def finaid_download_csv(request):
# Download financial aid application data as a .CSV file
if not is_reviewer(request.user):
return HttpResponseForbidden(_(u"Not authorized for this page"))
# Fields to include
application_field_names = ['id'] + [
name for name in get_names_of_fields(FinancialAidApplication)
if name not in ['id', 'review']
] + ['email', 'user']
reviewdata_field_names = [
name for name in get_names_of_fields(FinancialAidReviewData)
if name not in ['application', 'id', 'last_update']
]
# For these fields, use the get_FIELDNAME_display() method so we get
# the name of the choice (or other custom string) instead of the internal value
use_display_method = [
'cash_check',
'last_update',
'presenting',
'status',
'travel_cash_check',
]
def get_value(name, object):
# Get a value from an application or review, using get_NAME_display
# if appropriate, then forcing to a unicode string and encoding in
# UTF-8 for CSV
if name in use_display_method:
display_method = getattr(object, "get_%s_display" % name)
value = display_method()
elif name == 'email':
value = object.user.email
else:
value = getattr(object, name)
return unicode(value).encode('utf-8')
response = HttpResponse(content_type='text/csv')
response[
'Content-Disposition'] = 'attachment; filename="financial_aid.csv"'
writer = csv.DictWriter(response,
fieldnames=application_field_names +
reviewdata_field_names)
writer.writeheader()
default_review_data = FinancialAidReviewData()
apps = FinancialAidApplication.objects.all().select_related('review')
for application in apps.order_by('pk'):
# They won't all have review data, so use the default values if they don't
try:
review = application.review
except FinancialAidReviewData.DoesNotExist:
review = default_review_data
# Write the data for this application.
data = {}
for name in application_field_names:
data[name] = get_value(name, application)
for name in reviewdata_field_names:
data[name] = get_value(name, review)
writer.writerow(data)
return response
def finaid_review(request, pks=None):
"""Starting view for reviewers - list the applications"""
# On a POST the pks are in the form.
# On a GET there might be pks in the URL.
if not is_reviewer(request.user):
return HttpResponseForbidden(_(u"Not authorized for this page"))
if request.method == 'POST':
# They want to do something to bulk applicants
# Find the checkboxes they checked
regex = re.compile(r'^finaid_application_(.*)$')
pk_list = []
for field_name in request.POST:
m = regex.match(field_name)
if m:
pk_list.append(m.group(1))
if not pk_list:
messages.add_message(request, messages.ERROR,
_(u"Please select at least one application"))
return redirect(request.path)
if 'email_action' in request.POST:
# They want to email applicants
pks = ",".join(pk_list)
return redirect('finaid_email', pks=pks)
elif 'message_action' in request.POST:
# They want to attach a message to applications
pks = ",".join(pk_list)
return redirect('finaid_message', pks=pks)
elif 'status_action' in request.POST:
# They want to change applications' statuses
applications = FinancialAidApplication.objects.filter(pk__in=pk_list)\
.select_related('review')
status = int(request.POST['status'])
count = 0
for application in applications:
try:
review = application.review
except FinancialAidReviewData.DoesNotExist:
review = FinancialAidReviewData(application=application)
if review.status != status:
review.status = status
review.save()
count += 1
messages.info(
request, "Updated %d application status%s" %
(count, "" if count == 1 else "es"))
pks = ",".join(pk_list)
return redirect(reverse('finaid_review', kwargs=dict(pks=pks)))
else:
messages.error(request, "WHAT?")
