Commit bb84dc09 authored by Luko van der Maas's avatar Luko van der Maas

Merge branch 'fix/registrations-api-without-right-permissions' into 'master'

Restrict changing registration to users with change registration perms

Closes #825

See merge request !1166
parents 5ef05612 6df7ad37
import csv
from django.contrib.admin.views.decorators import staff_member_required
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.http import HttpResponse, HttpResponseRedirect
from django.shortcuts import get_object_or_404
from django.urls import reverse
......@@ -18,22 +19,24 @@ from .models import Event, Registration
@method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch')
class EventAdminDetails(DetailView):
class EventAdminDetails(DetailView, PermissionRequiredMixin):
"""
Renders an overview of registrations for the specified event
"""
template_name = 'events/admin/details.html'
model = Event
context_object_name = 'event'
permission_required = 'events.change_event'
@method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch')
class EventRegistrationsExport(View):
class EventRegistrationsExport(View, PermissionRequiredMixin):
"""
View to export registrations
"""
template_name = 'events/admin/details.html'
permission_required = 'events.change_event'
def get(self, request, pk):
"""
......@@ -124,12 +127,13 @@ class EventRegistrationsExport(View):
@method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch')
class EventRegistrationEmailsExport(TemplateView):
class EventRegistrationEmailsExport(TemplateView, PermissionRequiredMixin):
"""
Renders a page that outputs all email addresses of registered members
for an event
"""
template_name = 'events/admin/email_export.html'
permission_required = 'events.view_event'
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
......@@ -147,12 +151,13 @@ class EventRegistrationEmailsExport(TemplateView):
@method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch')
class EventRegistrationsMarkPresent(View):
class EventRegistrationsMarkPresent(View, PermissionRequiredMixin):
"""
Renders a page that outputs all email addresses of registered members
for an event
"""
template_name = 'events/admin/email_export.html'
permission_required = 'events.change_registration'
def get(self, request, pk):
"""
......
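Review bot: The `permission_required` attributes added to the four views are likely never enforced, because `PermissionRequiredMixin` is listed after the view base class (`class EventAdminDetails(DetailView, PermissionRequiredMixin)`, and likewise for `EventRegistrationsExport`, `EventRegistrationEmailsExport` and `EventRegistrationsMarkPresent`). With that order `View.dispatch` comes first in the MRO and does not call `super().dispatch`, so the mixin's check is skipped and only the `staff_member_required` and `organiser_only` decorators guard these views. Put the mixin first, e.g. `class EventAdminDetails(PermissionRequiredMixin, DetailView):`, and add a test that a staff organiser without the permission is refused. Separately, the docstring of `EventRegistrationsMarkPresent` still describes the e-mail export and should say what this view does; its body is outside the hunk.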
......@@ -197,7 +197,9 @@ class RegistrationViewSet(GenericViewSet, RetrieveModelMixin,
def perform_update(self, serializer):
registration = serializer.instance
if services.is_organiser(self.request.member, registration.event):
member = self.request.member
if (member and member.has_perm('events.change_registration') and
services.is_organiser(member, registration.event)):
services.update_registration_by_organiser(
registration,
self.request.member,
......
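Review bot: The call to `services.update_registration_by_organiser` still passes `self.request.member` although the hunk introduces the local `member`; use `member` there so the object that was checked and the one acted on are visibly the same. The branch taken when the new condition is false lies outside the hunk, so it is worth confirming that an organiser without `events.change_registration` is rejected there rather than falling through to a path meant for members editing their own registration. A short comment above the condition, such as `# organisers may only edit registrations if they also hold change_registration`, would record why both checks are needed.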
......@@ -71,7 +71,7 @@ def is_organiser(member, event):
if member.is_superuser or member.has_perm("events.override_organiser"):
return True
if event and member.has_perm('events.change_event'):
if event:
return member.get_member_groups().filter(
pk=event.organiser.pk).count() != 0
......
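Review bot: Dropping `member.has_perm('events.change_event')` from this branch makes `is_organiser` return True for any member of the organising group, so every caller now has to perform its own permission check. Callers are not visible in this hunk; each use of `is_organiser` (and of anything built on it, presumably the `organiser_only` decorator) should be audited, and the docstring should state `Does not check model permissions; callers must do so.` As a style point, `.filter(pk=event.organiser.pk).exists()` expresses the membership test more directly than `.count() != 0`. The function starts and ends outside the hunk.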