Commit ec62e456 authored by LEVY-FALK Hugo's avatar LEVY-FALK Hugo Committed by root

Pas de requête directement dans @can_edit. On récupère l'instance dans...

Pas de requête directement dans @can_edit. On récupère l'instance dans model.get_instance et on la transmet à model.can_edit et à la vue.
parent 56e93f4d
......@@ -68,28 +68,26 @@ def can_create(model):
return decorator
def can_edit(model, *instance_id):
def can_edit(model):
"""Decorator to check if an user can edit a model.
It assumes that a valid user exists in the request and that the model has a
method can_create(user) which returns true if the user can create this kind
It tries to get an instance of the model, using
`model.get_instance(*args, **kwargs)` and assumes that the model has a method
`can_create(user)` which returns `true` if the user can create this kind
of models.
"""
def decorator(view):
def wrapper(request, *args, **kwargs):
instances = {}
for i in instance_id:
try:
instances[i] = model.objects.get(pk=kwargs[i])
except model.DoesNotExist:
messages.error(request, u"Entrée inexistante")
return redirect(reverse('users:index'))
kwargs['instances'] = instances
can = all(model.can_edit(instances[i], request.user) for i in instances)
if not can:
try:
instance = model.get_instance(*args, **kwargs)
except model.DoesNotExist:
messages.error(request, u"Entrée inexistante")
return redirect(reverse('users:index'))
if not model.can_edit(instance, request.user):
messages.error(request, "Vous ne pouvez pas accéder à ce menu")
return redirect(reverse('users:profil',
kwargs={'userid':str(request.user.id)}
))
kwargs['instance'] = instance
return view(request, *args, **kwargs)
return wrapper
return decorator
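Review bot: The new docstring of `can_edit` still names `can_create(user)`, but the wrapper calls `model.can_edit(instance, request.user)`, and the earlier sentence saying that a valid user must already exist in the request appears to have been dropped. This decorator is the access check for every view it wraps, so the docstring should state the real contract, for example `Assumes an authenticated request.user, loads the object with model.get_instance(*args, **kwargs) and requires model.can_edit(instance, user) to be true.` It should also say that the checked object reaches the view as the `instance` keyword argument, so a URL parameter of that name would be overwritten by `kwargs['instance'] = instance`. As a point of style, decorating `wrapper` with `functools.wraps(view)` would keep the view's name and docstring.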
......
......@@ -784,6 +784,9 @@ class User(AbstractBaseUser):
else:
return self == user or user.has_perms(('cableur',))
def get_instance(userid):
return User.objects.get(pk=userid)
def __str__(self):
return self.pseudo
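Review bot: `get_instance` is declared in the class body with neither `self` nor `@staticmethod`, and it accepts only `userid`, while the `can_edit` hunk on this page calls it as `model.get_instance(*args, **kwargs)` with every argument of the view. Called on the class with a single `userid` keyword it works, but on an instance the instance itself would be bound as `userid`. A view with any additional URL parameter would raise a TypeError before the permission check runs. Consider `@staticmethod` above `def get_instance(userid, *args, **kwargs):`, with a one-line docstring saying it returns the user with that primary key and lets `User.DoesNotExist` propagate to the decorator. The class starts outside this hunk.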
......
......@@ -203,23 +203,23 @@ def select_user_edit_form(request, user):
@login_required
@can_edit(User, 'userid')
def edit_info(request, userid, **kwargs):
@can_edit(User)
def edit_info(request, userid, instance):
""" Edite un utilisateur à partir de son id,
si l'id est différent de request.user, vérifie la
possession du droit cableur """
try:
user = User.objects.get(pk=userid)
except User.DoesNotExist:
messages.error(request, "Utilisateur inexistant")
return redirect(reverse('users:index'))
if not user.can_edit(request.user):
messages.error(request, "Vous ne pouvez pas accéder à ce menu")
return redirect(reverse(
'users:profil',
kwargs={'userid':str(request.user.id)}
))
user = select_user_edit_form(request, user)
# try:
# user = User.objects.get(pk=userid)
# except User.DoesNotExist:
# messages.error(request, "Utilisateur inexistant")
# return redirect(reverse('users:index'))
# if not user.can_edit(request.user):
# messages.error(request, "Vous ne pouvez pas accéder à ce menu")
# return redirect(reverse(
# 'users:profil',
# kwargs={'userid':str(request.user.id)}
# ))
user = select_user_edit_form(request, instance)
if user.is_valid():
with transaction.atomic(), reversion.create_revision():
user.save()
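Review bot: The previous lookup and permission check is left in `edit_info` as a commented-out block, which should be deleted rather than kept, because `@can_edit(User)` now does both and the leftover suggests the view still authorizes the request itself. The docstring still says the view verifies the cableur right; it should say that access is enforced by the decorator, for example `"""Edit the user passed in by @can_edit, which has already checked edit rights."""`. A short comment on the decorator stack would also help, since `@login_required` has to stay above `@can_edit(User)` for the check to see an authenticated `request.user`. The body of `edit_info` continues past the end of the hunk.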
......