Commit f9a4b389 authored by Luko van der Maas's avatar Luko van der Maas

Merge branch 'fix/pizza-order-permissions' into 'master'

Fix pizza order permissions

Closes #872

See merge request !1321
parents 5cdb48f0 822f3506
......@@ -2,15 +2,14 @@ from django.conf import settings
from django.contrib import admin
from django.core.exceptions import PermissionDenied
from django.urls import reverse, path
from django.utils import timezone
from django.utils.html import format_html
from django.utils.translation import ugettext_lazy as _
from events import services
from events.services import is_organiser
from pizzas import admin_views
from utils.admin import DoNextModelAdmin
from .models import Order, PizzaEvent, Product
from events.models import Event
from events.services import is_organiser
@admin.register(Product)
......@@ -26,6 +25,7 @@ class PizzaEventAdmin(admin.ModelAdmin):
date_hierarchy = 'start'
exclude = ('end_reminder',)
search_fields = [f'event__title_{l[0]}' for l in settings.LANGUAGES]
autocomplete_fields = ('event',)
def notification_enabled(self, obj):
return obj.send_notification
......@@ -33,18 +33,25 @@ class PizzaEventAdmin(admin.ModelAdmin):
notification_enabled.admin_order_field = 'send_notification'
notification_enabled.boolean = True
def has_change_permission(self, request, obj=None):
"""Only allow access to the change form if the user is an organiser"""
if (obj is not None and
not services.is_organiser(request.member, obj.event)):
return False
return super().has_change_permission(request, obj)
def has_delete_permission(self, request, obj=None):
"""Only allow access to delete if the user is an organiser"""
if (obj is not None and
not services.is_organiser(request.member, obj.event)):
return False
return super().has_delete_permission(request, obj)
def orders(self, obj):
url = reverse('admin:pizzas_pizzaevent_details', kwargs={'pk': obj.pk})
return format_html('<a href="{url}">{text}</a>',
url=url, text=_("Orders"))
def formfield_for_foreignkey(self, db_field, request, **kwargs):
if db_field.name == "event":
kwargs["queryset"] = Event.objects.filter(
end__gte=timezone.now())
return super(PizzaEventAdmin, self).formfield_for_foreignkey(
db_field, request, **kwargs)
def get_urls(self):
urls = super().get_urls()
custom_urls = [
......
"""Admin views provided by the pizzas package"""
from django.shortcuts import get_object_or_404
from django.utils.decorators import method_decorator
from django.utils.text import capfirst
from django.utils.translation import ugettext_lazy as _
from django.views.generic import TemplateView
from events.decorators import organiser_only
from payments.models import Payment
from pizzas.models import PizzaEvent, Order
@method_decorator(organiser_only, name='dispatch')
class PizzaOrderSummary(TemplateView):
template_name = 'pizzas/admin/summary.html'
admin = None
......@@ -57,6 +60,7 @@ class PizzaOrderSummary(TemplateView):
return context
@method_decorator(organiser_only, name='dispatch')
class PizzaOrderDetails(TemplateView):
template_name = 'pizzas/admin/orders.html'
admin = None
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment