Commit fa90c853 authored by Patrick's avatar Patrick

Security an cms_toolbar alignment

parent cf25b6c8
...@@ -276,9 +276,7 @@ class BankAccountAdmin(ImportExportMixin, admin.ModelAdmin): ...@@ -276,9 +276,7 @@ class BankAccountAdmin(ImportExportMixin, admin.ModelAdmin):
return False return False
def has_change_permission(self, request, bank_account=None): def has_change_permission(self, request, bank_account=None):
if request.user.groups.filter(name__in=[COORDINATION_GROUP, INVOICE_GROUP]).exists() or request.user.is_superuser: return self.has_add_permission(request)
return True
return False
def get_readonly_fields(self, request, obj=None): def get_readonly_fields(self, request, obj=None):
readonly_fields = [ readonly_fields = [
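Review bot: `return self.has_add_permission(request)` on the `has_change_permission` line makes the right to edit a bank account whatever `has_add_permission` grants, and that method lies outside this hunk; the removed body admitted only COORDINATION_GROUP and INVOICE_GROUP (not ORDER_GROUP), so confirm the add check uses the same list or the commit silently changes who may edit bank records. If the two are meant to coincide, a docstring such as `"""Editing a bank account needs the same groups as creating one."""` records that intent. The `bank_account` argument is now dropped on the way through, which is fine only as long as no per-object rule is ever wanted here. The class body continues outside the hunk.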
......
...@@ -168,23 +168,17 @@ class BoxAdmin(TranslatableAdmin): ...@@ -168,23 +168,17 @@ class BoxAdmin(TranslatableAdmin):
'duplicate_box' 'duplicate_box'
] ]
def has_delete_permission(self, request, obj=None): def has_delete_permission(self, request, box=None):
if request.user.groups.filter( if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser: name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True return True
return False return False
def has_add_permission(self, request): def has_add_permission(self, request):
if request.user.groups.filter( return self.has_delete_permission(request)
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, box=None):
if request.user.groups.filter( return self.has_delete_permission(request, box)
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def flip_flop_select_for_offer_status(self, request, queryset): def flip_flop_select_for_offer_status(self, request, queryset):
task_box.flip_flop_is_into_offer(queryset) task_box.flip_flop_is_into_offer(queryset)
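Review bot: The overrides on the `has_delete_permission` and `has_change_permission` lines rename the second parameter from `obj` to `box`; Django's own admin views pass the object positionally, but any caller that passes `obj=` as a keyword (third-party admin bases such as the parler `TranslatableAdmin` this class inherits are worth checking) would now raise TypeError, so keep `obj=None` unless every caller has been verified. Expressing "add" and "change" as `self.has_delete_permission(...)` also reads as though deleting were the base right; a helper such as `def _is_manager(self, request): return request.user.is_superuser or request.user.groups.filter(name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists()` called from all three methods states the policy once and directly. `flip_flop_select_for_offer_status` continues outside the hunk.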
......
...@@ -252,10 +252,13 @@ class CustomerWithUserDataAdmin(ImportExportMixin, admin.ModelAdmin): ...@@ -252,10 +252,13 @@ class CustomerWithUserDataAdmin(ImportExportMixin, admin.ModelAdmin):
return False return False
def has_add_permission(self, request): def has_add_permission(self, request):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True return self.has_add_permission(request)
def get_email(self, customer): def get_email(self, customer):
if customer.user is not None: if customer.user is not None:
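Review bot: In the new `has_add_permission` the `is_superuser` test is evaluated after the groups query, so every permission check hits the database even for superusers, and Django's admin calls `has_change_permission` (which now delegates here) several times per request; `if request.user.is_superuser or request.user.groups.filter(name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists():` short-circuits on the cheap attribute first. Replacing the former unconditional `return True` with a group check is the right direction; a docstring such as `"""Only order, invoice and coordination staff may create or edit customers."""` would make the new policy discoverable. `get_email` continues outside the hunk.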
......
...@@ -9,7 +9,7 @@ from django.utils.translation import ugettext_lazy as _ ...@@ -9,7 +9,7 @@ from django.utils.translation import ugettext_lazy as _
from repanier.admin.admin_filter import PurchaseFilterByProducerForThisPermanence, \ from repanier.admin.admin_filter import PurchaseFilterByProducerForThisPermanence, \
ProductFilterByDepartmentForThisProducer, OfferItemFilter ProductFilterByDepartmentForThisProducer, OfferItemFilter
from repanier.const import PERMANENCE_CLOSED, PERMANENCE_OPENED from repanier.const import PERMANENCE_CLOSED, PERMANENCE_OPENED, ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP
from repanier.models import Permanence, Product, LUT_DepartmentForCustomer, Producer from repanier.models import Permanence, Product, LUT_DepartmentForCustomer, Producer
from repanier.tools import sint, update_offer_item from repanier.tools import sint, update_offer_item
...@@ -142,7 +142,10 @@ class OfferItemClosedAdmin(admin.ModelAdmin): ...@@ -142,7 +142,10 @@ class OfferItemClosedAdmin(admin.ModelAdmin):
return False return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def get_actions(self, request): def get_actions(self, request):
actions = super(OfferItemClosedAdmin, self).get_actions(request) actions = super(OfferItemClosedAdmin, self).get_actions(request)
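Review bot: The new `has_change_permission` admits ORDER_GROUP, INVOICE_GROUP and COORDINATION_GROUP only, whereas the producer and product admins changed in the same commit also admit CONTRIBUTOR_GROUP; if contributors are deliberately kept out of closed offer items, a comment such as `# contributors may edit products, but not offer items of a closed permanence` would stop a later edit from "aligning" the lists. Note also that before the admin grew a separate view permission (Django 2.1), `has_change_permission` gates the whole changelist, so dropping the old unconditional `return True` removes read access too for anyone outside those groups; confirm that is intended. `get_actions` continues outside the hunk.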
......
...@@ -74,7 +74,8 @@ class PermanenceDoneAdmin(TranslatableAdmin): ...@@ -74,7 +74,8 @@ class PermanenceDoneAdmin(TranslatableAdmin):
return False return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
if request.user.groups.filter(name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser: if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True return True
return False return False
......
...@@ -164,10 +164,7 @@ class PermanenceInPreparationAdmin(TranslatableAdmin): ...@@ -164,10 +164,7 @@ class PermanenceInPreparationAdmin(TranslatableAdmin):
return self.has_delete_permission(request) return self.has_delete_permission(request)
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
if request.user.groups.filter( return self.has_delete_permission(request, obj)
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def get_fields(self, request, permanence=None): def get_fields(self, request, permanence=None):
fields = [ fields = [
......
...@@ -228,10 +228,14 @@ class ProducerAdmin(ImportExportMixin, admin.ModelAdmin): ...@@ -228,10 +228,14 @@ class ProducerAdmin(ImportExportMixin, admin.ModelAdmin):
return False return False
def has_add_permission(self, request): def has_add_permission(self, request):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP,
CONTRIBUTOR_GROUP]).exists() or request.user.is_superuser:
return True
return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True return self.has_add_permission(request)
def get_urls(self): def get_urls(self):
urls = super(ProducerAdmin, self).get_urls() urls = super(ProducerAdmin, self).get_urls()
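Review bot: `CONTRIBUTOR_GROUP` is referenced in the new `has_add_permission`, but the only import change visible in this commit (the `repanier.const` line of a different file) does not add it; if this module does not already import it, every producer add/change request raises NameError—failing closed with a server error rather than open, but still a broken admin. Confirm the import, and add a short docstring noting that contributors are intentionally allowed to create and edit producers, since that is wider than the three groups used by the customer and offer-item admins in the same commit. `get_urls` continues outside the hunk.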
......
...@@ -308,10 +308,14 @@ class ProductAdmin(ImportExportMixin, TranslatableAdmin): ...@@ -308,10 +308,14 @@ class ProductAdmin(ImportExportMixin, TranslatableAdmin):
return False return False
def has_add_permission(self, request): def has_add_permission(self, request):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP,
CONTRIBUTOR_GROUP]).exists() or request.user.is_superuser:
return True
return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True return self.has_add_permission(request)
def flip_flop_select_for_offer_status(self, request, queryset): def flip_flop_select_for_offer_status(self, request, queryset):
task_product.flip_flop_is_into_offer(queryset) task_product.flip_flop_is_into_offer(queryset)
......
...@@ -153,7 +153,10 @@ class CustomerSendAdmin(admin.ModelAdmin): ...@@ -153,7 +153,10 @@ class CustomerSendAdmin(admin.ModelAdmin):
return False return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def get_actions(self, request): def get_actions(self, request):
actions = super(CustomerSendAdmin, self).get_actions(request) actions = super(CustomerSendAdmin, self).get_actions(request)
......
...@@ -115,7 +115,6 @@ class OfferItemSendDataForm(forms.ModelForm): ...@@ -115,7 +115,6 @@ class OfferItemSendDataForm(forms.ModelForm):
previous_unit_deposit = FormMoneyField( previous_unit_deposit = FormMoneyField(
max_digits=8, decimal_places=2, required=False, initial=REPANIER_MONEY_ZERO) max_digits=8, decimal_places=2, required=False, initial=REPANIER_MONEY_ZERO)
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
getcontext().rounding = ROUND_HALF_UP getcontext().rounding = ROUND_HALF_UP
super(OfferItemSendDataForm, self).__init__(*args, **kwargs) super(OfferItemSendDataForm, self).__init__(*args, **kwargs)
...@@ -272,7 +271,10 @@ class OfferItemSendAdmin(admin.ModelAdmin): ...@@ -272,7 +271,10 @@ class OfferItemSendAdmin(admin.ModelAdmin):
return False return False
def has_change_permission(self, request, obj=None): def has_change_permission(self, request, obj=None):
return True if request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def get_actions(self, request): def get_actions(self, request):
actions = super(OfferItemSendAdmin, self).get_actions(request) actions = super(OfferItemSendAdmin, self).get_actions(request)
......
...@@ -134,10 +134,7 @@ class StaffWithUserDataAdmin(TranslatableAdmin): ...@@ -134,10 +134,7 @@ class StaffWithUserDataAdmin(TranslatableAdmin):
return False return False
def has_change_permission(self, request, staff=None): def has_change_permission(self, request, staff=None):
if request.user.groups.filter( return self.has_add_permission(request)
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or request.user.is_superuser:
return True
return False
def get_form(self, request, obj=None, **kwargs): def get_form(self, request, obj=None, **kwargs):
form = super(StaffWithUserDataAdmin, self).get_form(request, obj, **kwargs) form = super(StaffWithUserDataAdmin, self).get_form(request, obj, **kwargs)
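Review bot: `return self.has_add_permission(request)` on the `has_change_permission` line replaces an explicit ORDER_GROUP/INVOICE_GROUP/COORDINATION_GROUP check with whatever `has_add_permission` decides, and that method is not in the hunk; because staff records determine who administers the site, verify the add check lists exactly those groups plus `is_superuser` before merging. A docstring `"""Changing a staff member requires the same groups as adding one."""` would document the coupling for the next reader. `get_form` continues outside the hunk.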
......
...@@ -19,66 +19,75 @@ class RepanierToolbar(CMSToolbar): ...@@ -19,66 +19,75 @@ class RepanierToolbar(CMSToolbar):
from apps import REPANIER_SETTINGS_PERMANENCES_NAME, REPANIER_SETTINGS_INVOICE from apps import REPANIER_SETTINGS_PERMANENCES_NAME, REPANIER_SETTINGS_INVOICE
if settings.DJANGO_SETTINGS_DEMO: if settings.DJANGO_SETTINGS_DEMO:
self.toolbar.get_or_create_menu("demo-menu", _('Demo (%s)') % (DEMO_EMAIL,)) self.toolbar.get_or_create_menu("demo-menu", _('Demo (%s)') % (DEMO_EMAIL,))
if self.request.user.groups.filter(
name__in=[ORDER_GROUP, INVOICE_GROUP, COORDINATION_GROUP]).exists() or self.request.user.is_superuser:
display_all = True
elif self.request.user.groups.filter(
name=CONTRIBUTOR_GROUP).exists():
display_all = False
else:
return
admin_menu = self.toolbar.get_or_create_menu(ADMIN_MENU_IDENTIFIER, _('Manage')) admin_menu = self.toolbar.get_or_create_menu(ADMIN_MENU_IDENTIFIER, _('Manage'))
position = admin_menu.get_alphabetical_insert_position( # position = admin_menu.get_alphabetical_insert_position(
_('Parameters'), # _('Parameters'),
SubMenu # SubMenu
) # )
if not position: # if not position:
# TODO : Check this part of the code position = 0
position = 0 admin_menu.add_break('custom-break', position=position)
admin_menu.add_break('custom-break', position=position) if display_all:
office_menu = admin_menu.get_or_create_menu( office_menu = admin_menu.get_or_create_menu(
'parameter-menu', 'parameter-menu',
_('Parameters ...'), _('Parameters ...'),
position=position position=position
) )
# add_sideframe_item # add_sideframe_item
config = Configuration.objects.filter(id=DECIMAL_ONE).only('id').first() config = Configuration.objects.filter(id=DECIMAL_ONE).only('id').first()
url = reverse('admin:repanier_configuration_change', args=(config.id,)) url = reverse('admin:repanier_configuration_change', args=(config.id,))
office_menu.add_sideframe_item(_('Configuration'), url=url) office_menu.add_sideframe_item(_('Configuration'), url=url)
url = reverse('admin:repanier_staff_changelist') url = reverse('admin:repanier_staff_changelist')
office_menu.add_sideframe_item(_('Staff Member List'), url=url) office_menu.add_sideframe_item(_('Staff Member List'), url=url)
url = reverse('admin:repanier_lut_permanencerole_changelist') url = reverse('admin:repanier_lut_permanencerole_changelist')
office_menu.add_sideframe_item(_('Permanence Role List'), url=url) office_menu.add_sideframe_item(_('Permanence Role List'), url=url)
url = reverse('admin:repanier_lut_productionmode_changelist') url = reverse('admin:repanier_lut_productionmode_changelist')
office_menu.add_sideframe_item(_('Production Mode List'), url=url) office_menu.add_sideframe_item(_('Production Mode List'), url=url)
url = reverse('admin:repanier_lut_deliverypoint_changelist') url = reverse('admin:repanier_lut_deliverypoint_changelist')
office_menu.add_sideframe_item(_('Delivery Point List'), url=url) office_menu.add_sideframe_item(_('Delivery Point List'), url=url)
url = reverse('admin:repanier_lut_departmentforcustomer_changelist') url = reverse('admin:repanier_lut_departmentforcustomer_changelist')
office_menu.add_sideframe_item(_('Departement for Customer List'), url=url) office_menu.add_sideframe_item(_('Departement for Customer List'), url=url)
position += 1
position += 1 url = reverse('admin:repanier_customer_changelist')
url = reverse('admin:repanier_customer_changelist') admin_menu.add_sideframe_item(_('Customer List'), url=url, position=position)
admin_menu.add_sideframe_item(_('Customer List'), url=url, position=position) position += 1
position += 1
url = reverse('admin:repanier_producer_changelist') url = reverse('admin:repanier_producer_changelist')
admin_menu.add_sideframe_item(_('Producer List'), url=url, position=position) admin_menu.add_sideframe_item(_('Producer List'), url=url, position=position)
position += 1 if display_all:
url = "%s?is_into_offer__exact=1" % reverse('admin:repanier_box_changelist')
admin_menu.add_sideframe_item(_('Box List'), url=url, position=position)
position += 1
url = reverse('admin:repanier_permanenceinpreparation_changelist')
admin_menu.add_sideframe_item(
_("%(name)s in preparation list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME},
url=url, position=position)
if REPANIER_SETTINGS_INVOICE:
position += 1 position += 1
url = reverse('admin:repanier_permanencedone_changelist') url = "%s?is_into_offer__exact=1" % reverse('admin:repanier_box_changelist')
admin_menu.add_sideframe_item( admin_menu.add_sideframe_item(_('Box List'), url=url, position=position)
_("%(name)s done list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME},
url=url, position=position)
position += 1 position += 1
url = reverse('admin:repanier_bankaccount_changelist') url = reverse('admin:repanier_permanenceinpreparation_changelist')
admin_menu.add_sideframe_item(_('Bank Account List'), url=url, position=position)
else:
position += 1
url = reverse('admin:repanier_permanencedone_changelist')
admin_menu.add_sideframe_item( admin_menu.add_sideframe_item(
_("%(name)s archived list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME}, _("%(name)s in preparation list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME},
url=url, position=position) url=url, position=position)
if REPANIER_SETTINGS_INVOICE:
position += 1
url = reverse('admin:repanier_permanencedone_changelist')
admin_menu.add_sideframe_item(
_("%(name)s done list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME},
url=url, position=position)
position += 1
url = reverse('admin:repanier_bankaccount_changelist')
admin_menu.add_sideframe_item(_('Bank Account List'), url=url, position=position)
else:
position += 1
url = reverse('admin:repanier_permanencedone_changelist')
admin_menu.add_sideframe_item(
_("%(name)s archived list") % {'name': REPANIER_SETTINGS_PERMANENCES_NAME},
url=url, position=position)
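Review bot: On the new side the `Customer List` sideframe item is added outside the `if display_all:` branch, so members of CONTRIBUTOR_GROUP (for whom `display_all` is False) get a link to the customer changelist, while `CustomerWithUserDataAdmin.has_change_permission` in this same commit denies that group, so the link ends in a permission error for them. Either move the `url = reverse('admin:repanier_customer_changelist')` / `admin_menu.add_sideframe_item(_('Customer List'), ...)` pair under `if display_all:`, or add CONTRIBUTOR_GROUP to the customer admin, whichever policy is intended. The commented-out `get_alphabetical_insert_position` block should be deleted rather than kept, since `position = 0` is now the only live code. `CONTRIBUTOR_GROUP` is used here but its import is not in the shown hunks; confirm it is in scope in this module.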