added missing/incomplete permissions to views
+22
-32
@@ -12,7 +12,7 @@ from accounts.forms import LoginForm, RegisterForm, UserChangePasswordForm, User
|
||||
from accounts.models import DepotUser
|
||||
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.contrib.auth.mixins import AccessMixin, LoginRequiredMixin
|
||||
from django.contrib.auth.mixins import AccessMixin, LoginRequiredMixin, UserPassesTestMixin
|
||||
|
||||
|
||||
# Create your views here.
|
||||
@@ -28,27 +28,21 @@ class DepotLoginView(LoginView):
|
||||
def is_company_admin(user):
|
||||
return user.is_authenticated and user.is_company_admin
|
||||
|
||||
@method_decorator(login_required, name='dispatch')
|
||||
class RegisterView(AccessMixin, FormView):
|
||||
|
||||
class RegisterView(LoginRequiredMixin, UserPassesTestMixin, FormView):
|
||||
template_name = 'registration/register.html'
|
||||
form_class = RegisterForm
|
||||
# model = get_user_model()
|
||||
success_url = reverse_lazy('dashboard')
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
user: DepotUser = request.user
|
||||
|
||||
if not (user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN):
|
||||
return self.handle_no_permission()
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
def test_func(self):
|
||||
user = self.request.user
|
||||
return user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN
|
||||
|
||||
def form_valid(self, form):
|
||||
# Create user from form data
|
||||
user = form.save(commit=False)
|
||||
user_type = form.cleaned_data['user_type']
|
||||
user.save()
|
||||
|
||||
# Clear irrelevant permissions based on user type
|
||||
if user_type == DepotUser.UserType.CLIENT:
|
||||
user.employee_permissions.clear()
|
||||
user.company_permissions.set(form.cleaned_data['company_permissions'])
|
||||
@@ -90,17 +84,15 @@ class RegisterView(AccessMixin, FormView):
|
||||
|
||||
return form
|
||||
|
||||
class UserListView(ListView):
|
||||
class UserListView(LoginRequiredMixin, UserPassesTestMixin, ListView):
|
||||
template_name = 'registration/user-list.html'
|
||||
model = get_user_model()
|
||||
context_object_name = 'objects'
|
||||
paginate_by = 20 # Number of containers per page
|
||||
# base_template = 'employee-base.html'
|
||||
paginate_by = 20
|
||||
|
||||
# def get_context_data(self, **kwargs):
|
||||
# context = super().get_context_data(**kwargs)
|
||||
# context['base_template'] = self.base_template
|
||||
# return context
|
||||
def test_func(self):
|
||||
user = self.request.user
|
||||
return user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN
|
||||
|
||||
def get_queryset(self):
|
||||
queryset = super().get_queryset()
|
||||
@@ -111,7 +103,6 @@ class UserListView(ListView):
|
||||
if data_filter != 'all':
|
||||
queryset = queryset.filter(is_active=True)
|
||||
|
||||
# Filter users based on permissions
|
||||
if user.is_superuser:
|
||||
return queryset.all()
|
||||
elif user.user_type == DepotUser.UserType.COMPANY_ADMIN:
|
||||
@@ -119,18 +110,15 @@ class UserListView(ListView):
|
||||
else:
|
||||
return queryset.none()
|
||||
|
||||
class UserUpdateView(UpdateView):
|
||||
class UserUpdateView(LoginRequiredMixin, UserPassesTestMixin, UpdateView):
|
||||
template_name = 'registration/register.html'
|
||||
form_class = UserEditForm
|
||||
model = get_user_model()
|
||||
success_url = reverse_lazy('user_list')
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
user: DepotUser = request.user
|
||||
|
||||
if not (user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN):
|
||||
return self.handle_no_permission()
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
def test_func(self):
|
||||
user = self.request.user
|
||||
return user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN
|
||||
|
||||
def form_valid(self, form):
|
||||
user = form.save(commit=False)
|
||||
@@ -175,14 +163,16 @@ class UserUpdateView(UpdateView):
|
||||
|
||||
return form
|
||||
|
||||
class UserActiveView(LoginRequiredMixin, View):
|
||||
class UserActiveView(LoginRequiredMixin, UserPassesTestMixin, View):
|
||||
success_url = reverse_lazy('user_list')
|
||||
|
||||
def test_func(self):
|
||||
user = self.request.user
|
||||
return user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN
|
||||
|
||||
|
||||
def post(self, request, pk, *args, **kwargs):
|
||||
user = request.user
|
||||
if not (user.is_superuser or getattr(user, 'user_type', None) == DepotUser.UserType.COMPANY_ADMIN):
|
||||
return HttpResponseForbidden("You do not have permission to perform this action.")
|
||||
|
||||
target_user = get_object_or_404(get_user_model(), pk=pk)
|
||||
if target_user == user:
|
||||
return HttpResponseForbidden("You cannot change your own active status.")
|
||||
@@ -192,7 +182,7 @@ class UserActiveView(LoginRequiredMixin, View):
|
||||
return JsonResponse({'success': True, 'is_active': target_user.is_active})
|
||||
|
||||
|
||||
class CustomPasswordChangeView(PasswordChangeView):
|
||||
class CustomPasswordChangeView(LoginRequiredMixin, PasswordChangeView):
|
||||
template_name = 'registration/change_password.html'
|
||||
|
||||
def get_success_url(self):
|
||||
|
||||
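Review bot: The new `test_func` on `UserUpdateView` and `UserActiveView` checks only the caller's role, so a company admin passes it for any `pk`; in `UserActiveView.post` the target is fetched with `get_object_or_404(get_user_model(), pk=pk)` and the only visible object-level guard is `target_user == user`, while `UserUpdateView` shows no `get_queryset`/`get_object` in its hunk (the class body continues outside it). Unless code outside these hunks scopes the target to the admin's company, the role check should be paired with an object-level one, e.g. a `get_queryset` on `UserUpdateView` that reuses the company filter `UserListView.get_queryset` already applies for `COMPANY_ADMIN`, and the same restriction on the lookup in `post`. Separately, the predicate `user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN` is now repeated in four `test_func`s plus the inline check in `post` (which reads `getattr(user, 'user_type', None)` while the others access the attribute directly), and the existing `is_company_admin` helper at the top of the file is not used by any of them; defining the check once in a shared mixin keeps the views from drifting apart.
```python
class CompanyAdminRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):
    """Allow superusers and company admins; LoginRequiredMixin handles anonymous users first."""

    def test_func(self):
        user = self.request.user
        return user.is_superuser or user.user_type == DepotUser.UserType.COMPANY_ADMIN


class RegisterView(CompanyAdminRequiredMixin, FormView):
    # … unchanged: template_name, form_class, success_url, form_valid …
```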