From 4997a370585923bccea565e29ee6ea1d1a31b9a0 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <yohann.danello@gmail.com>
Date: Sat, 15 Aug 2020 23:27:58 +0200
Subject: [PATCH] Ensure that the user is authenticated before checking that they have the
 permission to see the page

---
 apps/activity/views.py   |  4 ++--
 apps/member/views.py     |  4 ++--
 apps/note/views.py       |  4 ++++
 apps/permission/views.py |  7 ++++++-
 apps/treasury/views.py   | 16 ++++++++++++++--
 apps/wei/views.py        | 12 ++++++------
 6 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/apps/activity/views.py b/apps/activity/views.py
index 3d596a3f..a0f812d9 100644
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@@ -20,7 +20,7 @@ from .models import Activity, Entry, Guest
 from .tables import ActivityTable, EntryTable, GuestTable
 
 
-class ActivityCreateView(LoginRequiredMixin, ProtectedCreateView):
+class ActivityCreateView(ProtectedCreateView):
     model = Activity
     form_class = ActivityForm
     extra_context = {"title": _("Create new activity")}
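Review bot: `ActivityCreateView` is the only create view touched by this patch that inherits from `ProtectedCreateView` without `ProtectQuerysetMixin` — `ActivityInviteView` in the next hunk and every member, treasury and wei create view keep `ProtectQuerysetMixin, ProtectedCreateView`. If that omission is deliberate, a one-line comment on the class would keep the next reader from assuming the mixin was dropped by mistake, e.g. `# Deliberately no ProtectQuerysetMixin here: <reason>`. The class body continues outside the hunk.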
@@ -98,7 +98,7 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
 
 
-class ActivityInviteView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
     model = Guest
     form_class = GuestForm
     template_name = "activity/activity_invite.html"
diff --git a/apps/member/views.py b/apps/member/views.py
index 869f060d..8cb384e8 100644
--- a/apps/member/views.py
+++ b/apps/member/views.py
@@ -295,7 +295,7 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
 # ******************************* #
 
 
-class ClubCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create Club
     """
@@ -446,7 +446,7 @@ class ClubPictureUpdateView(PictureUpdateView):
         return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})
 
 
-class ClubAddMemberView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Add a membership to a club.
     """
diff --git a/apps/note/views.py b/apps/note/views.py
index 17efdc3e..0312f11f 100644
--- a/apps/note/views.py
+++ b/apps/note/views.py
@@ -156,6 +156,10 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
     table_class = HistoryTable
 
     def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
         templates = TransactionTemplate.objects.filter(
             PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
         )
diff --git a/apps/permission/views.py b/apps/permission/views.py
index 4b59204b..6a5c9b12 100644
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@@ -3,6 +3,7 @@
 
 from datetime import date
 
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import Q
 from django.forms import HiddenInput
@@ -44,7 +45,7 @@ class ProtectQuerysetMixin:
         return form
 
 
-class ProtectedCreateView(CreateView):
+class ProtectedCreateView(LoginRequiredMixin, CreateView):
     """
     Extends a CreateView to check is the user has the right to create a sample instance of the given Model.
     If not, a 403 error is displayed.
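Review bot: The docstring still describes only the per-model creation check, while the class now also mixes in `LoginRequiredMixin`, and the subclasses that dropped the mixin in this commit (activity, member, treasury, wei) rely on this base for their login requirement. Add a sentence stating that contract, e.g. `Requires an authenticated user: anonymous users are handed to LoginRequiredMixin.handle_no_permission before the creation check runs.` The docstring continues outside the hunk.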
@@ -58,6 +59,10 @@ class ProtectedCreateView(CreateView):
         raise NotImplementedError
 
     def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated before that he/she has the permission to access here
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
         model_class = self.model
         # noinspection PyProtectedMember
         app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
diff --git a/apps/treasury/views.py b/apps/treasury/views.py
index 351253bf..480ed290 100644
--- a/apps/treasury/views.py
+++ b/apps/treasury/views.py
@@ -29,7 +29,7 @@ from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeC
 from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable
 
 
-class InvoiceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class InvoiceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create Invoice
     """
@@ -90,6 +90,10 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
     extra_context = {"title": _("Invoices list")}
 
     def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
         sample_invoice = Invoice(
             id=0,
             object="",
@@ -215,7 +219,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
         return response
 
 
-class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class RemittanceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create Remittance
     """
@@ -251,6 +255,10 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
     extra_context = {"title": _("Remittances list")}
 
     def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
         sample_remittance = Remittance(
             remittance_type_id=1,
             comment="",
@@ -377,6 +385,10 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
     extra_context = {"title": _("List of credits from the Société générale")}
 
     def dispatch(self, request, *args, **kwargs):
+        # Check that the user is authenticated
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+
         if not self.get_queryset().exists():
             raise PermissionDenied(_("You are not able to see the treasury interface."))
         return super().dispatch(request, *args, **kwargs)
diff --git a/apps/wei/views.py b/apps/wei/views.py
index 74830066..978c77f7 100644
--- a/apps/wei/views.py
+++ b/apps/wei/views.py
@@ -67,7 +67,7 @@ class WEIListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         return context
 
 
-class WEICreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEICreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create WEI
     """
@@ -286,7 +286,7 @@ class WEIUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         return reverse_lazy("wei:wei_detail", kwargs={"pk": self.object.pk})
 
 
-class BusCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create Bus
     """
@@ -381,7 +381,7 @@ class BusManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         return context
 
 
-class BusTeamCreateView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class BusTeamCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Create BusTeam
     """
@@ -474,7 +474,7 @@ class BusTeamManageView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         return context
 
 
-class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister1AView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Register a new user to the WEI
     """
@@ -541,7 +541,7 @@ class WEIRegister1AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreat
         return reverse_lazy("wei:wei_survey", kwargs={"pk": self.object.pk})
 
 
-class WEIRegister2AView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIRegister2AView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Register an old user to the WEI
     """
@@ -761,7 +761,7 @@ class WEIDeleteRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, Delete
         return reverse_lazy('wei:wei_detail', args=(self.object.wei.pk,))
 
 
-class WEIValidateRegistrationView(ProtectQuerysetMixin, LoginRequiredMixin, ProtectedCreateView):
+class WEIValidateRegistrationView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Validate WEI Registration
     """
-- 
GitLab