add permissions, show own bookings only

a3c88687 · Frank Poetzsch-Heffter · e819f322 · a3c88687 · a3c88687 · a3c88687
Commit a3c88687 authored 5 years ago by Frank Poetzsch-Heffter
--- a/schoolapps/fibu/decorators.py
+++ b/schoolapps/fibu/decorators.py
+from django.contrib.auth.decorators import user_passes_test
+from django.contrib.auth import REDIRECT_FIELD_NAME
+
+from .models import Booking
+
+
+# prevent to show aub details from foreign users
+def check_own_booking_verification(user):
+    return Booking.objects.all().filter(created_by=user)
+
+
+def check_own_booking(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
+    """
+    Decorator for views that checks that the user only gets his own bookings, redirecting
+    to the dashboard if necessary.
+    """
+    actual_decorator = user_passes_test(
+        check_own_booking_verification,
+        login_url=login_url,
+        redirect_field_name=redirect_field_name
+    )
+    if function:
+        return actual_decorator(function)
+    return actual_decorator
--- a/schoolapps/fibu/filters.py
+++ b/schoolapps/fibu/filters.py
@@ -5,7 +5,7 @@ from django.db.utils import ProgrammingError


 def get_fibu_users():
-    """ Find all users who sends an AUB """
+    """ Find all users who requests a boooking """
    try:
        fibu_users = Booking.objects.values_list('contact')
        users = list(User.objects.filter(id__in=fibu_users))

--- a/schoolapps/fibu/models.py
+++ b/schoolapps/fibu/models.py
@@ -36,9 +36,9 @@ class Costcenter(models.Model):
        return "%s" % (self.name)

    class Meta:
-        permissions = (
-            ('edit_costcenter', 'Can edit cost center'),
-        )
+        permissions = [
+            ('manage_costcenter', 'Can manage costcenter'),
+        ]

 class Account(models.Model):
    # Buchungskonten, z.B. Fachschaften, Sekretariat, Schulleiter, Kopieren, Tafelnutzung
@@ -53,9 +53,9 @@ class Account(models.Model):
        return "%s: %s" % (self.costcenter, self.name)

    class Meta:
-        permissions = (
-            ('edit_account', 'Can edit account'),
-        )
+        permissions = [
+            ('manage_account', 'Can manage account'),
+        ]

 class Booking(models.Model):
    account         = models.ForeignKey(to=Account, on_delete=models.SET_NULL, blank=True, null=True)
@@ -81,7 +81,7 @@ class Booking(models.Model):


    class Meta:
-        permissions = (
-            ('edit_booking', 'Can edit bookings'),
-            ('apply_acquisition', 'Can apply an acquisition'),
-        )
\ No newline at end of file
+        permissions = [
+            ('manage_booking', 'Can manage bookings'),
+            ('request_booking', 'Can request a booking'),
+        ]
\ No newline at end of file
--- a/schoolapps/fibu/views.py
+++ b/schoolapps/fibu/views.py
@@ -5,11 +5,12 @@ from django.shortcuts import render, redirect, get_object_or_404
 from .models import Booking, Costcenter, Account
 from .filters import BookingFilter
 from .forms import EditBookingForm, CheckBookingForm, BookBookingForm, EditCostcenterForm, EditAccountForm
-
+from .decorators import check_own_booking

 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.request_booking')
 def index(request):
+    fibu_user = request.user
    if request.method == 'POST':
        if 'booking-id' in request.POST:
            booking_id = request.POST['booking-id']
@@ -49,14 +50,14 @@ def index(request):
        # a.save()
        # return redirect('fibu_make_booking')
        return redirect('fibu_index')
-    bookings = Booking.objects.filter().order_by('status')
+    bookings = Booking.objects.filter(contact=fibu_user).order_by('status')

    context = {'bookings': bookings, 'form': form}
    return render(request, 'fibu/index.html', context)


 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.request_booking')
 def edit(request, id):
    booking = get_object_or_404(Booking, id=id)
    form = EditBookingForm(instance=booking)
@@ -78,7 +79,7 @@ def edit(request, id):


 @login_required
-# @permission_required('fibu.check_booking')
+@permission_required('fibu.manage_booking')
 def check(request):
    if request.method == 'POST':
        if 'booking-id' in request.POST:
@@ -110,7 +111,7 @@ def check(request):
    return render(request, 'fibu/booking/check.html', {'filter': bookings, 'form': form})

