def edit_product(request, id=None): stuff = request.user if not has_permission(stuff, 'edit_product') and not has_permission(stuff, 'change_status'): messages.warning(request, 'You have no permission to edit product') return HttpResponseRedirect(reverse("products:about", kwargs={'id':id})) product = get_object_or_404(Product, id=id) role = get_user_role(stuff) if role.title == 'zavsklad': form = ProductForm(request.POST or None, request.FILES or None, instance=product) elif product.status == 'out of stock': form = ProductFormStatus(request.POST or None, instance=product) else: messages.warning(request, 'You can change product status only if it is "out of stock"') return HttpResponseRedirect(reverse("products:about", kwargs={'id':id})) context = { "form": form, } if form.is_valid(): status = form.cleaned_data.get('status') if role.title == 'postavshik' and status != 'comming soon' and status != 'out of stock': messages.warning(request, 'You can change only to comming soon') return render(request, 'add_product.html', context) old_product = product product = form.save(commit=False) log = ProductHistory( changed_by=request.user, product_id=product.id, product_title = product.title, old_title = old_product.title, old_content = old_product.content, old_image = old_product.image, old_quantity = old_product.quantity, old_price = old_product.price, old_status = old_product.status, new_title = product.title, new_content = product.content, new_image = product.image, new_quantity = product.quantity, new_price = product.price, new_status = product.status,) product.save() log.save() # print log.product_changes messages.info(request, "Successfully changed!") # return HttpResponseRedirect(product.get_absolute_url()) return redirect(reverse("products:about", kwargs={"id":product.id})) return render(request, 'add_product.html', context)
def user_cantons(user): if user.pk in _user_cantons: return _user_cantons[user.pk] if has_permission(user, 'cantons_all'): _user_cantons[user.pk] = DV_STATES return _user_cantons[user.pk] if has_permission(user, 'cantons_mine'): _user_cantons[user.pk] = [ m.canton for m in user.managedstates.all() ] return _user_cantons[user.pk] raise LookupError("No user cantons")
def create_user(request): stuff = request.user if not has_permission(stuff, 'create_user'): messages.warning(request, 'You have no permission to create user') return HttpResponseRedirect(reverse("hr:list")) form = CreateUserForm(request.POST or None) print request.POST print 'pass', request.POST.get('password') print 'pass2', request.POST.get('verification') if form.is_valid(): username = form.cleaned_data.get('username') password = form.cleaned_data.get('password') verification = form.cleaned_data.get('verification') image = request.FILES.get('image') role = form.cleaned_data.get('role') print username, password, verification print 'here is ', image user = User.objects.create_user(username=username, password=password) profile = UserProfile( user=user, role=role, image=image, ) profile.save() if role == 'zavsklad': Zavsklad.assign_role_to_user(user) if role == 'postavshik': Postavshik.assign_role_to_user(user) if role == 'sotrudnik': Sotrudnik.assign_role_to_user(user) role = get_user_role(user) user.role = role.title print has_permission(user, 'create_product') print form.cleaned_data.get('role') print role.title print 'user.role', user.role return HttpResponseRedirect(reverse("hr:about", kwargs={'id': user.id})) context = { 'form': form, } return render(request, 'create_user.html', context)
def wrapper(request, *args, **kwargs): user = request.user if user.is_authenticated(): if has_permission(user, permission_name): return dispatch(request, *args, **kwargs) raise PermissionDenied
def wrapper(request, *args, **kwargs): if get_state().current == 1: if not (has_role(request.user, ['staff', 'dev', 'selection']) or has_permission(request.user, 'edit_applicants')): raise Http404('App not available until later.') return f(request, *args, **kwargs)
def edit_info(request, name): user_info = McUser.objects.get(norm_name=normalize_name(name)) if not user_info.user.id == request.user.id and not has_permission(request.user, 'edit_all_info'): return redirect('edit_info', request.user.mcuser.get_link_name()) if request.method == 'POST': if has_role(request.user, 'staff'): form = McUserStaffForm(request.POST, request.FILES, instance=user_info, prefix='base') else: form = McUserForm(request.POST, request.FILES, instance=user_info, prefix='base') if (form.is_valid()): mcuser = form.save(commit=False) hidden_fields = [key.replace('checkbox_', '') for key in request.POST if key.startswith('checkbox_')] mcuser.hidden_fields = hidden_fields mcuser.save() messages.add_message( request, messages.SUCCESS, 'Changes saved! Click <a href="%s">here</a> to view profile.' % reverse('profile', args=[mcuser.get_link_name()])) update_last_updated(user_info, request.user) return redirect('edit_info', user_info.norm_name) else: if has_role(request.user, 'staff'): form = McUserStaffForm(instance=user_info, prefix='base') else: form = McUserForm(instance=user_info, prefix='base') context = { 'form': form, 'mcuser': user_info } template = 'core/edit_info.html' if has_role(user_info.user, 'staff'): template = 'core/edit_info_staff.html' return render(request, template, context)
