_accessible(self, user):
|
||||
if not user.can_go_in_backoffice():
|
||||
return False
|
||||
# check user has at least one role set for backoffice submission
|
||||
for role_id in (user.roles or []):
|
||||
ids = FormDef.get_ids_with_indexed_value('backoffice_submission_roles', role_id)
|
||||
if ids:
|
||||
return True
|
||||
return False
|
||||
|
||||
def _q_index(self):
|
||||
get_response().breadcrumb.append(('submission/', _('Submission')))
|
||||
html_top('submission', _('Submission'))
|
||||
|
|
|
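Review bot: `SubmissionDirectory.is_accessible` answers only whether some FormDef grants backoffice submission to one of the user's roles; it gates the directory listing, not submission to a particular form, and the per-form role check presumably lives in FormFillPage outside this hunk — a docstring saying so, e.g. `"""Return True if the user may enter the backoffice and at least one formdef allows one of their roles to submit; per-form access is checked on the form page."""`, would stop a reader from treating this as the authorization point. The loop does one `get_ids_with_indexed_value` lookup per role and could be written as `return any(FormDef.get_ids_with_indexed_value('backoffice_submission_roles', role_id) for role_id in (user.roles or []))`. `_q_index` continues past the end of the hunk.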
@ -55,6 +55,7 @@ def lax_int(s):
|
|||
class FormDef(StorableObject):
|
||||
_names = 'formdefs'
|
||||
_indexes = ['url_name']
|
||||
_hashed_indexes = ['backoffice_submission_roles']
|
||||
|
||||
name = None
|
||||
description = None
|
||||
|
|
|
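Review bot: Declaring `_hashed_indexes = ['backoffice_submission_roles']` only populates the index for FormDefs stored after this change, if index maintenance happens on store as the storage hunk suggests; existing formdefs would then return nothing from `get_ids_with_indexed_value` until re-stored, and `SubmissionDirectory.is_accessible` would deny the submission directory to everyone on an upgraded instance unless a migration or index rebuild runs — I cannot see one in this commit. A short comment on the attribute, `# hashed index consulted by SubmissionDirectory.is_accessible; existing objects must be re-stored for it to be populated`, would record that dependency.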
@ -595,6 +595,8 @@ class StorableObject(object):
|
|||
new_value = getattr(self, index)
|
||||
if previous_object_value:
|
||||
old_value = getattr(previous_object_value, index)
|
||||
if old_value is None:
|
||||
old_value = []
|
||||
else:
|
||||
new_value = [getattr(self, index)]
|
||||
if previous_object_value:
|
||||
|
|
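Review bot: The added guard normalises only `old_value`; `new_value = getattr(self, index)` can equally be None for a freshly created object whose `backoffice_submission_roles` was never set, since FormDef initialises its attributes to None, so if the code below the hunk iterates `new_value` it needs the matching `if new_value is None: new_value = []`, unless that is already handled further down. The enclosing method starts and ends outside the hunk.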