Merge branch 'fix/registrations-api-without-right-permissions' into 'master'

Restrict changing registration to users with change registration perms Closes #825 See merge request !1166

Merge branch 'fix/registrations-api-without-right-permissions' into 'master'
Restrict changing registration to users with change registration perms Closes #825 See merge request !1166
bb84dc09 · Luko van der Maas · 5ef05612 · 6df7ad37 · bb84dc09 · bb84dc09
Commit bb84dc09 authored Feb 27, 2019 by Luko van der Maas
--- a/website/events/admin_views.py
+++ b/website/events/admin_views.py
 import csv

 from django.contrib.admin.views.decorators import staff_member_required
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import get_object_or_404
 from django.urls import reverse
@@ -18,22 +19,24 @@ from .models import Event, Registration

 @method_decorator([staff_member_required, ], name='dispatch')
 @method_decorator(organiser_only, name='dispatch')
-class EventAdminDetails(DetailView):
+class EventAdminDetails(DetailView, PermissionRequiredMixin):
    """
    Renders an overview of registrations for the specified event
    """
    template_name = 'events/admin/details.html'
    model = Event
    context_object_name = 'event'
+    permission_required = 'events.change_event'


 @method_decorator([staff_member_required, ], name='dispatch')
 @method_decorator(organiser_only, name='dispatch')
-class EventRegistrationsExport(View):
+class EventRegistrationsExport(View, PermissionRequiredMixin):
    """
    View to export registrations
    """
    template_name = 'events/admin/details.html'
+    permission_required = 'events.change_event'

    def get(self, request, pk):
        """
@@ -124,12 +127,13 @@ class EventRegistrationsExport(View):

 @method_decorator([staff_member_required, ], name='dispatch')
 @method_decorator(organiser_only, name='dispatch')
-class EventRegistrationEmailsExport(TemplateView):
+class EventRegistrationEmailsExport(TemplateView, PermissionRequiredMixin):
    """
    Renders a page that outputs all email addresses of registered members
    for an event
    """
    template_name = 'events/admin/email_export.html'
+    permission_required = 'events.view_event'

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
@@ -147,12 +151,13 @@ class EventRegistrationEmailsExport(TemplateView):

 @method_decorator([staff_member_required, ], name='dispatch')
 @method_decorator(organiser_only, name='dispatch')
-class EventRegistrationsMarkPresent(View):
+class EventRegistrationsMarkPresent(View, PermissionRequiredMixin):
    """
    Renders a page that outputs all email addresses of registered members
    for an event
    """
    template_name = 'events/admin/email_export.html'
+    permission_required = 'events.change_registration'

    def get(self, request, pk):
        """

--- a/website/events/api/viewsets.py
+++ b/website/events/api/viewsets.py
@@ -197,7 +197,9 @@ class RegistrationViewSet(GenericViewSet, RetrieveModelMixin,
    def perform_update(self, serializer):
        registration = serializer.instance

-        if services.is_organiser(self.request.member, registration.event):
+        member = self.request.member
+        if (member and member.has_perm('events.change_registration') and
+                services.is_organiser(member, registration.event)):
            services.update_registration_by_organiser(
                registration,
                self.request.member,

--- a/website/events/services.py
+++ b/website/events/services.py
@@ -71,7 +71,7 @@ def is_organiser(member, event):
        if member.is_superuser or member.has_perm("events.override_organiser"):
            return True

-        if event and member.has_perm('events.change_event'):
+        if event:
            return member.get_member_groups().filter(
                    pk=event.organiser.pk).count() != 0