def edit_honor(request, name): user_info = McUser.objects.get(norm_name=normalize_name(name)) if not user_info.user.id == request.user.id and not has_permission( request.user, 'edit_all_info'): return redirect('edit_honor', request.user.mcuser.norm_name) honor = Honor.objects.filter(user_id=user_info.id) if request.method == 'POST': honor_formset = HonorFormSet(request.POST, queryset=honor, initial=[{ 'user': user_info.id }]) if (honor_formset.is_valid()): honor_formset.save() messages.add_message( request, messages.SUCCESS, 'Changes saved! Click <a href="%s">here</a> to view profile.' % reverse('profile', args=[user_info.get_link_name()])) update_last_updated(user_info, request.user) return redirect('edit_honor', user_info.norm_name) else: honor_formset = HonorFormSet(queryset=honor, initial=[{ 'user': user_info.id }]) context = {'honor_formset': honor_formset, 'mcuser': user_info} return render(request, 'core/edit_honor.html', context)
def add_product(request): stuff = request.user if not has_permission(stuff, 'create_product'): messages.warning(request, 'You have no permission to add product') return HttpResponseRedirect(reverse("products:list")) form = ProductForm(request.POST or None, request.FILES or None) context = { 'form': form } if form.is_valid(): product = form.save(commit=False) product.save() log = ProductHistory( changed_by=request.user, product_id=product.id, product_title=product.title, create_action=True) log.save() print log.product_changes() # return reverse("products:list") messages.success(request, "Successfully created!") return HttpResponseRedirect(reverse("products:about", kwargs={"id":product.id})) return render(request, 'add_product.html', context)
def can_advance_search(role, user, program): """ Determines whether a user can perform an advanced search on a specific program. """ return (has_permission(user, Permissions.CAN_ADVANCE_SEARCH) and Role.objects.filter( user=user, role=role.ROLE_ID, program=program).exists())
def sell_product(request, id=None): stuff = request.user if not has_permission(stuff, 'sell_product'): messages.warning(request, 'You have no permission to sell product') return HttpResponseRedirect(reverse("products:about", kwargs={'id':id})) product = get_object_or_404(Product, id=id) quantity = int(request.POST.get('quantity')) if quantity > product.quantity: messages.warning(request, 'Can not sell more than %s' % product.quantity) # return redirect(reverse("products:sell", kwargs={"id":product.id})) return redirect(reverse("products:about", kwargs={"id":product.id})) product.quantity -= quantity if product.quantity == 0: product.status = 'out of stock' product.save() messages.success(request, "Successfully sold!") log = ProductHistory( product_id = id, changed_by = request.user, sell_action=True, sold=quantity,) log.save() return redirect(reverse("products:about", kwargs={"id":product.id}))
def can_message_learners(role, user, program): """ Determines whether a user can send a message to learners of a specific program. """ return (has_permission(user, Permissions.CAN_MESSAGE_LEARNERS) and Role.objects.filter( user=user, role=role.ROLE_ID, program=program).exists())
def wrapper(request, *args, **kwargs): user = request.user if user.is_authenticated(): if has_permission(user, permission_name): return dispatch(request, *args, **kwargs) if hasattr(settings, 'ROLEPERMISSIONS_REDIRECT_TO_LOGIN'): return redirect_to_login(request.get_full_path()) raise PermissionDenied
def assert_standard_role_permissions(self, expected_bool, program=None): """ Helper function to assert role and permissions assignment """ assert isinstance(expected_bool, bool) assert has_role(self.user, 'staff') is expected_bool assert has_permission(self.user, 'can_advance_search') is expected_bool assert has_object_permission('can_advance_search', self.user, program or self.program) is expected_bool
def delete_product(request, id=None): stuff = request.user if not has_permission(stuff, 'delete_product'): messages.warning(request, 'You have no permission to delete product') return HttpResponseRedirect(reverse("products:about", kwargs={'id':id})) product = get_object_or_404(Product, id=id) product.delete() messages.warning(request, "Successfully deleted!") return HttpResponseRedirect(reverse("products:list"))