else:
# GET - pks are in the URL. maybe.
pk_list = pks.split(",") if pks else []
return render(
request, "finaid/application_list.html", {
"applications":
FinancialAidApplication.objects.all().select_related('review'),
"status_options":
STATUS_CHOICES,
"pks": [int(pk) for pk in pk_list],
})
def put(self, request, application_id):
if not request.user.is_staff and not request.user.is_superuser:
return HttpResponseForbidden()
html = request.data["html"]
pdf_content = self.generate_pdf(html)
return self.create_download_response(pdf_content)
def finaid_review_detail(request, pk):
"""Review a particular application"""
application = get_object_or_404(FinancialAidApplication, pk=pk)
# Redirect a a reviewer who is attempting to access FA application detail
# page to their edit page
if is_reviewer(request.user) and request.user == application.user:
return redirect("finaid_edit")
if not is_reviewer(request.user):
# Redirect a non reviewer to their FA edit page
if has_application(request.user):
return redirect("finaid_edit")
return HttpResponseForbidden(_(u"Not authorized for this page"))
try:
review_data = application.review
except FinancialAidReviewData.DoesNotExist:
review_data = FinancialAidReviewData(application=application)
message_form = None
review_form = None
if request.method == 'POST':
if 'message_submit' in request.POST:
message = FinancialAidMessage(user=request.user,
application=application)
message_form = ReviewerMessageForm(request.POST, instance=message)
if message_form.is_valid():
message = message_form.save()
# Send notice to the reviewers alias
# If the message is visible, also send to the applicant
context = email_context(request, application, message)
# Notify reviewers
send_email_message("reviewer/message",
from_=request.user.email,
to=[email_address()],
context=context)
# If visible to applicant, notify them as well
if message.visible:
send_email_message("applicant/message",
from_=request.user.email,
to=[application.user.email],
context=context)
messages.add_message(
request, messages.INFO,
_(u"Message has been added to the application, "
u"and recipients notified by email."))
return redirect(request.path)
elif 'review_submit' in request.POST:
review_form = FinancialAidReviewForm(request.POST,
instance=review_data)
if review_form.is_valid():
review_data = review_form.save()
return redirect(reverse("finaid_review"))
else:
log.error("finaid_review_detail posted with unknown form: %r" %
request.POST)
return HttpResponseForbidden("HEY WHY WAS THIS POSTED")
# Create initial forms if needed
message_form = message_form or ReviewerMessageForm()
review_form = review_form or FinancialAidReviewForm(instance=review_data)
context = {
"application":
application,
"message_form":
message_form,
"review_form":
review_form,
"review_messages":
FinancialAidMessage.objects.filter(application=application)
}
return render(request, "finaid/review.html", context)
def post(self, request, *args, **kwargs):
if request.user.is_authenticated:
return HttpResponseForbidden()
return super().post(self, request, *args, **kwargs)
def __call__(self, request):
auth_header = request.META.get("HTTP_AUTHORIZATION", None)
webtoken = request.GET.get("webtoken", None)
if auth_header or webtoken:
try:
if auth_header:
auth = auth_header.split()
authmethod = auth[0].lower()
else:
authmethod = None
if authmethod == "basic":
# Basic authentication
auth = base64.b64decode(
auth[1]).decode("iso-8859-1").partition(":")
user = authenticate(username=auth[0], password=auth[2])
if user and user.is_active:
# Active user
request.api = True # TODO I think this is no longer used
login(request, user)
request.user = user
elif authmethod == "bearer" or webtoken:
# JWT webtoken authentication
decoded = None
for secret in (
getattr(settings, "AUTH_SECRET_KEY", None),
settings.DATABASES[request.database].get(
"SECRET_WEBTOKEN_KEY", settings.SECRET_KEY),
):
if secret:
try:
decoded = jwt.decode(
