Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AlekSIS-Core
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Terraform modules
Monitor
Service Desk
Analyze
Contributor analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
AlekSIS®
Official
AlekSIS-Core
Commits
46c4dd04
Verified
Commit
46c4dd04
authored
3 years ago
by
Jonathan Weth
Browse files
Options
Downloads
Patches
Plain Diff
Fix permission checking for person form so users can (only) edit the configured fields
parent
eefe8e04
No related branches found
Branches containing commit
No related tags found
Tags containing commit
1 merge request
!752
Resolve "Users are able to change the linked user, but not the supposed fields"
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
aleksis/core/forms.py
+12
-9
12 additions, 9 deletions
aleksis/core/forms.py
aleksis/core/rules.py
+0
-13
0 additions, 13 deletions
aleksis/core/rules.py
with
12 additions
and
22 deletions
aleksis/core/forms.py
+
12
−
9
View file @
46c4dd04
...
...
@@ -146,17 +146,20 @@ class EditPersonForm(ExtensibleForm):
super
().
__init__
(
*
args
,
**
kwargs
)
# Disable non-editable fields
person_fields
=
set
([
field
.
name
for
field
in
Person
.
syncable_fields
()]).
intersection
(
set
(
self
.
fields
)
)
allowed_person_fields
=
get_site_preferences
()[
"
account__editable_fields_person
"
]
if
self
.
instance
:
checker
=
ObjectPermissionChecker
(
request
.
user
)
checker
.
prefetch_perms
([
self
.
instance
])
if
(
request
and
self
.
instance
and
not
request
.
user
.
has_perm
(
"
core.change_person
"
,
self
.
instance
)
):
# First, disable all fields
for
field
in
self
.
fields
:
self
.
fields
[
field
].
disabled
=
True
for
field
in
person_
fields
:
if
not
checker
.
has_perm
(
f
"
core.change_person_field_
{
field
}
"
,
self
.
instance
)
:
self
.
fields
[
field
].
disabled
=
Tru
e
# Then, activate allowed
fields
for
field
in
allowed_person_fields
:
self
.
fields
[
field
].
disabled
=
Fals
e
def
clean
(
self
)
->
None
:
# Use code implemented in dedicated form to verify user selection
...
...
This diff is collapsed.
Click to expand it.
aleksis/core/rules.py
+
0
−
13
View file @
46c4dd04
...
...
@@ -2,7 +2,6 @@ import rules
from
.models
import
AdditionalField
,
Announcement
,
Group
,
GroupType
,
Person
from
.util.predicates
import
(
contains_site_preference_value
,
has_any_object
,
has_global_perm
,
has_object_perm
,
...
...
@@ -350,15 +349,3 @@ rules.add_perm("core.upload_files_ckeditor_rule", upload_files_ckeditor_predicat
test_pdf_generation_predicate
=
has_person
&
has_global_perm
(
"
core.test_pdf
"
)
rules
.
add_perm
(
"
core.test_pdf_rule
"
,
test_pdf_generation_predicate
)
# Generate rules for syncable fields
for
field
in
Person
.
_meta
.
fields
:
perm
=
(
has_global_perm
(
"
core.edit_person
"
)
|
has_object_perm
(
"
core.edit_person
"
)
|
(
is_current_person
&
contains_site_preference_value
(
"
account
"
,
"
editable_fields_person
"
,
field
.
name
)
)
)
rules
.
add_perm
(
f
"
core.change_person_field_
{
field
.
name
}
_rule
"
,
perm
)
This diff is collapsed.
Click to expand it.
Jonathan Weth
@hansegucker
mentioned in commit
e12f4f1d
·
3 years ago
mentioned in commit
e12f4f1d
mentioned in commit e12f4f1dd94ee5f0cc1c91ee4ec79b7377291365
Toggle commit list
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
