From 533c65562d6ad96e77d2281868065a8f73e44e77 Mon Sep 17 00:00:00 2001 From: Emanuel Schuetze Date: Thu, 8 Nov 2012 18:57:53 +0100 Subject: [PATCH] Don't allow to deactivate or delete the superuser or yourself. Otherwise it's very danger to lock out your current (superuser) session. --- .../templates/participant/overview.html | 2 ++ openslides/participant/views.py | 16 +++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/openslides/participant/templates/participant/overview.html b/openslides/participant/templates/participant/overview.html index 2ab17289f..4a9aa133b 100644 --- a/openslides/participant/templates/participant/overview.html +++ b/openslides/participant/templates/participant/overview.html @@ -93,6 +93,7 @@ + {% if user != request_user and not user.is_superuser %} @@ -102,6 +103,7 @@ + {% endif %} {% endif %} diff --git a/openslides/participant/views.py b/openslides/participant/views.py index 974d7d183..b1131ee5c 100644 --- a/openslides/participant/views.py +++ b/openslides/participant/views.py @@ -127,12 +127,13 @@ class UserOverview(ListView): # list of all existing categories details = [p['detail'] for p in User.objects.values('detail') .exclude(detail='').distinct()] - # list of all existing committees committees = [p['committee'] for p in User.objects.values('committee') .exclude(committee='').distinct()] + # context vars context.update({ 'allusers': all_users, + 'request_user': self.request.user, 'percent': round(percent, 1), 'details': details, 'committees': committees, 
@@ -204,6 +205,13 @@ class UserDeleteView(DeleteView): model = User url = 'user_overview' + def pre_redirect(self, request, *args, **kwargs): + if self.get_object() == self.request.user: + messages.error(request, _("You can not delete yourself.")) + elif self.get_object().is_superuser: + messages.error(request, _("You can not delete the administrator.")) + else: + super(DeleteView, self).pre_redirect(request, *args, **kwargs) class SetUserStatusView(RedirectView, SingleObjectMixin): """ @@ -220,6 +228,12 @@ class SetUserStatusView(RedirectView, SingleObjectMixin): if action == 'activate': self.object.is_active = True elif action == 'deactivate': + if self.get_object().user == self.request.user: + messages.error(request, _("You can not deactivate yourself.")) + return + elif self.get_object().is_superuser: + messages.error(request, _("You can not deactivate the administrator.")) + return self.object.is_active = False elif action == 'toggle': self.object.is_active = not self.object.is_active
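Review bot: The `else` branch of the new `UserDeleteView.pre_redirect` calls `super(DeleteView, self).pre_redirect(...)`, which starts the lookup after `DeleteView` and so skips any `pre_redirect` that `DeleteView` itself defines. Unless that skip is intended, it should read `super(UserDeleteView, self).pre_redirect(request, *args, **kwargs)`. The guard also lives only in `pre_redirect`, and the handler that performs the deletion is not visible in this hunk. If deletion runs on a separate POST path, a direct request may still remove the superuser or the current user, so the same check belongs next to the `delete()` call. `self.get_object()` is also fetched twice; binding it once with `target = self.get_object()` avoids the second query.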
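Review bot: The `toggle` branch right after the new guard in `SetUserStatusView` still runs `self.object.is_active = not self.object.is_active` unchecked, so toggling an active superuser or your own account deactivates it and bypasses the protection added for `deactivate`. The self-check compares `self.get_object().user` with the request user, while `UserDeleteView` in the same commit compares `self.get_object()` directly. One of the two is presumably wrong, and if the model has no `user` attribute the deactivate path raises `AttributeError`. The sketch below guards both actions together and reuses `self.object`, which the surrounding lines already rely on. Whether `==` matches the model instance against `request.user` should be confirmed; comparing primary keys is the safer form. The method starts and ends outside this hunk.

```python
# … unchanged: 'activate' branch …
elif action in ('deactivate', 'toggle') and self.object.is_active:
    # Both actions would switch an active account off, so guard them together.
    if self.object == self.request.user:
        messages.error(request, _("You can not deactivate yourself."))
        return
    if self.object.is_superuser:
        messages.error(request, _("You can not deactivate the administrator."))
        return
    self.object.is_active = False
elif action == 'toggle':
    # Only reached for an inactive account, so toggle re-activates it.
    self.object.is_active = True
```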