Merge branch 'feature/committee-events-only' into 'master'

Prevent non-organiser from editing or viewing event data Closes #362 See merge request !418

Merge branch 'feature/committee-events-only' into 'master'
Prevent non-organiser from editing or viewing event data Closes #362 See merge request !418
27d305df · Luuk Scholten · 8d7a1dc6 · 5faf7ab0 · 27d305df · 27d305df
Commit 27d305df authored Mar 22, 2017 by Luuk Scholten
--- a/website/activemembers/models.py
+++ b/website/activemembers/models.py
@@ -9,7 +9,6 @@ from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _

-from members.models import Member
 from utils.translation import (ModelTranslateMeta, MultilingualField,
                               localize_attr_name)

@@ -67,7 +66,7 @@ class Committee(models.Model, metaclass=ModelTranslateMeta):
    )

    members = models.ManyToManyField(
-        Member,
+        'members.Member',
        through='CommitteeMembership'
    )

@@ -165,7 +164,7 @@ class CommitteeMembership(models.Model, metaclass=ModelTranslateMeta):
    active_memberships = ActiveMembershipManager()

    member = models.ForeignKey(
-        Member,
+        'members.Member',
        on_delete=models.CASCADE,
        verbose_name=_('Member'),
    )
@@ -297,7 +296,7 @@ class CommitteeMembership(models.Model, metaclass=ModelTranslateMeta):

 class Mentorship(models.Model):
    member = models.ForeignKey(
-        Member,
+        'members.Member',
        on_delete=models.CASCADE,
        verbose_name=_('Member'),
    )

--- a/website/events/admin.py
+++ b/website/events/admin.py
@@ -8,7 +8,6 @@ from django.utils.html import format_html
 from django.utils.http import is_safe_url
 from django.utils.translation import ugettext_lazy as _

-from activemembers.models import Committee
 from members.models import Member
 from utils.translation import TranslatedModelAdmin
 from . import forms, models
@@ -70,6 +69,16 @@ class EventAdmin(DoNextModelAdmin):
                                        kwargs={'event_id': obj.pk}),
                           title=obj.title)

+    def has_change_permission(self, request, event=None):
+        try:
+            if not request.user.is_superuser and event is not None:
+                committees = request.user.member.get_committees().filter(
+                    Q(pk=event.organiser.pk)).count()
+                return committees > 0
+        except Member.DoesNotExist:
+            pass
+        return super().has_change_permission(request, event)
+
    def edit_link(self, obj):
        return _('Edit')
    edit_link.short_description = ''
@@ -84,13 +93,23 @@ class EventAdmin(DoNextModelAdmin):
    num_participants.short_description = _('Number of participants')

    def make_published(self, request, queryset):
-        queryset.update(published=True)
+        self._change_published(request, queryset, True)
    make_published.short_description = _('Publish selected events')

    def make_unpublished(self, request, queryset):
-        queryset.update(published=False)
+        self._change_published(request, queryset, False)
    make_unpublished.short_description = _('Unpublish selected events')

+    @staticmethod
+    def _change_published(request, queryset, published):
+        try:
+            if not request.user.is_superuser:
+                queryset = queryset.filter(
+                    organiser__in=request.user.member.get_committees())
+            queryset.update(published=published)
+        except Member.DoesNotExist:
+            pass
+
    def save_formset(self, request, form, formset, change):
        """Save formsets with their order"""
        formset.save()
@@ -118,18 +137,17 @@ class EventAdmin(DoNextModelAdmin):
            # Only get the current active committees the user is a member of
            try:
                if not request.user.is_superuser:
-                    member = request.user.member
-                    kwargs['queryset'] = Committee.unfiltered_objects.filter(
-                        Q(committeemembership__member=member) &
-                        (
-                            Q(committeemembership__until=None) |
-                            Q(committeemembership__until__gt=timezone.now())
-                        )).exclude(active=False)
+                    kwargs['queryset'] = request.user.member.get_committees()

            except Member.DoesNotExist:
                pass
        return super().formfield_for_foreignkey(db_field, request, **kwargs)

+    def get_actions(self, request):
+        actions = super(EventAdmin, self).get_actions(request)
+        del actions['delete_selected']
+        return actions
+

 @admin.register(models.Registration)
 class RegistrationAdmin(DoNextModelAdmin):

--- a/website/events/views.py
+++ b/website/events/views.py
@@ -4,14 +4,15 @@ import json
 from django.contrib import messages
 from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth.decorators import login_required, permission_required
+from django.core.exceptions import PermissionDenied
 from django.core.mail import EmailMessage
 from django.http import HttpResponse, HttpResponseRedirect, JsonResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template.loader import get_template
 from django.utils import timezone, translation
 from django.utils.text import slugify
-from django.utils.translation import ugettext_lazy as _
 from django.utils.translation import pgettext_lazy
+from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.http import require_http_methods

 from .forms import FieldsForm
@@ -22,6 +23,14 @@ from .models import Event, Registration, RegistrationInformationField
 @permission_required('events.change_event')
 def admin_details(request, event_id):
    event = get_object_or_404(Event, pk=event_id)
+
+    if not request.user.is_superuser:
+        committees = request.user.member.get_committees().filter(
+            pk=event.organiser.pk).count()
+
+        if committees == 0:
+            raise PermissionDenied
+
    n = event.max_participants
    registrations = list(event.registration_set.filter(date_cancelled=None))
    cancellations = event.registration_set.exclude(date_cancelled=None)

--- a/website/members/models.py
+++ b/website/members/models.py
@@ -13,6 +13,7 @@ from django.utils.translation import ugettext_lazy as _
 from localflavor.generic.countries.sepa import IBAN_SEPA_COUNTRIES
 from localflavor.generic.models import IBANField

+from activemembers.models import Committee
 from utils.snippets import datetime_to_lectureyear
 from utils.validators import validate_file_extension

@@ -353,6 +354,14 @@ class Member(models.Model):
    def get_full_name(self):
        return self.user.get_full_name()

+    def get_committees(self):
+        return Committee.unfiltered_objects.filter(
+            Q(committeemembership__member=self) &
+            (
+                Q(committeemembership__until=None) |
+                Q(committeemembership__until__gt=timezone.now())
+            )).exclude(active=False)
+
    def get_absolute_url(self):
        return reverse('members:profile', args=[str(self.pk)])