Merge branch 'fix/restrict-pizza-order-updates-to-organisers' into 'master'

Restrict updates to pizza orders to organisers of the pizza event See merge request !1164

Merge branch 'fix/restrict-pizza-order-updates-to-organisers' into 'master'
Restrict updates to pizza orders to organisers of the pizza event See merge request !1164
6f8fcb8b · Luko van der Maas · 360ea8f3 · 4152b640 · 6f8fcb8b · 6f8fcb8b
Commit 6f8fcb8b authored Mar 27, 2019 by Luko van der Maas
--- a/website/pizzas/admin.py
+++ b/website/pizzas/admin.py
 from django.contrib import admin
+from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.html import format_html
@@ -6,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _

 from .models import Order, PizzaEvent, Product
 from events.models import Event
+from events.services import is_organiser


 @admin.register(Product)
@@ -35,3 +37,29 @@ class PizzaEventAdmin(admin.ModelAdmin):
 @admin.register(Order)
 class OrderAdmin(admin.ModelAdmin):
    list_display = ('pizza_event', 'member_name', 'product', 'paid')
+
+    def save_model(self, request, obj, form, change):
+        if not is_organiser(request.member, obj.pizza_event.event):
+            raise PermissionDenied
+        return super().save_model(request, obj, form, change)
+
+    def has_view_permission(self, request, order=None):
+        """Only give view permission if the user is an organiser"""
+        if (order is not None and
+                not is_organiser(request.member, order.pizza_event.event)):
+            return False
+        return super().has_view_permission(request, order)
+
+    def has_change_permission(self, request, order=None):
+        """Only give change permission if the user is an organiser"""
+        if (order is not None and
+                not is_organiser(request.member, order.pizza_event.event)):
+            return False
+        return super().has_change_permission(request, order)
+
+    def has_delete_permission(self, request, order=None):
+        """Only give delete permission if the user is an organiser"""
+        if (order is not None and
+                not is_organiser(request.member, order.pizza_event.event)):
+            return False
+        return super().has_delete_permission(request, order)
--- a/website/pizzas/api/serializers.py
+++ b/website/pizzas/api/serializers.py
@@ -3,6 +3,7 @@ from rest_framework import serializers
 from rest_framework.exceptions import ValidationError

 from pizzas.models import Product, PizzaEvent, Order
+from pizzas.services import can_change_order


 class PizzaSerializer(serializers.ModelSerializer):
@@ -12,12 +13,16 @@ class PizzaSerializer(serializers.ModelSerializer):


 class PizzaEventSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = PizzaEvent
+        fields = ('start', 'end', 'event', 'title', 'is_admin')

    event = serializers.PrimaryKeyRelatedField(read_only=True)
+    is_admin = serializers.SerializerMethodField('_is_admin')

-    class Meta:
-        model = PizzaEvent
-        fields = ('start', 'end', 'event', 'title')
+    def _is_admin(self, instance):
+        member = self.context['request'].member
+        return can_change_order(member, instance)


 class OrderSerializer(serializers.ModelSerializer):

--- a/website/pizzas/api/viewsets.py
+++ b/website/pizzas/api/viewsets.py
@@ -10,6 +10,7 @@ from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from pizzas.api import serializers
 from pizzas.models import Product, PizzaEvent, Order
+from pizzas.services import can_change_order


 class PizzaViewset(GenericViewSet, ListModelMixin):
@@ -32,7 +33,9 @@ class PizzaViewset(GenericViewSet, ListModelMixin):
        event = PizzaEvent.current()

        if event:
-            serializer = serializers.PizzaEventSerializer(event)
+            context = {'request': request}
+            serializer = serializers.PizzaEventSerializer(event,
+                                                          context=context)
            return Response(serializer.data)

        raise NotFound
@@ -44,7 +47,7 @@ class OrderViewset(ModelViewSet):

    def get_queryset(self):
        event = PizzaEvent.current()
-        if self.request.user.has_perm('pizzas.change_order'):
+        if can_change_order(self.request.user, event):
            return Order.objects.filter(pizza_event=event)
        if self.action == 'update' or self.action == 'destroy':
            if not event or event.has_ended:
@@ -57,7 +60,9 @@ class OrderViewset(ModelViewSet):
                                    pizza_event=event)

    def get_serializer_class(self):
-        if self.request.member.has_perm('pizzas.change_order'):
+        if (can_change_order(self.request.member,
+                             self.get_object().pizza_event) and
+                self.action.endswith('update')):
            return serializers.AdminOrderSerializer
        return serializers.OrderSerializer


--- a/website/pizzas/services.py
+++ b/website/pizzas/services.py
+from events.services import is_organiser
 from . models import Product, Order, PizzaEvent


@@ -34,3 +35,8 @@ def gen_stats_current_pizza_orders():
    total.sort(key=lambda prod: prod['total'], reverse=True)

    return total
+
+
+def can_change_order(member, pizza_event):
+    return (member.has_perm('pizzas.change_order') and
+            is_organiser(member, pizza_event.event))