webtoken or auth[1],
secret,
algorithms=["HS256"],
)
except jwt.exceptions.InvalidTokenError:
pass
if not decoded:
logger.error("Missing or invalid webtoken")
return HttpResponseForbidden(
"Missing or invalid webtoken")
try:
if "user" in decoded:
user = User.objects.get(username=decoded["user"])
elif "email" in decoded:
user = User.objects.get(email=decoded["email"])
else:
logger.error("No user or email in webtoken")
return HttpResponseForbidden(
"No user or email in webtoken")
except User.DoesNotExist:
logger.error("Invalid user in webtoken")
messages.add_message(request, messages.ERROR,
"Unknown user")
return HttpResponseRedirect("/data/login/")
user.backend = settings.AUTHENTICATION_BACKENDS[0]
login(request, user)
MultiDBBackend.getScenarios(user)
request.user = user
if not decoded.get("navbar", True):
request.session["navbar"] = False
if decoded.get("xframe_options_exempt", True):
request.session["xframe_options_exempt"] = True
except Exception as e:
logger.warn(
"silently ignoring exception in http authentication: %s" %
e)
response = self.get_response(request)
return response
def post(self, request, *args, **kwargs):
data = {}
if hasattr(request, 'POST'):
data = request.POST
elif hasattr(request, 'DATA'):
data = request.DATA
allow = False
# Check permissions
username = data.get('username')
client_id = data.get('clientid')
acc = int(data.get('acc')) # 1 == sub, 2 == pub
# get topic and remove first '/'
topic = data.get('topic').split('/')
if len(topic) > 0 and topic[0] == '':
del topic[0]
try:
# get user
user = User.objects.get(username=data.get('username'),
is_active=True)
#print('topic = {}'.format(topic))
#print('user = {}'.format(user))
#print('user.hospitals = {}'.format(user.hospitals.all()))
if acc == 1:
# permission to subscribe:
# - settings
if (len(topic) == 1 and topic[0] == 'settings'):
return HttpResponse('OK')
# - user/{username}/error
# - user/{username}/profile
elif (len(topic) == 3 and topic[0] == 'user'
and topic[1] == user.username):
if (topic[2] == 'profile' or topic[2] == 'error'):
return HttpResponse('OK')
# - hospital/{hospital-id}/data
# - hospital/{hospital-id}/metadata
# - hospital/{hospital-id}/equipment/+/data
elif (len(topic) >= 3 and topic[0] == 'hospital'):
hospital_id = int(topic[1])
#print('hospital_id = {}'.format(hospital_id))
# is user authorized?
try:
perm = user.profile.hospitals.get(hospital=hospital_id)
if (perm.can_read and
((len(topic) == 3 and topic[2] == 'data') or
(len(topic) == 3 and topic[2] == 'metadata') or
(len(topic) == 5 and topic[2] == 'equipment'
and topic[4] == 'data'))):
return HttpResponse('OK')
except ObjectDoesNotExist:
pass
# - ambulance/{ambulance-id}/data
elif (len(topic) == 3 and topic[0] == 'ambulance'
and topic[2] == 'data'):
ambulance_id = int(topic[1])
#print('ambulance_id = {}'.format(ambulance_id))
# is user authorized?
try:
perm = user.profile.ambulances.get(
ambulance=ambulance_id)
if perm.can_read:
return HttpResponse('OK')
except ObjectDoesNotExist:
pass
elif acc == 2:
# permission to publish:
if (len(topic) >= 3 and topic[0] == 'user'
and topic[1] == user.username):
# - user/{username}/error
if (len(topic) == 3 and topic[2] == 'error'):
return HttpResponse('OK')
# - user/{username}/ambulance/{ambulance-id}/data
elif (len(topic) == 5 and topic[2] == 'ambulance'
and topic[4] == 'data'):
ambulance_id = int(topic[3])
#print('ambulance_id = {}'.format(ambulance_id))
# is user authorized?
try:
perm = user.profile.ambulances.get(
ambulance=ambulance_id)
if perm.can_write:
return HttpResponse('OK')
except ObjectDoesNotExist:
pass
# - user/{username}/hospital/{hospital-id}/data
# - user/{username}/hospital/{hospital-id}/equipment/+/data
elif (
(len(topic) == 5 and topic[2] == 'hospital'
and topic[4] == 'data') or
(len(topic) == 7 and topic[2] == 'hospital'
and topic[4] == 'equipment' and topic[6] == 'data')):
hospital_id = int(topic[3])
#print('hospital_id = {}'.format(hospital_id))
