ag-admin/OpenSlides
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #591 from normanjaeckel/WarningRechtAufRechte

Browse Source 
Protection for participant managers, Issue #122
This commit is contained in:
Oskar Hahn 2013-04-14 16:21:19 -07:00
commit 5f120c2bf4
2 changed files with 38 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
openslides/participant/forms.py
View File

@ -11,13 +11,13 @@
""" """
from django import forms from django import forms
from django.contrib import messages
from django.contrib.auth.models import Permission from django.contrib.auth.models import Permission
from django.utils.translation import ugettext_lazy as _ # TODO: Change this in the code from django.contrib.contenttypes.models import ContentType
from django.utils.translation import ugettext as _, ugettext_lazy
from django.conf import settings from django.conf import settings
from openslides.utils.forms import ( from openslides.utils.forms import CssClassMixin, LocalizedModelMultipleChoiceField
CssClassMixin, LocalizedModelMultipleChoiceField)
from openslides.participant.models import User, Group from openslides.participant.models import User, Group
from openslides.participant.api import get_registered_group from openslides.participant.api import get_registered_group
@ -25,7 +25,7 @@ from openslides.participant.api import get_registered_group
class UserCreateForm(forms.ModelForm, CssClassMixin): class UserCreateForm(forms.ModelForm, CssClassMixin):
groups = forms.ModelMultipleChoiceField( groups = forms.ModelMultipleChoiceField(
queryset=Group.objects.exclude(name__iexact='anonymous'), queryset=Group.objects.exclude(name__iexact='anonymous'),
label=_("Groups"), required=False) label=ugettext_lazy('Groups'), required=False)
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
if kwargs.get('instance', None) is None: if kwargs.get('instance', None) is None:
@ -42,19 +42,42 @@ class UserCreateForm(forms.ModelForm, CssClassMixin):
class UserUpdateForm(UserCreateForm): class UserUpdateForm(UserCreateForm):
"""
Form to update an user. It raises a validation error, if a non-superuser
user edits himself and removes the last group containing the permission
to manage participants.
"""
class Meta: class Meta:
model = User model = User
fields = ('username', 'title', 'first_name', 'last_name', 'gender', 'email', fields = ('username', 'title', 'first_name', 'last_name', 'gender', 'email',
'groups', 'structure_level', 'committee', 'about_me', 'comment', 'groups', 'structure_level', 'committee', 'about_me', 'comment',
'is_active', 'default_password') 'is_active', 'default_password')
def __init__(self, *args, **kwargs):
self.request = kwargs.pop('request')
return super(UserUpdateForm, self).__init__(*args, **kwargs)
def clean(self, *args, **kwargs):
"""
Raises a validation error, if a non-superuser user edits himself
and removes the last group containing the permission to manage participants.
"""
if self.request.user == self.instance and not self.instance.is_superuser:
protected_perm = Permission.objects.get(content_type=ContentType.objects.get(app_label='participant', model='user'),
codename='can_manage_participant')
if not self.cleaned_data['groups'].filter(permissions__in=[protected_perm]).exists():
error_msg = _('You can not remove the last group containing the permission to manage participants.')
messages.error(self.request, error_msg)
raise forms.ValidationError(error_msg)
return super(UserUpdateForm, self).clean(*args, **kwargs)
class GroupForm(forms.ModelForm, CssClassMixin): class GroupForm(forms.ModelForm, CssClassMixin):
permissions = LocalizedModelMultipleChoiceField( permissions = LocalizedModelMultipleChoiceField(
queryset=Permission.objects.all(), label=_("Permissions"), queryset=Permission.objects.all(), label=ugettext_lazy('Permissions'),
required=False) required=False)
users = forms.ModelMultipleChoiceField( users = forms.ModelMultipleChoiceField(
queryset=User.objects.all(), label=_("Participants"), required=False) queryset=User.objects.all(), label=ugettext_lazy('Participants'), required=False)
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
# Initial users # Initial users
@ -91,11 +114,11 @@ class GroupForm(forms.ModelForm, CssClassMixin):
# Editing the anonymous-user # Editing the anonymous-user
if self.instance.name.lower() != data.lower(): if self.instance.name.lower() != data.lower():
raise forms.ValidationError( raise forms.ValidationError(
_('You can not edit the name for this group.')) ugettext_lazy('You can not edit the name for this group.'))
else: else:
if data.lower() in ['anonymous', 'registered']: if data.lower() in ['anonymous', 'registered']:
raise forms.ValidationError( raise forms.ValidationError(
_('Group name "%s" is reserved for internal use.') % data) ugettext_lazy('Group name "%s" is reserved for internal use.') % data)
return data return data
class Meta: class Meta:
@ -113,4 +136,4 @@ class UsersettingsForm(forms.ModelForm, CssClassMixin):
class UserImportForm(forms.Form, CssClassMixin): class UserImportForm(forms.Form, CssClassMixin):
csvfile = forms.FileField(widget=forms.FileInput(attrs={'size': '50'}), csvfile = forms.FileField(widget=forms.FileInput(attrs={'size': '50'}),
label=_("CSV File")) label=ugettext_lazy('CSV File'))

5
openslides/participant/views.py
View File

@ -116,6 +116,11 @@ class UserUpdateView(UpdateView):
form_class = UserUpdateForm form_class = UserUpdateForm
success_url_name = 'user_overview' success_url_name = 'user_overview'
def get_form_kwargs(self, *args, **kwargs):
form_kwargs = super(UserUpdateView, self).get_form_kwargs(*args, **kwargs)
form_kwargs.update({'request': self.request})
return form_kwargs
class UserDeleteView(DeleteView): class UserDeleteView(DeleteView):
""" """