From fe4363b83de2f459d1048a0e7276f49b8b55697b Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <yohann.danello@gmail.com>
Date: Sun, 25 Oct 2020 21:29:44 +0100
Subject: [PATCH] Don't display too much detail when a user has no right to see
 a profile

---
 apps/member/tables.py                         | 16 ++++++++++
 .../member/includes/profile_info.html         | 30 ++++++++++---------
 2 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/apps/member/tables.py b/apps/member/tables.py
index bc40368c..a9676928 100644
--- a/apps/member/tables.py
+++ b/apps/member/tables.py
@@ -43,8 +43,24 @@ class UserTable(tables.Table):
 
     section = tables.Column(accessor='profile__section')
 
+    # Override the column to let replace the URL
+    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
+
     balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
 
+    def render_email(self, record, value):
+        # Replace the email by a dash if the user can't see the profile detail
+        # Replace also the URL
+        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
+            value = "—"
+            record.email = value
+        return value
+
+    def render_section(self, record, value):
+        return value \
+            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
+            else "—"
+
     def render_balance(self, record, value):
         return pretty_money(value)\
             if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
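Review bot: `render_email` blanks the address by assigning `record.email = value`, which mutates the model instance for the rest of the request and, because the linkify lambda reads that attribute, probably still emits an anchor pointing at `mailto:—`. Putting the permission check in the lambda avoids both, e.g. `linkify=lambda record: "mailto:{}".format(record.email) if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) else None`, assuming the installed django-tables2 skips the link when the callable returns nothing (worth confirming). Masking in `render_*` also only changes the displayed cell: if the view allows ordering on `email` or `section`, the sort order still reveals relative values to a viewer without `member.view_profile`, so `orderable=False` on those columns or restricting the queryset is worth considering. The same check now runs up to three times per row and could move into one small helper. `UserTable` begins and continues outside the hunk.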
diff --git a/apps/member/templates/member/includes/profile_info.html b/apps/member/templates/member/includes/profile_info.html
index b7f2fe70..e008ec6a 100644
--- a/apps/member/templates/member/includes/profile_info.html
+++ b/apps/member/templates/member/includes/profile_info.html
@@ -25,25 +25,27 @@
         </a>
     </dd>
 
-    <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
+    {% if "member.view_profile"|has_perm:user_object.profile %}
+        <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
 
-    <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
+        <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
 
-    <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
-    </dd>
+        <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+        </dd>
 
-    <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+        <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
 
-    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-    <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
 
-    <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        {% endif %}
     {% endif %}
 </dl>
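Review bot: The `note.view_note` block for balance and paid is now nested inside the `member.view_profile` condition, so a viewer who holds `note.view_note` but not `member.view_profile` loses the balance here, while `render_balance` in `UserTable` still shows it on `note.view_note` alone. If the two permissions are meant to be independent, close the profile condition after the address `<dd>` with `{% endif %}` and leave the `{% if user_object.note and "note.view_note"|has_perm:user_object.note %}` block at its original level. Otherwise a template comment such as `{# balance requires member.view_profile as well as note.view_note #}` would record that the nesting is intentional. The `<dl>` opens outside the hunk, so the fields rendered above it are not covered by this review.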
 
-- 
GitLab