# is user authorized?
try:
perm = user.profile.hospitals.get(
hospital=hospital_id)
if perm.can_write:
return HttpResponse('OK')
except ObjectDoesNotExist:
pass
# - user/{username}/client/{client-id}/status
elif (len(topic) == 5 and topic[2] == 'client'
and topic[4] == 'status' and topic[3] == client_id):
return HttpResponse('OK')
except User.DoesNotExist:
pass
return HttpResponseForbidden()
def delete_detail(self, object_list, bundle):
if not self.delete_list(object_list, bundle).filter(pk=bundle.obj.pk).exists():
raise ImmediateHttpResponse(HttpResponseForbidden('you have no permission to delete flows'))
return True
def container_post(request):
'''
Proxies the grading result from inside container to A+
'''
sid = request.POST.get("sid", None)
if not sid:
return HttpResponseForbidden("Missing sid")
meta = read_and_remove_submission_meta(sid)
if meta is None:
return HttpResponseForbidden("Invalid sid")
#clean_submission_dir(meta["dir"])
data = {
"points": int(request.POST.get("points", 0)),
"max_points": int(request.POST.get("max_points", 1)),
}
for key in ["error", "grading_data"]:
if key in request.POST:
data[key] = request.POST[key]
if "error" in data and data["error"].lower() in ("no", "false"):
del data["error"]
feedback = request.POST.get("feedback", "")
# Fetch the corresponding exercise entry from the config.
lang = meta["lang"]
(course, exercise) = config.exercise_entry(meta["course_key"],
meta["exercise_key"],
lang=lang)
if "feedback_template" in exercise:
# replace the feedback with a rendered feedback template if the exercise is configured to do so
# it is not feasible to support all of the old feedback template variables that runactions.py
# used to have since the grading actions are not configured in the exercise YAML file anymore
required_fields = {'points', 'max_points', 'error', 'out'}
result = MonitoredDict({
"points": data["points"],
"max_points": data["max_points"],
"out": feedback,
"error": data.get("error", False),
"title": exercise.get("title", ""),
})
translation.activate(lang)
feedback = template_to_str(course,
exercise,
None,
exercise["feedback_template"],
result=result)
if result.accessed.isdisjoint(required_fields):
alert = template_to_str(
course, exercise, None,
"access/feedback_template_did_not_use_result_alert.html")
feedback = alert + feedback
# Make unicode results ascii.
feedback = feedback.encode("ascii", "xmlcharrefreplace")
data["feedback"] = feedback
if not post_data(meta["url"], data):
write_submission_meta(sid, meta)
return HttpResponse("Failed to deliver results", status=502)
return HttpResponse("Ok")
def dashboard_index(request):
if not request.user.has_perm("django_sql_dashboard.execute_sql"):
return HttpResponseForbidden(
"You do not have permission to execute SQL")
sql_queries = []
too_long_so_use_post = False
save_form = SaveDashboardForm(prefix="_save")
if request.method == "POST":
# Is this an export?
if any(k for k in request.POST.keys() if k.startswith("export_")
) and request.user.has_perm("django_sql_dashboard.execute_sql"):
if not getattr(settings, "DASHBOARD_ENABLE_FULL_EXPORT", None):
return HttpResponseForbidden(
"The export feature is not enabled")
return export_sql_results(request)
sqls = [sql for sql in request.POST.getlist("sql") if sql.strip()]
saving = False
# How about a save?
if request.POST.get("_save-slug"):
save_form = SaveDashboardForm(request.POST, prefix="_save")
saving = True
if save_form.is_valid():
dashboard = save_form.save(commit=False)
dashboard.owned_by = request.user
dashboard.save()
for sql in sqls:
dashboard.queries.create(sql=sql)
return HttpResponseRedirect(dashboard.get_absolute_url())
# Convert ?sql= into signed values and redirect as GET
other_pairs = [
(key, value) for key, value in request.POST.items() if key not in (
"sql", "csrfmiddlewaretoken") and not key.startswith("_save-")
]
signed_sqls = [sign_sql(sql) for sql in sqls if sql.strip()]
params = {
"sql": signed_sqls,
}
params.update(other_pairs)
redirect_path = request.path + "?" + urlencode(params, doseq=True)
