Commit d6e8fe77 authored by Tom Teichler's avatar Tom Teichler :beers:

Fix permissionk

parent 143b60b2
......@@ -10,7 +10,6 @@ User = get_user_model()
@predicate
def is_own_invoice(user: User, obj: Invoice):
"""Predicate which checks if the invoice is linked to the current user."""
return obj.get_person() == user.person
......
......@@ -150,3 +150,6 @@ send_invoice_email_predicate = (
| has_object_perm("tezor.send_invoice_email")
)
rules.add_perm("tezor.send_invoice_email_rule", send_invoice_email_predicate)
view_own_invoices_predicate = has_person
rules.add_perm("tezor.view_own_invoices_list_rule", view_own_invoices_predicate)
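Review bot: `view_own_invoices_predicate = has_person` lets any user with a linked person pass `tezor.view_own_invoices_list_rule`, so the rule name promises a per-invoice ownership check that the predicate itself does not make. The restriction to the user's own invoices appears to rest entirely on the queryset filter in `MyInvoicesListView.get_queryset`, and nothing here says so. A comment above the assignment would record that, for example `# Only gates access to the list view; rows are limited to the user's person in MyInvoicesListView.get_queryset.`, so that the rule is not reused on a view that lacks that filter.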
......@@ -34,6 +34,13 @@ class GetInvoicePDF(PermissionRequiredMixin, RenderPDFView):
return context
def has_permission(self):
invoice = Invoice.objects.get(token=self.kwargs["token"])
perms = self.get_permission_required()
return self.request.user.has_perms(perms, invoice)
class DoPaymentView(PermissionRequiredMixin, View):
......@@ -238,15 +245,16 @@ class SendInvoiceEmail(PermissionRequiredMixin, View):
return redirect(url)
class MyInvoicesListView(PermissionRequiredMixin, SingleTableView):
"""Table of all invoices belonging to a user."""
model = Invoice
table_class = InvoicesTable
permission_required = "tezor.display_billing_rule"
permission_required = "tezor.view_own_invoices_list_rule"
template_name = "tezor/invoice/list.html"
def get_queryset(self, *args, **kwargs):
invoices = self.model.objects.filter(billing_email=self.request.user.person.email)
invoices = self.model.objects.filter(person=self.request.user.person)
return invoices
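Review bot: In `GetInvoicePDF.has_permission`, `Invoice.objects.get(token=self.kwargs["token"])` raises `Invoice.DoesNotExist` when no invoice has that token, so a mistyped or guessed token ends in an unhandled exception inside the permission check rather than a clean denial. Looking the invoice up with `invoice = Invoice.objects.filter(token=self.kwargs["token"]).first()` followed by `if invoice is None: return False` would send unknown tokens down the same denial path as forbidden ones, which also keeps the response from showing which tokens exist. Whether the rest of `GetInvoicePDF` repeats this lookup is not visible, since the class starts outside the hunk.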