Commit 27d305df authored by Luuk Scholten's avatar Luuk Scholten

Merge branch 'feature/committee-events-only' into 'master'

Prevent non-organiser from editing or viewing event data

Closes #362

See merge request !418
parents 8d7a1dc6 5faf7ab0
......@@ -9,7 +9,6 @@ from django.urls import reverse
from django.utils import timezone
from django.utils.translation import ugettext_lazy as _
from members.models import Member
from utils.translation import (ModelTranslateMeta, MultilingualField,
localize_attr_name)
......@@ -67,7 +66,7 @@ class Committee(models.Model, metaclass=ModelTranslateMeta):
)
members = models.ManyToManyField(
Member,
'members.Member',
through='CommitteeMembership'
)
......@@ -165,7 +164,7 @@ class CommitteeMembership(models.Model, metaclass=ModelTranslateMeta):
active_memberships = ActiveMembershipManager()
member = models.ForeignKey(
Member,
'members.Member',
on_delete=models.CASCADE,
verbose_name=_('Member'),
)
......@@ -297,7 +296,7 @@ class CommitteeMembership(models.Model, metaclass=ModelTranslateMeta):
class Mentorship(models.Model):
member = models.ForeignKey(
Member,
'members.Member',
on_delete=models.CASCADE,
verbose_name=_('Member'),
)
......
......@@ -8,7 +8,6 @@ from django.utils.html import format_html
from django.utils.http import is_safe_url
from django.utils.translation import ugettext_lazy as _
from activemembers.models import Committee
from members.models import Member
from utils.translation import TranslatedModelAdmin
from . import forms, models
......@@ -70,6 +69,16 @@ class EventAdmin(DoNextModelAdmin):
kwargs={'event_id': obj.pk}),
title=obj.title)
def has_change_permission(self, request, event=None):
try:
if not request.user.is_superuser and event is not None:
committees = request.user.member.get_committees().filter(
Q(pk=event.organiser.pk)).count()
return committees > 0
except Member.DoesNotExist:
pass
return super().has_change_permission(request, event)
def edit_link(self, obj):
return _('Edit')
edit_link.short_description = ''
......@@ -84,13 +93,23 @@ class EventAdmin(DoNextModelAdmin):
num_participants.short_description = _('Number of participants')
def make_published(self, request, queryset):
queryset.update(published=True)
self._change_published(request, queryset, True)
make_published.short_description = _('Publish selected events')
def make_unpublished(self, request, queryset):
queryset.update(published=False)
self._change_published(request, queryset, False)
make_unpublished.short_description = _('Unpublish selected events')
@staticmethod
def _change_published(request, queryset, published):
try:
if not request.user.is_superuser:
queryset = queryset.filter(
organiser__in=request.user.member.get_committees())
queryset.update(published=published)
except Member.DoesNotExist:
pass
def save_formset(self, request, form, formset, change):
"""Save formsets with their order"""
formset.save()
......@@ -118,18 +137,17 @@ class EventAdmin(DoNextModelAdmin):
# Only get the current active committees the user is a member of
try:
if not request.user.is_superuser:
member = request.user.member
kwargs['queryset'] = Committee.unfiltered_objects.filter(
Q(committeemembership__member=member) &
(
Q(committeemembership__until=None) |
Q(committeemembership__until__gt=timezone.now())
)).exclude(active=False)
kwargs['queryset'] = request.user.member.get_committees()
except Member.DoesNotExist:
pass
return super().formfield_for_foreignkey(db_field, request, **kwargs)
def get_actions(self, request):
actions = super(EventAdmin, self).get_actions(request)
del actions['delete_selected']
return actions
@admin.register(models.Registration)
class RegistrationAdmin(DoNextModelAdmin):
......
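Review bot: The new `has_change_permission` (L52–L60) returns committee membership alone for a non-superuser editing an existing event, so it replaces the model-level `events.change_event` check rather than narrowing it — a staff member who sits in the organising committee but lacks that permission is granted change access the base class would have denied. Combine the two checks: `return committees > 0 and super().has_change_permission(request, event)`. If `organiser` is nullable, `event.organiser.pk` raises AttributeError for such events; `event.organiser_id` is the safer comparison. Note also that `delete_selected` is dropped in `get_actions` but `has_delete_permission` is not overridden, so the per-object delete view on the change page is presumably still governed only by the model permission — worth a comment if that is intended, or the same organiser check if not. The enclosing `EventAdmin` class starts outside the hunk.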
......@@ -4,14 +4,15 @@ import json
from django.contrib import messages
from django.contrib.admin.views.decorators import staff_member_required
from django.contrib.auth.decorators import login_required, permission_required
from django.core.exceptions import PermissionDenied
from django.core.mail import EmailMessage
from django.http import HttpResponse, HttpResponseRedirect, JsonResponse
from django.shortcuts import get_object_or_404, redirect, render
from django.template.loader import get_template
from django.utils import timezone, translation
from django.utils.text import slugify
from django.utils.translation import ugettext_lazy as _
from django.utils.translation import pgettext_lazy
from django.utils.translation import ugettext_lazy as _
from django.views.decorators.http import require_http_methods
from .forms import FieldsForm
......@@ -22,6 +23,14 @@ from .models import Event, Registration, RegistrationInformationField
@permission_required('events.change_event')
def admin_details(request, event_id):
event = get_object_or_404(Event, pk=event_id)
if not request.user.is_superuser:
committees = request.user.member.get_committees().filter(
pk=event.organiser.pk).count()
if committees == 0:
raise PermissionDenied
n = event.max_participants
registrations = list(event.registration_set.filter(date_cancelled=None))
cancellations = event.registration_set.exclude(date_cancelled=None)
......
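Review bot: The organiser check added to `admin_details` (L128–L132) dereferences `request.user.member` without catching `Member.DoesNotExist`, unlike the matching checks in the admin, so a non-superuser staff account with no linked Member gets a 500 from this view instead of a 403. Treat the missing profile as a denial, and compare on `organiser_id` with `exists()` so a nullable `organiser` cannot raise either. `ObjectDoesNotExist` can be taken from the same `django.core.exceptions` import the hunk already adds. `admin_details` continues past the end of the hunk.
```python
    if not request.user.is_superuser:
        try:
            committees = request.user.member.get_committees()
        except ObjectDoesNotExist:
            raise PermissionDenied
        if not committees.filter(pk=event.organiser_id).exists():
            raise PermissionDenied
    # … unchanged: participant counting and registration listing …
```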
......@@ -13,6 +13,7 @@ from django.utils.translation import ugettext_lazy as _
from localflavor.generic.countries.sepa import IBAN_SEPA_COUNTRIES
from localflavor.generic.models import IBANField
from activemembers.models import Committee
from utils.snippets import datetime_to_lectureyear
from utils.validators import validate_file_extension
......@@ -353,6 +354,14 @@ class Member(models.Model):
def get_full_name(self):
return self.user.get_full_name()
def get_committees(self):
return Committee.unfiltered_objects.filter(
Q(committeemembership__member=self) &
(
Q(committeemembership__until=None) |
Q(committeemembership__until__gt=timezone.now())
)).exclude(active=False)
def get_absolute_url(self):
return reverse('members:profile', args=[str(self.pk)])
......
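Review bot: `get_committees` (L146–L152) is now the authorization oracle for the event admin, yet it carries no docstring and, because the filter joins across `committeemembership`, can yield the same committee more than once when several membership rows match; append `.distinct()` to the chain and add a docstring such as `"""Return the active committees this member currently belongs to (memberships with no end date or an end date in the future)."""`. The import hunk does not show `Q` or `timezone` being imported in this module; confirm both are already in scope. Importing `Committee` from `activemembers.models` here also creates the module cycle that the string model references in activemembers/models.py are presumably there to break — a one-line comment stating that dependency direction would spare the next maintainer a surprise.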