Verified Commit 822f3506 authored by Sébastiaan Versteeg's avatar Sébastiaan Versteeg

Fix pizza order permissions

parent 35588448
...@@ -2,15 +2,14 @@ from django.conf import settings ...@@ -2,15 +2,14 @@ from django.conf import settings
from django.contrib import admin from django.contrib import admin
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.urls import reverse, path from django.urls import reverse, path
from django.utils import timezone
from django.utils.html import format_html from django.utils.html import format_html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from events import services
from events.services import is_organiser
from pizzas import admin_views from pizzas import admin_views
from utils.admin import DoNextModelAdmin from utils.admin import DoNextModelAdmin
from .models import Order, PizzaEvent, Product from .models import Order, PizzaEvent, Product
from events.models import Event
from events.services import is_organiser
@admin.register(Product) @admin.register(Product)
...@@ -26,6 +25,7 @@ class PizzaEventAdmin(admin.ModelAdmin): ...@@ -26,6 +25,7 @@ class PizzaEventAdmin(admin.ModelAdmin):
date_hierarchy = 'start' date_hierarchy = 'start'
exclude = ('end_reminder',) exclude = ('end_reminder',)
search_fields = [f'event__title_{l[0]}' for l in settings.LANGUAGES] search_fields = [f'event__title_{l[0]}' for l in settings.LANGUAGES]
autocomplete_fields = ('event',)
def notification_enabled(self, obj): def notification_enabled(self, obj):
return obj.send_notification return obj.send_notification
...@@ -33,18 +33,25 @@ class PizzaEventAdmin(admin.ModelAdmin): ...@@ -33,18 +33,25 @@ class PizzaEventAdmin(admin.ModelAdmin):
notification_enabled.admin_order_field = 'send_notification' notification_enabled.admin_order_field = 'send_notification'
notification_enabled.boolean = True notification_enabled.boolean = True
def has_change_permission(self, request, obj=None):
"""Only allow access to the change form if the user is an organiser"""
if (obj is not None and
not services.is_organiser(request.member, obj.event)):
return False
return super().has_change_permission(request, obj)
def has_delete_permission(self, request, obj=None):
"""Only allow access to delete if the user is an organiser"""
if (obj is not None and
not services.is_organiser(request.member, obj.event)):
return False
return super().has_delete_permission(request, obj)
def orders(self, obj): def orders(self, obj):
url = reverse('admin:pizzas_pizzaevent_details', kwargs={'pk': obj.pk}) url = reverse('admin:pizzas_pizzaevent_details', kwargs={'pk': obj.pk})
return format_html('<a href="{url}">{text}</a>', return format_html('<a href="{url}">{text}</a>',
url=url, text=_("Orders")) url=url, text=_("Orders"))
def formfield_for_foreignkey(self, db_field, request, **kwargs):
if db_field.name == "event":
kwargs["queryset"] = Event.objects.filter(
end__gte=timezone.now())
return super(PizzaEventAdmin, self).formfield_for_foreignkey(
db_field, request, **kwargs)
def get_urls(self): def get_urls(self):
urls = super().get_urls() urls = super().get_urls()
custom_urls = [ custom_urls = [
......
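Review bot: The new `has_change_permission` and `has_delete_permission` apply the organiser check only when `obj is not None`, so creating a pizza event, or re-pointing an existing one at a different `event`, is still governed by the model-level permission alone. With `autocomplete_fields = ('event',)` the `event` choice is not narrowed anywhere in this class, so a staff user could presumably attach a PizzaEvent to an event they do not organise. Consider validating the selected event on save, for example in `save_model`: `if not services.is_organiser(request.member, obj.event): raise PermissionDenied`, or the equivalent in the form's `clean`. The two docstrings should also state that the `obj is None` case defers to the default model permission. PizzaEventAdmin starts and continues outside the visible lines, so whether the add path is already covered elsewhere cannot be confirmed from here.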
"""Admin views provided by the pizzas package""" """Admin views provided by the pizzas package"""
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
from django.utils.decorators import method_decorator
from django.utils.text import capfirst from django.utils.text import capfirst
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.views.generic import TemplateView from django.views.generic import TemplateView
from events.decorators import organiser_only
from payments.models import Payment from payments.models import Payment
from pizzas.models import PizzaEvent, Order from pizzas.models import PizzaEvent, Order
@method_decorator(organiser_only, name='dispatch')
class PizzaOrderSummary(TemplateView): class PizzaOrderSummary(TemplateView):
template_name = 'pizzas/admin/summary.html' template_name = 'pizzas/admin/summary.html'
admin = None admin = None
...@@ -57,6 +60,7 @@ class PizzaOrderSummary(TemplateView): ...@@ -57,6 +60,7 @@ class PizzaOrderSummary(TemplateView):
return context return context
@method_decorator(organiser_only, name='dispatch')
class PizzaOrderDetails(TemplateView): class PizzaOrderDetails(TemplateView):
template_name = 'pizzas/admin/orders.html' template_name = 'pizzas/admin/orders.html'
admin = None admin = None
......
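Review bot: `organiser_only` comes from `events.decorators`, but both views are reached with the primary key of a `PizzaEvent` (the admin link is built with `kwargs={'pk': obj.pk}`), so it needs confirming which object the decorator actually checks. Its body is not part of this diff, and the bodies of both view classes are collapsed; if the decorator looks up an `Event` by the `pk` URL argument, the organiser test would run against an unrelated event that happens to share the id. A check bound to the right object can live in `dispatch`: `pizza_event = get_object_or_404(PizzaEvent, pk=kwargs['pk'])` followed by `if not is_organiser(request.member, pizza_event.event): raise PermissionDenied`. A test that requests both pages for a pizza event whose id differs from its event's id, once as organiser and once as non-organiser, would pin the behaviour down.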