def get_form_kwargs(self): kwargs = super(UserSelfAccessMixin, self).get_form_kwargs() if has_permission(self.request.user, self.required_permission): kwargs['allow_email'] = True try: kwargs['cantons'] = user_cantons(self.request.user) except LookupError: pass return kwargs
def delete_user(request, id=None): stuff = request.user if not has_permission(stuff, 'delete_user'): messages.warning(request, 'You have no permission to delete user') return HttpResponseRedirect(reverse("hr:list")) user = get_object_or_404(User, id=id) messages.success(request, "%s succesfully deleted" % user.username) user.delete() return HttpResponseRedirect(reverse('hr:list'))
def get_context_data(self, **kwargs): context = super(HomeView, self).get_context_data(**kwargs) articles_qs = Article.objects if not has_permission(self.request.user, 'home_article_crud'): articles_qs = articles_qs.filter(published=True) context['articles'] = articles_qs.order_by('-modified')[:5] # Add our menu_category context context['menu_category'] = 'home' return context
def get_success_url(self): if has_permission(self.request.user, 'challenge_season_crud'): return reverse_lazy('season-availabilities', kwargs={'pk': self.season.pk}) else: return reverse_lazy('season-availabilities-update', kwargs={ 'pk': self.season.pk, 'helperpk': self.request.user.pk, })
def dispatch(self, request, bypassperm=False, *args, **kwargs): if ( bypassperm or # Soit j'ai le droit has_permission(request.user, self.required_permission) ): return ( super(SeasonUpdateView, self) .dispatch(request, *args, **kwargs) ) else: raise PermissionDenied
def available_perm_status(user): from rolepermissions.verifications import has_permission role = get_user_role(user) permission_names = role.permission_names_list() permission_hash = {} for permission_name in permission_names: permission_hash[permission_name] = has_permission(user, permission_name) return permission_hash
def dispatch(self, request, *args, **kwargs): edit = kwargs.pop('edit', False) try: usercantons = user_cantons(request.user) except LookupError: usercantons = False user = self.get_object() if ( # Soit c'est moi request.user.pk == user.pk or # Soit j'ai le droit sur tous les cantons has_permission(request.user, 'cantons_all') or # Soit il est dans mes cantons et j'ai droit ( usercantons and ( # Il est dans mes cantons d'affiliation user.profile.affiliation_canton in usercantons or ( # Je ne fais que le consulter et il est dans mes # cantons d'activité not edit and user.profile.activity_cantons and len( set(user.profile.activity_cantons) .intersection(usercantons) ) != 0 ) ) and has_permission(request.user, self.required_permission) ) ): return ( super(UserSelfAccessMixin, self) .dispatch(request, *args, **kwargs) ) else: raise PermissionDenied
def test_does_not_creates_if_permission_does_not_exists_in_role(self): user = self.user Role1.assign_role_to_user(user) self.assertFalse(has_permission(user, 'different_permission')) try: permission = UserPermission.objects.get(user=user, permission_name='different_permission') except: permission = None self.assertIsNone(permission)
def form_valid(self, form): ret = super(ProfileMixin, self).form_valid(form) """ Write the non-model fields """ try: user = self.object except AttributeError: user = self.get_object() update_profile_fields = PERSONAL_FIELDS # if the edit user has access, extend the update_profile_fields if has_permission(self.request.user, 'user_crud_dv_public_fields'): update_profile_fields += DV_PUBLIC_FIELDS if has_permission(self.request.user, 'user_crud_dv_private_fields'): update_profile_fields += DV_PRIVATE_FIELDS (userprofile, created) = ( UserProfile.objects.get_or_create(user=user) ) for field in update_profile_fields: if field in form.cleaned_data: # For field updates that have date markers, note them properly if field in ['status', 'bagstatus']: oldstatus = int(getattr(userprofile, field)) try: newstatus = int(form.cleaned_data[field]) except ValueError: newstatus = 0 if oldstatus != newstatus: setattr(userprofile, '%s_updatetime' % field, timezone.now() ) setattr(userprofile, field, form.cleaned_data[field]) userprofile.save() return ret
def test_creates_permission_when_not_existent(self): user = self.user class Role4(AbstractUserRole): available_permissions = { 'the_permission': True } RolesManager.register_role(Role4) Role4.assign_role_to_user(user) Role4.available_permissions = { 'different_one': True } self.assertTrue(has_permission(user, 'different_one')) permission = UserPermission.objects.get(user=user, permission_name='different_one') self.assertTrue(permission.is_granted)
