Commit 6f8fcb8b authored by Luko van der Maas's avatar Luko van der Maas

Merge branch 'fix/restrict-pizza-order-updates-to-organisers' into 'master'

Restrict updates to pizza orders to organisers of the pizza event

See merge request !1164
parents 360ea8f3 4152b640
from django.contrib import admin
from django.core.exceptions import PermissionDenied
from django.urls import reverse
from django.utils import timezone
from django.utils.html import format_html
......@@ -6,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _
from .models import Order, PizzaEvent, Product
from events.models import Event
from events.services import is_organiser
@admin.register(Product)
......@@ -35,3 +37,29 @@ class PizzaEventAdmin(admin.ModelAdmin):
@admin.register(Order)
class OrderAdmin(admin.ModelAdmin):
list_display = ('pizza_event', 'member_name', 'product', 'paid')
def save_model(self, request, obj, form, change):
if not is_organiser(request.member, obj.pizza_event.event):
raise PermissionDenied
return super().save_model(request, obj, form, change)
def has_view_permission(self, request, order=None):
"""Only give view permission if the user is an organiser"""
if (order is not None and
not is_organiser(request.member, order.pizza_event.event)):
return False
return super().has_view_permission(request, order)
def has_change_permission(self, request, order=None):
"""Only give change permission if the user is an organiser"""
if (order is not None and
not is_organiser(request.member, order.pizza_event.event)):
return False
return super().has_change_permission(request, order)
def has_delete_permission(self, request, order=None):
"""Only give delete permission if the user is an organiser"""
if (order is not None and
not is_organiser(request.member, order.pizza_event.event)):
return False
return super().has_delete_permission(request, order)
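Review bot: The organiser check in has_view_permission, has_change_permission and has_delete_permission only runs when `order` is given, and `get_queryset` is not narrowed, so a staff member holding the model permission still gets the full changelist (`order=None` falls through to the super call) and can read member names, products and payment state of orders for events they do not organise. Consider overriding `get_queryset` to restrict the changelist to orders whose `pizza_event.event` the request member organises (the organiser relation is not visible in this diff) and confirm, for the Django version in use, whether the bulk `delete_selected` action re-checks `has_delete_permission` per object before acting on the queryset. The three methods repeat the same condition; a helper such as `def _is_order_organiser(self, request, order): return order is None or is_organiser(request.member, order.pizza_event.event)` would reduce each to `return self._is_order_organiser(request, order) and super().has_change_permission(request, order)` (and likewise for view and delete).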
......@@ -3,6 +3,7 @@ from rest_framework import serializers
from rest_framework.exceptions import ValidationError
from pizzas.models import Product, PizzaEvent, Order
from pizzas.services import can_change_order
class PizzaSerializer(serializers.ModelSerializer):
......@@ -12,12 +13,16 @@ class PizzaSerializer(serializers.ModelSerializer):
class PizzaEventSerializer(serializers.ModelSerializer):
class Meta:
model = PizzaEvent
fields = ('start', 'end', 'event', 'title', 'is_admin')
event = serializers.PrimaryKeyRelatedField(read_only=True)
is_admin = serializers.SerializerMethodField('_is_admin')
class Meta:
model = PizzaEvent
fields = ('start', 'end', 'event', 'title')
def _is_admin(self, instance):
member = self.context['request'].member
return can_change_order(member, instance)
class OrderSerializer(serializers.ModelSerializer):
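Review bot: `_is_admin` indexes `self.context['request']` directly, so any instantiation of PizzaEventSerializer without a request in its context now raises KeyError instead of serialising; the one caller changed in this commit passes it, but the requirement is undocumented. A tolerant form is `request = self.context.get('request')` followed by `return request is not None and can_change_order(request.member, instance)`, with a docstring along the lines of "Whether the requesting member may manage orders of this event; needs 'request' in the serializer context." It also presumes `request.member` is set (custom middleware, presumably); that assumption is worth stating in the same docstring.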
......@@ -10,6 +10,7 @@ from rest_framework.viewsets import GenericViewSet, ModelViewSet
from pizzas.api import serializers
from pizzas.models import Product, PizzaEvent, Order
from pizzas.services import can_change_order
class PizzaViewset(GenericViewSet, ListModelMixin):
......@@ -32,7 +33,9 @@ class PizzaViewset(GenericViewSet, ListModelMixin):
event = PizzaEvent.current()
if event:
serializer = serializers.PizzaEventSerializer(event)
context = {'request': request}
serializer = serializers.PizzaEventSerializer(event,
context=context)
return Response(serializer.data)
raise NotFound
......@@ -44,7 +47,7 @@ class OrderViewset(ModelViewSet):
def get_queryset(self):
event = PizzaEvent.current()
if self.request.user.has_perm('pizzas.change_order'):
if can_change_order(self.request.user, event):
return Order.objects.filter(pizza_event=event)
if self.action == 'update' or self.action == 'destroy':
if not event or event.has_ended:
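Review bot: `event` from `PizzaEvent.current()` can be None (the `if not event` check two lines below shows this), and `can_change_order` dereferences `pizza_event.event`, so a user holding `pizzas.change_order` while no event is current now gets an AttributeError where the old `has_perm` branch returned an empty filter. Guard it here: `if event and can_change_order(self.request.user, event):`; the same None path exists inside `can_change_order` in the services hunk, which could alternatively carry the guard. This line passes `self.request.user` while `get_serializer_class` in the next hunk and the admin pass `request.member`; if those are different objects, `is_organiser` receives inconsistent input, so unify on one. get_queryset continues past the end of the hunk.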
......@@ -57,7 +60,9 @@ class OrderViewset(ModelViewSet):
pizza_event=event)
def get_serializer_class(self):
if self.request.member.has_perm('pizzas.change_order'):
if (can_change_order(self.request.member,
self.get_object().pizza_event) and
self.action.endswith('update')):
return serializers.AdminOrderSerializer
return serializers.OrderSerializer
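Review bot: `self.get_object()` is evaluated before the action test in the `and` chain, so `get_serializer_class` now calls it for every action including `list` and `create`, where no lookup kwarg is present and the stock DRF `get_object` fails on the missing lookup (confirm the viewset does not override it). Put the cheap check first so it short-circuits: `if (self.action.endswith('update') and` / `can_change_order(self.request.member, self.get_object().pizza_event)):`. With that order the object lookup, and the extra object-permission check it triggers, only happens on `update` and `partial_update`, which is also where the admin serializer is actually returned.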
from events.services import is_organiser
from . models import Product, Order, PizzaEvent
......@@ -34,3 +35,8 @@ def gen_stats_current_pizza_orders():
total.sort(key=lambda prod: prod['total'], reverse=True)
return total
def can_change_order(member, pizza_event):
return (member.has_perm('pizzas.change_order') and
is_organiser(member, pizza_event.event))
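Review bot: `can_change_order` is a new authorisation predicate used by both the API views and the serializer, and it has no docstring stating its contract. Suggest `"""Return True if *member* holds pizzas.change_order and is an organiser of the event behind *pizza_event*."""`, and a one-line comment noting that `has_perm` is checked first so the organiser lookup (presumably a query) is skipped for members without the model permission. The function assumes `pizza_event` is not None; either document that precondition or reject None explicitly, since its caller in the views passes `PizzaEvent.current()`.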