 @login_required
-# @permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def booking(request, archiv):
    if archiv:
        bookings = Booking.objects.filter(status=5).order_by('-status')
@@ -120,7 +121,7 @@ def booking(request, archiv):
    return render(request, 'fibu/booking/index.html', context)

 @login_required
-#@permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def book(request, id):
    booking = get_object_or_404(Booking, id=id)
    form = BookBookingForm(instance=booking)
@@ -139,7 +140,7 @@ def book(request, id):
    return render(request, template, context)

 @login_required
-#@permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def new_booking(request):
    form = BookBookingForm()
    template = 'fibu/booking/new.html'
@@ -158,7 +159,7 @@ def new_booking(request):


 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_costcenter')
 def costcenter(request):
    if request.method == 'POST':
        if 'costcenter-id' in request.POST:
@@ -198,7 +199,7 @@ def costcenter(request):


 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.manage_costcenter')
 def costcenter_edit(request, id):
    costcenter = get_object_or_404(Costcenter, id=id)
    form = EditCostcenterForm(instance=costcenter)
@@ -219,7 +220,7 @@ def costcenter_edit(request, id):
    return render(request, template, context)

 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_account')
 def account(request):
    if request.method == 'POST':
        if 'account-id' in request.POST:
@@ -261,7 +262,7 @@ def account(request):


 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.manage_account')
 def account_edit(request, id):
    account = get_object_or_404(Account, id=id)
    form = EditAccountForm(instance=account)
@@ -283,12 +284,12 @@ def account_edit(request, id):


 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_booking')
 def reports(request):
    return render(request, 'fibu/reports/index.html')

 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_booking')
 def expenses(request):
    costcenterlist = Costcenter.objects.filter()
    costcenter_accounts = {}

--- a/schoolapps/templates/partials/header.html
+++ b/schoolapps/templates/partials/header.html
@@ -177,38 +177,52 @@
                    </ul>
                    </div>
                </li>
+
+            <li>
+                <div class="divider"></div>
+            </li>
            {% endif %}
+            {% if perms.fibu.request_booking  or perms.fibu.manage_booking or perms.fibu.manage_costcenter or perms.fibu.manage.account %}
                <li class="bold url-fibu_index url-booking-check url-booking_book">
                    <a class="collapsible-header waves-effect waves-primary" href="{% url 'fibu_index' %}"><i class="material-icons">euro_symbol</i>
                        Finanzen
                    </a>
                    <div class="collapsible-body">
                        <ul>
+                            {% if perms.fibu.request_booking %}
                            <li class="url-booking_check">
                                <a href="{% url 'booking_check' %}"><i class="material-icons">done</i>Anträge</a>
                            </li>
+                            {% endif %}
+                            {% if perms.fibu.manage_booking %}
                            <li class="url-booking">
                                <a href="{% url 'booking' 0 %}"><i class="material-icons">done</i>Buchungen</a>
                            </li>
+                            {% endif %}
+                            {% if perms.fibu.manage_costcenter %}
                            <li class="url-costcenter">
                                <a href="{% url 'costcenter' %}"><i class="material-icons">done</i>Kostenstellen</a>
                            </li>
                            <li class="url-account">
                                <a href="{% url 'account' %}"><i class="material-icons">done</i>Buchungskonten</a>
                            </li>
+                            {% endif %}
+                            {% if perms.fibu.manage_booking %}
                            <li class="url-reports url-expenses">
                                <a href="{% url 'reports' %}"><i class="material-icons">done</i>Berichte</a>
                            </li>
+                            {% endif %}
                        </ul>
                    </div>
                </li>
+
            </ul>
            </li>

            <li>
                <div class="divider"></div>
            </li>
-
+            {% endif %}
            {% if perms.timetable.show_plan %}
                <li class="bold">
                    <a class="collapsible-header waves-effect waves-primary"><i class="material-icons">school</i>
@@ -254,11 +268,11 @@
                        </ul>
                    </div>
                </li>
-            {% endif %}

            <li>
                <div class="divider"></div>
            </li>
+            {% endif %}

            <li>
                <a href="{% url 'menu_show_current' %}" target="_blank">
@@ -266,7 +280,6 @@
                </a>
            </li>

-
            {% if perms.menu.add_menu %}
                <li class="url-menu_index url-menu_upload url-menu_index_msg">
                    <a href="{% url 'menu_index' %}">