# Is this short enough for us to redirect?
too_long_so_use_post = len(redirect_path) > MAX_REDIRECT_LENGTH
if not saving and not too_long_so_use_post:
return HttpResponseRedirect(redirect_path)
else:
sql_queries = sqls
unverified_sql_queries = []
for signed_sql in request.GET.getlist("sql"):
sql, signature_verified = unsign_sql(signed_sql)
if signature_verified:
sql_queries.append(sql)
else:
unverified_sql_queries.append(sql)
if getattr(settings, "DASHBOARD_UPGRADE_OLD_BASE64_LINKS", None):
redirect_querystring = check_for_base64_upgrade(sql_queries)
if redirect_querystring:
return HttpResponseRedirect(request.path + redirect_querystring)
return _dashboard_index(
request,
sql_queries,
unverified_sql_queries=unverified_sql_queries,
too_long_so_use_post=too_long_so_use_post,
extra_context={"save_form": save_form},
)
def post(self, request):
user = request.user
data = copy.deepcopy(request.data)
# Now, we post the data directly to OSM.
try:
# Split osm and extension attribute
osm_attr, locality_attr = split_osm_and_extension_attr(data['tag'])
data['tag'] = osm_attr
# Verify data uploader and owner/collector if the API is being used
# for uploading data from other osm user.
if request.user.is_staff and request.GET.get('review', None):
data['osm_user'] = get_pending_review(
request.GET.get('review')).uploader.username
if data.get('osm_user'):
is_valid, message = verify_user(user, data['osm_user'])
if not is_valid:
return HttpResponseForbidden(message)
else:
try:
user = get_object_or_404(User,
username=data['osm_user'])
except Http404:
message = 'User %s is not exist.' % data['osm_user']
return HttpResponseForbidden(message)
duplication_check = request.GET.get('duplication-check', True)
if duplication_check == 'false':
duplication_check = False
validate_osm_data(data, duplication_check=duplication_check)
# Map Healthsites tags to OSM tags
mapping_file_path = ABS_PATH('api', 'fixtures', 'mapping.yml')
data['tag'] = convert_to_osm_tag(mapping_file_path, data['tag'],
'node')
# Push data to OSM
response = create_osm_node(user, data)
# create pending index
create_pending_update('node', response['id'], data['tag']['name'],
user, response['version'])
save_extensions('node', response['id'], locality_attr)
if request.GET.get('review', None):
delete_pending_review(request.GET.get('review', None))
return Response(response)
except Exception as e:
if not request.GET.get('review', None):
if user != request.user:
create_pending_review(user, request.data, '%s' % e)
else:
try:
update_pending_review(request.GET.get('review', None),
request.data, '%s' % e)
except Exception as e:
return HttpResponseBadRequest('%s' % e)
output = {
'error': '%s' % e,
'payload': request.data,
}
return HttpResponseBadRequest('%s' % json.dumps(output))
def task(request, contest_id, task_id):
contest = get_object_or_404(models.TaskBasedContest, pk=contest_id)
if not contest.is_visible_in_list and not request.user.is_staff:
return HttpResponseNotFound()
task = get_object_or_404(tasks_models.Task, pk=task_id)
if not contest.has_task(task):
return HttpResponseNotFound()
if not contest.is_started() and not request.user.is_staff:
return HttpResponseForbidden('Contest is not started')
participant = contest.get_participant_for_user(request.user)
if not is_task_open(contest, task,
participant) and not request.user.is_staff:
return HttpResponseForbidden('Task is closed')
if request.method == 'POST' and request.user.is_authenticated():
form = tasks_forms.AttemptForm(data=request.POST)
if participant is None:
messages.warning(request, 'You are not registered to the contest')
elif participant.is_disqualified:
messages.error(request, 'You are disqualified from the contest')
elif get_count_attempts_in_last_minute(
contest, participant) >= settings.DRAPO_MAX_TRIES_IN_MINUTE:
messages.error(request, 'Too fast, try later')
elif contest.is_finished():
messages.error(request,
'Contest is finished! You are too late, sorry')
elif form.is_valid():
answer = form.cleaned_data['answer']
attempt = tasks_models.Attempt(
contest=contest,
task=task,
participant=contest.get_participant_for_user(request.user),
author=request.user,
answer=answer)
attempt.save()
attempt.try_to_check()
if not attempt.is_checked:
messages.info(request, 'We will check you answer, thank you')
elif attempt.is_correct:
messages.success(request, 'Yeah! Correct answer!')
