diff --git a/schoolapps/fibu/decorators.py b/schoolapps/fibu/decorators.py
new file mode 100644
index 0000000000000000000000000000000000000000..3c944913ee6facb6d897c8eee22457a74c0f5496
--- /dev/null
+++ b/schoolapps/fibu/decorators.py
@@ -0,0 +1,24 @@
+from django.contrib.auth.decorators import user_passes_test
+from django.contrib.auth import REDIRECT_FIELD_NAME
+
+from .models import Booking
+
+
+# prevent to show aub details from foreign users
+def check_own_booking_verification(user):
+ return Booking.objects.all().filter(created_by=user)
+
+ def check_own_booking(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
+ """
+ Decorator for views that checks that the user only gets his own bookings, redirecting
+ to the dashboard if necessary.
+ """
+ actual_decorator = user_passes_test(
+ check_own_booking_verification,
+ login_url=login_url,
+ redirect_field_name=redirect_field_name
+ )
+ if function:
+ return actual_decorator(function)
+ return actual_decorator
diff --git a/schoolapps/fibu/filters.py b/schoolapps/fibu/filters.py
index 54b341709cf98c3c3fce577fb17c77db2d8c38bc..e6ca80862169f0d0fdd037163f23b0ffdfaedd34 100644
--- a/schoolapps/fibu/filters.py
+++ b/schoolapps/fibu/filters.py
@@ -5,7 +5,7 @@ from django.db.utils import ProgrammingError
 def get_fibu_users():
- """ Find all users who sends an AUB """
+ """ Find all users who requests a boooking """
 try:
 fibu_users = Booking.objects.values_list('contact')
 users = list(User.objects.filter(id__in=fibu_users))
diff --git a/schoolapps/fibu/models.py b/schoolapps/fibu/models.py
index 50a0cd386fe66d3c2331a52dfae447d9fcb48f23..1e460fe2bb3a50f6f42e7fbee0b2214307e42182 100644
--- a/schoolapps/fibu/models.py
+++ b/schoolapps/fibu/models.py
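Review bot: `check_own_booking_verification` cannot verify ownership of the booking a view is serving: `user_passes_test` passes it only the user, and the QuerySet it returns is truthy whenever that user has created at least one booking, so the decorator would admit such a user to any booking id. The per-object check belongs in the view that receives the id, e.g. `booking = get_object_or_404(Booking, id=id, created_by=request.user)`; if the decorator is kept, its test should return a bool, `return Booking.objects.filter(created_by=user).exists()`. It also filters on `created_by` while `index` in views.py filters on `contact`; confirm which field identifies the owner so both checks agree. The docstring promises a redirect to the dashboard, but with `login_url=None` `user_passes_test` redirects to `settings.LOGIN_URL`; either the docstring or the default should change.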
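Review bot: The new docstring on `get_fibu_users` has a typo and a number mismatch; `""" Find all users who request a booking """` reads correctly. The rest of the function is outside the hunk.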
@@ -36,9 +36,9 @@ class Costcenter(models.Model):
 return "%s" % (self.name)
 class Meta:
- permissions = (
- ('edit_costcenter', 'Can edit cost center'),
- )
+ permissions = [
+ ('manage_costcenter', 'Can manage costcenter'),
+ ]
 class Account(models.Model): # Buchungskonten, z.B. Fachschaften, Sekretariat, Schulleiter, Kopieren, Tafelnutzung
@@ -53,9 +53,9 @@ class Account(models.Model):
 return "%s: %s" % (self.costcenter, self.name)
 class Meta:
- permissions = (
- ('edit_account', 'Can edit account'),
- )
+ permissions = [
+ ('manage_account', 'Can manage account'),
+ ]
 class Booking(models.Model):
 account = models.ForeignKey(to=Account, on_delete=models.SET_NULL, blank=True, null=True)
@@ -81,7 +81,7 @@ class Booking(models.Model):
 class Meta:
- permissions = (
- ('edit_booking', 'Can edit bookings'),
- ('apply_acquisition', 'Can apply an acquisition'),
- )
\ No newline at end of file
+ permissions = [
+ ('manage_booking', 'Can manage bookings'),
+ ('request_booking', 'Can request a booking'),
+ ]
\ No newline at end of file
diff --git a/schoolapps/fibu/views.py b/schoolapps/fibu/views.py
index 04a46b849e0fc0b77b2e204153a7cf629eb8edc8..8a66ac4779ee62b632ae0517464fab8f425a55f2 100644
--- a/schoolapps/fibu/views.py
+++ b/schoolapps/fibu/views.py
@@ -5,11 +5,12 @@ from django.shortcuts import render, redirect, get_object_or_404
 from .models import Booking, Costcenter, Account
 from .filters import BookingFilter
 from .forms import EditBookingForm, CheckBookingForm, BookBookingForm, EditCostcenterForm, EditAccountForm
-
+from .decorators import check_own_booking
 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.request_booking')
 def index(request):
+ fibu_user = request.user
 if request.method == 'POST':
 if 'booking-id' in request.POST:
 booking_id = request.POST['booking-id']
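Review bot: Renaming the `Meta.permissions` codenames (`edit_costcenter` → `manage_costcenter` here, and likewise `edit_account` → `manage_account` and `edit_booking`/`apply_acquisition` → `manage_booking`/`request_booking` in the two following hunks) does not carry existing group or user assignments over: Django creates the new `auth.Permission` rows after migrate, but the old rows and their assignments stay, so everyone loses access to the views now guarded by the new codenames until an admin reassigns them. Changing `Meta.permissions` also produces an `AlterModelOptions` migration, and no migration file is part of this diff; a data migration that updates the codenames in place (or copies the group memberships) would keep existing deployments working. While touching the last hunk, adding the missing trailing newline would remove the `\ No newline at end of file` marker.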
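Review bot: `check_own_booking` is imported here but not applied to any view in this diff, and the removed blank line leaves only one blank line between the import block and `@login_required`, where PEP 8 wants two before a top-level definition. Either apply the decorator or drop the import. The new `fibu_user = request.user` alias is only worthwhile if the POST branch of `index`, which reads `booking-id` and continues outside this hunk, also scopes its lookup to that user; that is not visible here, so confirm it rather than assume it.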
@@ -49,14 +50,14 @@ def index(request):
 # a.save() # return redirect('fibu_make_booking')
 return redirect('fibu_index')
- bookings = Booking.objects.filter().order_by('status')
+ bookings = Booking.objects.filter(contact=fibu_user).order_by('status')
 context = {'bookings': bookings, 'form': form}
 return render(request, 'fibu/index.html', context)
 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.request_booking')
 def edit(request, id):
 booking = get_object_or_404(Booking, id=id)
 form = EditBookingForm(instance=booking)
@@ -78,7 +79,7 @@ def edit(request, id):
 @login_required
-# @permission_required('fibu.check_booking')
+@permission_required('fibu.manage_booking')
 def check(request):
 if request.method == 'POST':
 if 'booking-id' in request.POST:
@@ -110,7 +111,7 @@ def check(request):
 return render(request, 'fibu/booking/check.html', {'filter': bookings, 'form': form})
 @login_required
-# @permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def booking(request, archiv):
 if archiv:
 bookings = Booking.objects.filter(status=5).order_by('-status')
@@ -120,7 +121,7 @@ def booking(request, archiv):
 return render(request, 'fibu/booking/index.html', context)
 @login_required
-#@permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def book(request, id):
 booking = get_object_or_404(Booking, id=id)
 form = BookBookingForm(instance=booking)
@@ -139,7 +140,7 @@ def book(request, id):
 return render(request, template, context)
 @login_required
-#@permission_required('fibu.book_booking')
+@permission_required('fibu.manage_booking')
 def new_booking(request):
 form = BookBookingForm()
 template = 'fibu/booking/new.html'
@@ -158,7 +159,7 @@ def new_booking(request):
 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_costcenter')
 def costcenter(request):
 if request.method == 'POST':
 if 'costcenter-id' in request.POST:
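Review bot: `index` now lists only `Booking.objects.filter(contact=fibu_user)`, but `edit` in the same hunk still loads `get_object_or_404(Booking, id=id)` under the same `fibu.request_booking` permission, so the ownership scope applied to the list is not applied to the edit form reached by id. Using the same filter on the lookup, `booking = get_object_or_404(Booking, id=id, contact=request.user)`, keeps both views consistent; the same applies to any path in `index` that reads `booking-id` from the POST. The body of `edit` continues past the hunk, so a later ownership check may exist; confirm before closing. The `check`, `booking`, `book` and `new_booking` hunks below are guarded by `manage_booking`, where an unscoped lookup appears intended.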
@@ -198,7 +199,7 @@ def costcenter(request):
 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.manage_costcenter')
 def costcenter_edit(request, id):
 costcenter = get_object_or_404(Costcenter, id=id)
 form = EditCostcenterForm(instance=costcenter)
@@ -219,7 +220,7 @@ def costcenter_edit(request, id):
 return render(request, template, context)
 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_account')
 def account(request):
 if request.method == 'POST':
 if 'account-id' in request.POST:
@@ -261,7 +262,7 @@ def account(request):
 @login_required
-# @permission_required('aub.apply_for_aub')
+@permission_required('fibu.manage_account')
 def account_edit(request, id):
 account = get_object_or_404(Account, id=id)
 form = EditAccountForm(instance=account)
@@ -283,12 +284,12 @@ def account_edit(request, id):
 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_booking')
 def reports(request):
 return render(request, 'fibu/reports/index.html')
 @login_required
-#@permission_required('fibu.view_booking')
+@permission_required('fibu.manage_booking')
 def expenses(request):
 costcenterlist = Costcenter.objects.filter()
 costcenter_accounts = {}
diff --git a/schoolapps/templates/partials/header.html b/schoolapps/templates/partials/header.html
index db01b1d5642f59d7a93f48141c5717ac1c87d25b..fdc02b087831805c0f9dc6d969f545bad5758a04 100755
--- a/schoolapps/templates/partials/header.html
+++ b/schoolapps/templates/partials/header.html
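Review bot: Every `@permission_required(...)` added in this file (these hunks and the earlier ones from `index` through `costcenter`) uses the default `raise_exception=False`, so an authenticated user who lacks the permission is redirected to the login page with a `next` parameter and shown the login form again instead of receiving a 403. `@permission_required('fibu.manage_account', raise_exception=True)` raises `PermissionDenied`, which is the response a failed authorization check should produce and is also what the server log should record. Keep `@login_required` above it so anonymous users are still sent to log in rather than getting the 403.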
@@ -177,38 +177,52 @@ </ul> </div> </li> + + <li> + <div class="divider"></div> + </li> {% endif %} + {% if perms.fibu.request_booking or perms.fibu.manage_booking or perms.fibu.manage_costcenter or perms.fibu.manage.account %} <li class="bold url-fibu_index url-booking-check url-booking_book"> <a class="collapsible-header waves-effect waves-primary" href="{% url 'fibu_index' %}"><i class="material-icons">euro_symbol</i> Finanzen </a> <div class="collapsible-body"> <ul> + {% if perms.fibu.request_booking %} <li class="url-booking_check"> <a href="{% url 'booking_check' %}"><i class="material-icons">done</i>Anträge</a> </li> + {% endif %} + {% if perms.fibu.manage_booking %} <li class="url-booking"> <a href="{% url 'booking' 0 %}"><i class="material-icons">done</i>Buchungen</a> </li> + {% endif %} + {% if perms.fibu.manage_costcenter %} <li class="url-costcenter"> <a href="{% url 'costcenter' %}"><i class="material-icons">done</i>Kostenstellen</a> </li> <li class="url-account"> <a href="{% url 'account' %}"><i class="material-icons">done</i>Buchungskonten</a> </li> + {% endif %} + {% if perms.fibu.manage_booking %} <li class="url-reports url-expenses"> <a href="{% url 'reports' %}"><i class="material-icons">done</i>Berichte</a> </li> + {% endif %} </ul> </div> </li> + </ul> </li> <li> <div class="divider"></div> </li> - + {% endif %} {% if perms.timetable.show_plan %} <li class="bold"> <a class="collapsible-header waves-effect waves-primary"><i class="material-icons">school</i> @@ -254,11 +268,11 @@ </ul> </div> </li> - {% endif %} <li> <div class="divider"></div> </li> + {% endif %} <li> <a href="{% url 'menu_show_current' %}" target="_blank"> @@ -266,7 +280,6 @@ </a> </li> - {% if perms.menu.add_menu %} <li class="url-menu_index url-menu_upload url-menu_index_msg"> <a href="{% url 'menu_index' %}">
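Review bot: The outer guard `{% if perms.fibu.request_booking or ... or perms.fibu.manage.account %}` has a typo in its last term: `perms.fibu.manage.account` looks up a permission named `manage`, which does not exist, and then an attribute on the resulting bool, so it silently evaluates false and a user holding only `fibu.manage_account` never sees the Finanzen menu; it should read `perms.fibu.manage_account`. The inner guards also disagree with views.py: the `booking_check` link is shown for `request_booking` although the `check` view requires `manage_booking`, and the `account` link sits inside the `manage_costcenter` block although the `account` view requires `manage_account`. Gating each link on the permission its view checks avoids menu entries that end in a redirect. The last hunk of this file is cut off at the end of the diff, so the removed `{% if perms.menu.add_menu %}` could not be checked for a matching `{% endif %}`.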