0001-manager-allow-viewing-resources-of-editable-agenda-5.patch
chrono/agendas/models.py | ||
2078 | 2078 |
def base_slug(self): |
2079 | 2079 |
return slugify(self.label) |
2080 | 2080 | |
2081 |
def can_be_viewed(self, user): |
|
2082 |
if user.is_staff: |
|
2083 |
return True |
|
2084 |
group_ids = [x.id for x in user.groups.all()] |
|
2085 |
return self.agenda_set.filter(edit_role_id__in=group_ids).exists() |
|
2086 | ||
2081 | 2087 | |
2082 | 2088 |
class Category(models.Model): |
2083 | 2089 |
slug = models.SlugField(_('Identifier'), max_length=160, unique=True) |
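Review bot: `can_be_viewed` issues two queries where one would do and the new method has no docstring; `return self.agenda_set.filter(edit_role__in=user.groups.all()).exists()` lets the ORM express the group membership as a subquery instead of first materialising `group_ids` in Python. A docstring such as `"""Return True if user is staff or may edit an agenda that uses this resource."""` would make the authorisation rule explicit. Only `edit_role` is consulted, so if agendas also carry a view-only role a user holding just that role still gets 403 from the manager views — worth confirming that is intended. The enclosing model class (presumably Resource, given `agenda_set`) begins outside the hunk.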
chrono/manager/templates/chrono/manager_resource_detail.html | ||
16 | 16 |
{% endblock %} |
17 | 17 |
<span class="actions"> |
18 | 18 |
{% block appbar-extras %} |
19 |
{% if request.user.is_staff %} |
|
19 | 20 |
<a rel="popup" href="{% url 'chrono-manager-resource-edit' pk=resource.pk %}">{% trans 'Edit' %}</a> |
20 | 21 |
<a rel="popup" href="{% url 'chrono-manager-resource-delete' pk=resource.pk %}">{% trans 'Delete' %}</a> |
22 |
{% endif %} |
|
21 | 23 |
{% now "Y" as today_year %} |
22 | 24 |
{% now "n" as today_month %} |
23 | 25 |
{% now "j" as today_day %} |
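Review bot: The `{% if request.user.is_staff %}` guard only hides the Edit and Delete links; it does not protect the `chrono-manager-resource-edit` and `chrono-manager-resource-delete` views themselves, whose `dispatch` is not part of this patch. Because non-staff agenda editors can now reach this page, those two views must keep enforcing `is_staff` server-side, otherwise the actions are merely hidden rather than forbidden. A short template comment would help the next reader, e.g. `{# agenda editors may view a resource; only staff may edit or delete it #}` placed above the `{% if %}`.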
chrono/manager/views.py | ||
178 | 178 |
model = Resource |
179 | 179 | |
180 | 180 |
def dispatch(self, request, *args, **kwargs): |
181 |
if not request.user.is_staff: |
|
181 |
resource = self.get_object() |
|
182 |
if not resource.can_be_viewed(request.user): |
|
182 | 183 |
raise PermissionDenied() |
183 | 184 |
return super().dispatch(request, *args, **kwargs) |
184 | 185 | |
... | ... | |
212 | 213 |
allow_future = True |
213 | 214 | |
214 | 215 |
def dispatch(self, request, *args, **kwargs): |
215 |
if not request.user.is_staff: |
|
216 |
raise PermissionDenied() |
|
217 | 216 |
self.resource = get_object_or_404(Resource, pk=kwargs['pk']) |
217 |
if not self.resource.can_be_viewed(request.user): |
|
218 |
raise PermissionDenied() |
|
218 | 219 |
# specify 6am time to get the expected timezone on daylight saving time |
219 | 220 |
# days. |
220 | 221 |
try: |
... | ... | |
339 | 340 |
allow_future = True |
340 | 341 | |
341 | 342 |
def dispatch(self, request, *args, **kwargs): |
342 |
if not request.user.is_staff: |
|
343 |
raise PermissionDenied() |
|
344 | 343 |
self.resource = get_object_or_404(Resource, pk=kwargs['pk']) |
344 |
if not self.resource.can_be_viewed(request.user): |
|
345 |
raise PermissionDenied() |
|
345 | 346 |
self.date = make_aware( |
346 | 347 |
datetime.datetime.strptime( |
347 | 348 |
'%s-%s-%s 06:00' % (self.get_year(), self.get_month(), 1), '%Y-%m-%d %H:%M' |
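Review bot: In all three `dispatch` methods the object lookup now runs before the authorisation check (`get_object_or_404(Resource, pk=kwargs['pk'])` precedes `self.resource.can_be_viewed(request.user)`, and `self.get_object()` precedes `resource.can_be_viewed(...)` in the detail view), whereas the removed code rejected non-staff users before touching the database. A non-staff user therefore gets 404 for a missing pk and 403 for an existing one, which makes these views an existence oracle over sequential resource ids; if that matters for your threat model, raise `Http404()` instead of `PermissionDenied()` after a failed `can_be_viewed`, or accept it and say so in a comment above the check. The detail view's `dispatch` also calls `self.get_object()` and the parent `get()` will presumably call it again, so the resource is fetched twice per request — consider keeping the result as `self.object` or accepting the extra query knowingly. The body of the last `dispatch` continues past the end of the hunk.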
tests/manager/test_resource.py | ||
560 | 560 |
resp = resp.follow() |
561 | 561 |
assert '/manage/resource/%s/' % resource.pk not in resp.text |
562 | 562 |
assert '/manage/agendas/%s/resource/%s/delete/' % (agenda.pk, resource.pk) not in resp.text |
563 | ||
564 | ||
565 |
def test_resource_access_permission(app, manager_user): |
|
566 |
agenda = Agenda.objects.create(label='Foo Bar', kind='meetings') |
|
567 |
resource = Resource.objects.create(label='Resource 1', agenda=agenda) |
|
568 |
resource2 = Resource.objects.create(label='Resource 2') |
|
569 |
agenda.resources.add(resource) |
|
570 | ||
571 |
app = login(app, username='manager', password='manager') |
|
572 |
assert app.get('/manage/resource/%s/' % resource.pk, status=403) |
|
573 |
assert app.get('/manage/resource/%s/' % resource2.pk, status=403) |
|
574 | ||
575 |
agenda.edit_role = manager_user.groups.all()[0] |
|
576 |
agenda.save() |
|
577 | ||
578 |
resp = app.get('/manage/agendas/%s/settings' % agenda.pk) |
|
579 |
resp = resp.click('Resource 1') |
|
580 |
assert 'Edit' not in resp.text |
|
581 |
assert 'Delete' not in resp.text |
|
582 | ||
583 |
assert resp.click('Month view') |
|
584 |
assert resp.click('Day view') |
|
585 | ||
586 |
assert app.get('/manage/resource/%s/' % resource2.pk, status=403) |
|
563 |
- |
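Review bot: `assert 'Edit' not in resp.text` and `assert 'Delete' not in resp.text` test for bare words that may legitimately occur elsewhere on the page, so they can fail on unrelated markup or pass for the wrong reason; the assertions just above this function check for the action URL instead, and the same approach here would be `assert reverse('chrono-manager-resource-edit', kwargs={'pk': resource.pk}) not in resp.text` (and likewise for the delete view). More importantly, the test never requests the edit or delete URL as the non-staff editor, so a regression in those views' own `is_staff` check would go unnoticed — add a direct `app.get(<edit url>, status=403)` and `app.get(<delete url>, status=403)` after the link assertions. The function `test_resource_access_permission` is complete within the hunk.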