else:
messages.error(request, 'Wrong answer, sorry')
return redirect(
urlresolvers.reverse('contests:task',
args=[contest.id, task.id]))
else:
form = tasks_forms.AttemptForm()
statement_generator = task.statement_generator
if request.user.is_anonymous(
) and not statement_generator.is_available_for_anonymous():
messages.error(
request, 'This task is not available for guests. Please sign in')
return redirect(
urlresolvers.reverse('contests:tasks', args=[contest.id]))
statement = statement_generator.generate({
'user': request.user,
'participant': participant
})
# Files can be in statement or in task for this participant
files = statement.files + list(
task.files.filter(
Q(participant__isnull=True) | Q(participant=participant)))
participant_score = max(task.attempts.filter(contest=contest_id,
participant=participant,
is_checked=True).values_list(
'score', flat=True),
default=None)
return render(
request, 'contests/task.html', {
'current_contest': contest,
'contest': contest,
'task': task,
'statement': statement,
'files': files,
'attempt_form': form,
'participant': participant,
'participant_score': participant_score,
})
def read_detail(self, object_list, bundle):
if bundle.obj not in self.read_list(object_list, bundle):
raise ImmediateHttpResponse(HttpResponseForbidden(
'you have no permission to read %s' % bundle.obj.__class__.__name__
))
return True
def view_user_timesheet(request, user_id, active_tab):
user = get_object_or_404(User, pk=user_id)
has_perm = request.user.has_perm('entries.view_entry_summary')
if not (has_perm or user.pk == request.user.pk):
return HttpResponseForbidden('Forbidden')
FormClass = UserYearMonthForm if has_perm else YearMonthForm
form = FormClass(request.GET or None)
if form.is_valid():
if has_perm:
from_date, to_date, form_user = form.save()
if form_user and request.GET.get('yearmonth', None):
url = reverse('view_user_timesheet', args=(form_user.pk, ))
request_data = {
'month': from_date.month,
'year': from_date.year,
'user': form_user.pk,
}
url += '?{0}'.format(urlencode(request_data))
return HttpResponseRedirect(url)
else:
from_date, to_date = form.save()
from_date = add_timezone(from_date)
to_date = add_timezone(to_date)
else:
# from_date = get_month_start()
# to_date = from_date + relativedelta(months=1)
from_date = Entry.objects.last().start_time
to_date = datetime.datetime.today()
entries_qs = Entry.objects.filter(user=user)
if form.is_valid():
month_qs = entries_qs.timespan(from_date, span='month')
else:
month_qs = entries_qs.timespan(from_date)
extra_values = ('start_time', 'end_time', 'comments', 'seconds_paused',
'id', 'location__name', 'project__name', 'activity__name',
'status')
month_entries = month_qs.date_trunc('month',
extra_values).order_by('start_time')
entry_ids = month_entries.values_list('id', flat=True)
tasks = TaskList.objects.filter(entry_id__in=entry_ids).values(
'entry_id', 'tasks').order_by('entry_id')
task_values = [
tasks.get(entry_id=entry_id)['tasks']
if entry_id in tasks.values_list('entry_id', flat=True) else ''
for entry_id in entry_ids
]
first_week = get_week_start(from_date)
month_week = first_week + relativedelta(weeks=1)
grouped_qs = entries_qs.timespan(first_week, to_date=to_date)
intersection = grouped_qs.filter(start_time__lt=month_week,
start_time__gte=from_date)
if not intersection and first_week.month < from_date.month:
grouped_qs = entries_qs.timespan(from_date, to_date=to_date)
totals = grouped_totals(grouped_qs) if month_entries else ''
project_entries = month_qs.order_by().values('project__name').annotate(
