Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
thalia
concrexit
Commits
822f3506
Verified
Commit
822f3506
authored
Aug 04, 2019
by
Sébastiaan Versteeg
Browse files
Fix pizza order permissions
parent
35588448
Changes
2
Show whitespace changes
Inline
Side-by-side
website/pizzas/admin.py
View file @
822f3506
...
...
@@ -2,15 +2,14 @@ from django.conf import settings
from
django.contrib
import
admin
from
django.core.exceptions
import
PermissionDenied
from
django.urls
import
reverse
,
path
from
django.utils
import
timezone
from
django.utils.html
import
format_html
from
django.utils.translation
import
ugettext_lazy
as
_
from
events
import
services
from
events.services
import
is_organiser
from
pizzas
import
admin_views
from
utils.admin
import
DoNextModelAdmin
from
.models
import
Order
,
PizzaEvent
,
Product
from
events.models
import
Event
from
events.services
import
is_organiser
@
admin
.
register
(
Product
)
...
...
@@ -26,6 +25,7 @@ class PizzaEventAdmin(admin.ModelAdmin):
date_hierarchy
=
'start'
exclude
=
(
'end_reminder'
,)
search_fields
=
[
f
'event__title_
{
l
[
0
]
}
'
for
l
in
settings
.
LANGUAGES
]
autocomplete_fields
=
(
'event'
,)
def
notification_enabled
(
self
,
obj
):
return
obj
.
send_notification
...
...
@@ -33,18 +33,25 @@ class PizzaEventAdmin(admin.ModelAdmin):
notification_enabled
.
admin_order_field
=
'send_notification'
notification_enabled
.
boolean
=
True
def
has_change_permission
(
self
,
request
,
obj
=
None
):
"""Only allow access to the change form if the user is an organiser"""
if
(
obj
is
not
None
and
not
services
.
is_organiser
(
request
.
member
,
obj
.
event
)):
return
False
return
super
().
has_change_permission
(
request
,
obj
)
def
has_delete_permission
(
self
,
request
,
obj
=
None
):
"""Only allow access to delete if the user is an organiser"""
if
(
obj
is
not
None
and
not
services
.
is_organiser
(
request
.
member
,
obj
.
event
)):
return
False
return
super
().
has_delete_permission
(
request
,
obj
)
def
orders
(
self
,
obj
):
url
=
reverse
(
'admin:pizzas_pizzaevent_details'
,
kwargs
=
{
'pk'
:
obj
.
pk
})
return
format_html
(
'<a href="{url}">{text}</a>'
,
url
=
url
,
text
=
_
(
"Orders"
))
def
formfield_for_foreignkey
(
self
,
db_field
,
request
,
**
kwargs
):
if
db_field
.
name
==
"event"
:
kwargs
[
"queryset"
]
=
Event
.
objects
.
filter
(
end__gte
=
timezone
.
now
())
return
super
(
PizzaEventAdmin
,
self
).
formfield_for_foreignkey
(
db_field
,
request
,
**
kwargs
)
def
get_urls
(
self
):
urls
=
super
().
get_urls
()
custom_urls
=
[
...
...
website/pizzas/admin_views.py
View file @
822f3506
"""Admin views provided by the pizzas package"""
from
django.shortcuts
import
get_object_or_404
from
django.utils.decorators
import
method_decorator
from
django.utils.text
import
capfirst
from
django.utils.translation
import
ugettext_lazy
as
_
from
django.views.generic
import
TemplateView
from
events.decorators
import
organiser_only
from
payments.models
import
Payment
from
pizzas.models
import
PizzaEvent
,
Order
@
method_decorator
(
organiser_only
,
name
=
'dispatch'
)
class
PizzaOrderSummary
(
TemplateView
):
template_name
=
'pizzas/admin/summary.html'
admin
=
None
...
...
@@ -57,6 +60,7 @@ class PizzaOrderSummary(TemplateView):
return
context
@
method_decorator
(
organiser_only
,
name
=
'dispatch'
)
class
PizzaOrderDetails
(
TemplateView
):
template_name
=
'pizzas/admin/orders.html'
admin
=
None
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment