Commit bb84dc09 authored by Luko van der Maas's avatar Luko van der Maas

Merge branch 'fix/registrations-api-without-right-permissions' into 'master'

Restrict changing registration to users with change registration perms

Closes #825

See merge request !1166
parents 5ef05612 6df7ad37
import csv import csv
from django.contrib.admin.views.decorators import staff_member_required from django.contrib.admin.views.decorators import staff_member_required
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.http import HttpResponse, HttpResponseRedirect from django.http import HttpResponse, HttpResponseRedirect
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
from django.urls import reverse from django.urls import reverse
...@@ -18,22 +19,24 @@ from .models import Event, Registration ...@@ -18,22 +19,24 @@ from .models import Event, Registration
@method_decorator([staff_member_required, ], name='dispatch') @method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch') @method_decorator(organiser_only, name='dispatch')
class EventAdminDetails(DetailView): class EventAdminDetails(DetailView, PermissionRequiredMixin):
""" """
Renders an overview of registrations for the specified event Renders an overview of registrations for the specified event
""" """
template_name = 'events/admin/details.html' template_name = 'events/admin/details.html'
model = Event model = Event
context_object_name = 'event' context_object_name = 'event'
permission_required = 'events.change_event'
@method_decorator([staff_member_required, ], name='dispatch') @method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch') @method_decorator(organiser_only, name='dispatch')
class EventRegistrationsExport(View): class EventRegistrationsExport(View, PermissionRequiredMixin):
""" """
View to export registrations View to export registrations
""" """
template_name = 'events/admin/details.html' template_name = 'events/admin/details.html'
permission_required = 'events.change_event'
def get(self, request, pk): def get(self, request, pk):
""" """
...@@ -124,12 +127,13 @@ class EventRegistrationsExport(View): ...@@ -124,12 +127,13 @@ class EventRegistrationsExport(View):
@method_decorator([staff_member_required, ], name='dispatch') @method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch') @method_decorator(organiser_only, name='dispatch')
class EventRegistrationEmailsExport(TemplateView): class EventRegistrationEmailsExport(TemplateView, PermissionRequiredMixin):
""" """
Renders a page that outputs all email addresses of registered members Renders a page that outputs all email addresses of registered members
for an event for an event
""" """
template_name = 'events/admin/email_export.html' template_name = 'events/admin/email_export.html'
permission_required = 'events.view_event'
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs) context = super().get_context_data(**kwargs)
...@@ -147,12 +151,13 @@ class EventRegistrationEmailsExport(TemplateView): ...@@ -147,12 +151,13 @@ class EventRegistrationEmailsExport(TemplateView):
@method_decorator([staff_member_required, ], name='dispatch') @method_decorator([staff_member_required, ], name='dispatch')
@method_decorator(organiser_only, name='dispatch') @method_decorator(organiser_only, name='dispatch')
class EventRegistrationsMarkPresent(View): class EventRegistrationsMarkPresent(View, PermissionRequiredMixin):
""" """
Renders a page that outputs all email addresses of registered members Renders a page that outputs all email addresses of registered members
for an event for an event
""" """
template_name = 'events/admin/email_export.html' template_name = 'events/admin/email_export.html'
permission_required = 'events.change_registration'
def get(self, request, pk): def get(self, request, pk):
""" """
......
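Review bot: `permission_required` is unlikely to be enforced on these four views, because `PermissionRequiredMixin` is listed after the view base class in `EventAdminDetails(DetailView, PermissionRequiredMixin)` and likewise in `EventRegistrationsExport`, `EventRegistrationEmailsExport` and `EventRegistrationsMarkPresent`. With that order `View.dispatch` is resolved first in the MRO and does not call `super()`, so the mixin's `dispatch`, which performs the check, never runs. List the mixin first, e.g. `class EventAdminDetails(PermissionRequiredMixin, DetailView):`, so that the `method_decorator(..., name='dispatch')` wrappers decorate the permission-checking `dispatch`. A test that a staff organiser without the permission is denied on each URL would catch this; the class bodies continue outside the hunks.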
...@@ -197,7 +197,9 @@ class RegistrationViewSet(GenericViewSet, RetrieveModelMixin, ...@@ -197,7 +197,9 @@ class RegistrationViewSet(GenericViewSet, RetrieveModelMixin,
def perform_update(self, serializer): def perform_update(self, serializer):
registration = serializer.instance registration = serializer.instance
if services.is_organiser(self.request.member, registration.event): member = self.request.member
if (member and member.has_perm('events.change_registration') and
services.is_organiser(member, registration.event)):
services.update_registration_by_organiser( services.update_registration_by_organiser(
registration, registration,
self.request.member, self.request.member,
......
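Review bot: A member who organises the event but lacks `events.change_registration` now falls through to whatever branch follows this `if` in `perform_update`, and that branch is outside the hunk. If it is the member's self-service update path, confirm that it rejects edits to another person's registration instead of applying them under member-level rules; an explicit denial for an organiser without the permission would be clearer than a silent fall-through. The call also still passes `self.request.member` to `update_registration_by_organiser`; pass the local `member` so the object that was checked is visibly the one that acts.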
...@@ -71,7 +71,7 @@ def is_organiser(member, event): ...@@ -71,7 +71,7 @@ def is_organiser(member, event):
if member.is_superuser or member.has_perm("events.override_organiser"): if member.is_superuser or member.has_perm("events.override_organiser"):
return True return True
if event and member.has_perm('events.change_event'): if event:
return member.get_member_groups().filter( return member.get_member_groups().filter(
pk=event.organiser.pk).count() != 0 pk=event.organiser.pk).count() != 0
......
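Review bot: Dropping `member.has_perm('events.change_event')` from the `if event:` branch turns `is_organiser` into a pure group-membership test, so every caller that relied on it for authorisation must now check the model permission itself. Only the callers touched in this commit are visible here; any other user of `is_organiser` (presumably including the `organiser_only` decorator) should be audited, since those paths now pass for any member of the organising group. A docstring line such as `Membership check only; callers must verify model permissions separately.` would state the new contract. `is_organiser` starts and ends outside the hunk.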