sum=Sum('hours')).order_by('-sum')
summary = Entry.summary(user, from_date, to_date)
show_approve = show_verify = False
can_change = request.user.has_perm('entries.can_change_entry')
can_approve = request.user.has_perm('entries.approve_timesheet')
if can_change or can_approve or user == request.user:
statuses = list(month_qs.values_list('status', flat=True))
total_statuses = len(statuses)
unverified_count = statuses.count(Entry.UNVERIFIED)
verified_count = statuses.count(Entry.VERIFIED)
approved_count = statuses.count(Entry.APPROVED)
if can_change or user == request.user:
show_verify = unverified_count != 0
if can_approve:
show_approve = all([
verified_count + approved_count == total_statuses,
verified_count > 0,
total_statuses != 0,
])
return render(
request, 'user/timesheet_view.html', {
'active_tab': active_tab or 'overview',
'year_month_form': form,
'from_date': from_date,
'to_date': to_date - relativedelta(days=1),
'show_verify': show_verify,
'show_approve': show_approve,
'timesheet_user': user,
'entries': zip(month_entries, task_values),
'grouped_totals': totals,
'project_entries': project_entries,
'summary': summary
})
def form_invalid(self, form):
return HttpResponseForbidden()
def gym_permissions_user_edit(request, user_pk):
"""
Edits the permissions of a gym member
"""
member = get_object_or_404(User, pk=user_pk)
user = request.user
if not user.is_authenticated:
return HttpResponseForbidden()
if not user.has_perm('gym.manage_gyms') and not user.has_perm('gym.manage_gym'):
return HttpResponseForbidden()
if user.has_perm('gym.manage_gym') and user.userprofile.gym != member.userprofile.gym:
return HttpResponseForbidden()
# Calculate available user permissions
form_group_permission = get_permission_list(user)
if request.method == 'POST':
form = GymUserPermissionForm(available_roles=form_group_permission,
data=request.POST)
if form.is_valid():
# Remove the user from all gym permission groups
member.groups.remove(Group.objects.get(name='gym_member'))
member.groups.remove(Group.objects.get(name='gym_trainer'))
member.groups.remove(Group.objects.get(name='gym_manager'))
member.groups.remove(Group.objects.get(name='general_gym_manager'))
# Set appropriate permission groups
if 'user' in form.cleaned_data['role']:
member.groups.add(Group.objects.get(name='gym_member'))
if 'trainer' in form.cleaned_data['role']:
member.groups.add(Group.objects.get(name='gym_trainer'))
if 'admin' in form.cleaned_data['role']:
member.groups.add(Group.objects.get(name='gym_manager'))
if 'manager' in form.cleaned_data['role']:
member.groups.add(Group.objects.get(name='general_gym_manager'))
return HttpResponseRedirect(reverse('gym:gym:user-list',
kwargs={'pk': member.userprofile.gym.pk}))
else:
initial_data = {}
if member.groups.filter(name='gym_member').exists():
initial_data['user'] = True
if member.groups.filter(name='gym_trainer').exists():
initial_data['trainer'] = True
if member.groups.filter(name='gym_manager').exists():
initial_data['admin'] = True
if member.groups.filter(name='general_gym_manager').exists():
initial_data['manager'] = True
form = GymUserPermissionForm(initial={'role': initial_data},
available_roles=form_group_permission)
# Set form action to absolute path
form.helper.form_action = request.path
context = {'title': member.get_full_name(),
'form': form,
'submit_text': 'Save'}
return render(request, 'form.html', context)
def dispatch(self, *args, **kwargs):
if not self.request.user.has_perm('clips.delete_clip'):
return HttpResponseForbidden()
return super(ClipDeleteView, self).dispatch(*args, **kwargs)