def dispatch(self, request, *args, **kwargs): if ( # Check that the request user is alone in the potential_helpers ( True in [ [request.user.pk] == [u.pk for u in users] for (cat, users) in self.potential_helpers() ] ) or # Soit j'ai le droit has_permission(request.user, self.required_permission) ): return ( super(SeasonAvailabilityMixin, self) .dispatch(request, bypassperm=True, *args, **kwargs) ) else: raise PermissionDenied
def edit_edu(request, name): user_info = McUser.objects.get(norm_name=normalize_name(name)) if not user_info.user.id == request.user.id and not has_permission(request.user, 'edit_all_info'): return redirect('edit_edu', request.user.mcuser.norm_name) degrees = Degree.objects.filter(user_id=user_info.id) if request.method == 'POST': degrees_formset = DegreeFormSet(request.POST, queryset=degrees, initial=[{'user': user_info.id}]) if (degrees_formset.is_valid()): degrees_formset.save() messages.add_message( request, messages.SUCCESS, 'Changes saved! Click <a href="%s">here</a> to view profile.' % reverse('profile', args=[user_info.get_link_name()])) update_last_updated(user_info, request.user) return redirect('edit_edu', user_info.norm_name) else: degrees_formset = DegreeFormSet(queryset=degrees, initial=[{'user': user_info.id}]) context = { 'degrees_formset': degrees_formset, 'mcuser': user_info } return render(request, 'core/edit_edu.html', context)
def edit_info(request, name): user_info = McUser.objects.get(norm_name=normalize_name(name)) if not user_info.user.id == request.user.id and not has_permission( request.user, 'edit_all_info'): return redirect('edit_info', request.user.mcuser.get_link_name()) if request.method == 'POST': if has_role(request.user, 'staff'): form = McUserStaffForm(request.POST, request.FILES, instance=user_info, prefix='base') else: form = McUserForm(request.POST, request.FILES, instance=user_info, prefix='base') if (form.is_valid()): mcuser = form.save(commit=False) hidden_fields = [ key.replace('checkbox_', '') for key in request.POST if key.startswith('checkbox_') ] mcuser.hidden_fields = hidden_fields mcuser.save() messages.add_message( request, messages.SUCCESS, 'Changes saved! Click <a href="%s">here</a> to view profile.' % reverse('profile', args=[mcuser.get_link_name()])) update_last_updated(user_info, request.user) return redirect('edit_info', user_info.norm_name) else: if has_role(request.user, 'staff'): form = McUserStaffForm(instance=user_info, prefix='base') else: form = McUserForm(instance=user_info, prefix='base') context = {'form': form, 'mcuser': user_info} template = 'core/edit_info.html' if has_role(user_info.user, 'staff'): template = 'core/edit_info_staff.html' return render(request, template, context)
def has_permission(self, request, view): """ Returns True if the user has the 'can_advance_search' permission. """ return has_permission(request.user, Permissions.CAN_ADVANCE_SEARCH)
def test_user_with_no_role(self): user = mommy.make(get_user_model()) self.assertFalse(has_permission(user, 'permission1'))
def test_revoke_revoked_permission(self): user = self.user self.assertTrue(revoke_permission(user, 'permission4')) self.assertFalse(has_permission(user, 'permission4'))
def test_grat_granted_permission(self): user = self.user self.assertTrue(grant_permission(user, 'permission3')) self.assertTrue(has_permission(user, 'permission3'))
def test_none_user_param(self): self.assertFalse(has_permission(None, 'ver_role1'))
def test_not_existent_permission(self): user = self.user self.assertFalse(has_permission(user, 'not_a_permission'))
def test_revoke_permission(self): user = self.user self.assertTrue(revoke_permission(user, 'permission3')) self.assertFalse(has_permission(user, 'permission3'))
def has_role_template_tag(user, role): return has_permission(user, role)
def has_permission(self, request, view): """ Returns True if the user has the 'can_message_learners' permission. """ return has_permission(request.user, Permissions.CAN_MESSAGE_LEARNERS)
def test_dos_not_have_Role1_permission(self): user = self.user Role1.assign_role_to_user(user) self.assertFalse(has_permission(user, 'permission3'))
def test_has_VerRole1_permission(self): user = self.user self.assertTrue(has_permission(user, 'permission1'))
def test_dos_not_have_VerRole1_permission(self): user = self.user VerRole1.assign_role_to_user(user) self.assertFalse(has_permission(user, 'permission3'))
def choices_for_request(self): self.choices = self.get_choices() if has_permission(self.request.user, self.required_permission): return super(PersonAutocomplete, self).choices_for_request() else: raise PermissionDenied
def test_has_Role1_permission(self): user = self.user self.assertTrue(has_permission(user, 'permission1'))