Skip to content
Snippets Groups Projects
Commit 4d30e080 authored by Tom Teichler's avatar Tom Teichler :beers:
Browse files

Check object permissions

parent 92b04d83
No related branches found
No related tags found
2 merge requests!8Resolve "Add payment processing UI",!6Add rules
Pipeline #59044 failed
Stage: prepare
Stage: test
Stage: build
Stage: publish
Stage: docker
Hide whitespace changes
Inline Side-by-side
aleksis/apps/tezor/rules.py
+ 25
31
View file @ 4d30e080
...@@ -11,11 +11,17 @@ view_clients_predicate = has_person & ( ...@@ -11,11 +11,17 @@ view_clients_predicate = has_person & (
) )
rules.add_perm("tezor.view_clients_rule", view_clients_predicate) rules.add_perm("tezor.view_clients_rule", view_clients_predicate)
# View client
view_client_predicate = has_person & (
has_global_perm("tezor.view_client") | has_object_perm("tezor.view_client")
)
rules.add_perm("tezor.view_client_rule", view_client_predicate)
# Edit clients # Edit clients
edit_clients_predicate = has_person & ( edit_client_predicate = has_person & (
has_global_perm("tezor.edit_client") | has_any_object("tezor.edit_client", Client) has_global_perm("tezor.edit_client") | has_object_perm("tezor.edit_client")
) )
rules.add_perm("tezor.edit_clients_rule", edit_clients_predicate) rules.add_perm("tezor.edit_client_rule", edit_clients_predicate)
# Create clients # Create clients
create_clients_predicate = has_person & ( create_clients_predicate = has_person & (
...@@ -24,10 +30,10 @@ create_clients_predicate = has_person & ( ...@@ -24,10 +30,10 @@ create_clients_predicate = has_person & (
rules.add_perm("tezor.create_clients_rule", create_clients_predicate) rules.add_perm("tezor.create_clients_rule", create_clients_predicate)
# Delete clients # Delete clients
delete_clients_predicate = has_person & ( delete_client_predicate = has_person & (
has_global_perm("tezor.delete_client") | has_any_object("tezor.delete_client", Client) has_global_perm("tezor.delete_client") | has_object_perm("tezor.delete_client")
) )
rules.add_perm("tezor.delete_clients_rule", delete_clients_predicate) rules.add_perm("tezor.delete_client_rule", delete_client_predicate)
# View invoice groups # View invoice groups
view_invoice_groups_predicate = has_person & ( view_invoice_groups_predicate = has_person & (
...@@ -35,11 +41,17 @@ view_invoice_groups_predicate = has_person & ( ...@@ -35,11 +41,17 @@ view_invoice_groups_predicate = has_person & (
) )
rules.add_perm("tezor.view_invoice_groups_rule", view_invoice_groups_predicate) rules.add_perm("tezor.view_invoice_groups_rule", view_invoice_groups_predicate)
# View invoice_group
view_invoice_group_predicate = has_person & (
has_global_perm("tezor.view_invoice_group") | has_object_perm("tezor.view_invoice_group")
)
rules.add_perm("tezor.view_invoice_group_rule", view_invoice_group_predicate)
# Edit invoice groups # Edit invoice groups
edit_invoice_groups_predicate = has_person & ( edit_invoice_group_predicate = has_person & (
has_global_perm("tezor.edit_invoice_group") | has_any_object("tezor.edit_invoice_group", InvoiceGroup) has_global_perm("tezor.edit_invoice_group") | has_object_perm("tezor.edit_invoice_group")
) )
rules.add_perm("tezor.edit_invoice_groups_rule", edit_invoice_groups_predicate) rules.add_perm("tezor.edit_invoice_group_rule", edit_invoice_group_predicate)
# Create invoice groups # Create invoice groups
create_invoice_groups_predicate = has_person & ( create_invoice_groups_predicate = has_person & (
...@@ -53,26 +65,8 @@ delete_invoice_groups_predicate = has_person & ( ...@@ -53,26 +65,8 @@ delete_invoice_groups_predicate = has_person & (
) )
rules.add_perm("tezor.delete_invoice_groups_rule", delete_invoice_groups_predicate) rules.add_perm("tezor.delete_invoice_groups_rule", delete_invoice_groups_predicate)
# View invoices # View invoice
view_invoices_predicate = has_person & ( view_invoice_predicate = has_person & (
has_global_perm("tezor.view_invoice") | has_any_object("tezor.view_invoice", Invoice) has_global_perm("tezor.view_invoice") | has_object_perm("tezor.view_invoice")
)
rules.add_perm("tezor.view_invoices_rule", view_invoices_predicate)
# Edit invoices
edit_invoices_predicate = has_person & (
has_global_perm("tezor.edit_invoice") | has_any_object("tezor.edit_invoice", Invoice)
)
rules.add_perm("tezor.edit_invoices_rule", edit_invoices_predicate)
# Create invoices
create_invoices_predicate = has_person & (
has_global_perm("tezor.create_invoice") | has_any_object("tezor.create_invoice", Invoice)
)
rules.add_perm("tezor.create_invoices_rule", create_invoices_predicate)
# Delete invoices
delete_invoices_predicate = has_person & (
has_global_perm("tezor.delete_invoice") | has_any_object("tezor.delete_invoice", Invoice)
) )
rules.add_perm("tezor.delete_invoices_rule", delete_invoices_predicate) rules.add_perm("tezor.view_invoice_rule", view_invoice_predicate)
aleksis/apps/tezor/views.py
+ 7
7
View file @ 4d30e080
...@@ -59,7 +59,7 @@ class ClientEditView(PermissionRequiredMixin, AdvancedEditView): ...@@ -59,7 +59,7 @@ class ClientEditView(PermissionRequiredMixin, AdvancedEditView):
model = Client model = Client
form_class = EditClientForm form_class = EditClientForm
permission_required = "tezor.edit_clients_rule" permission_required = "tezor.edit_client_rule"
template_name = "tezor/client/edit.html" template_name = "tezor/client/edit.html"
success_url = reverse_lazy("clients") success_url = reverse_lazy("clients")
success_message = _("The client has been saved.") success_message = _("The client has been saved.")
...@@ -69,7 +69,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView): ...@@ -69,7 +69,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
"""Delete view for client.""" """Delete view for client."""
model = Client model = Client
permission_required = "tezor.delete_clients_rule" permission_required = "tezor.delete_client_rule"
template_name = "core/pages/delete.html" template_name = "core/pages/delete.html"
success_url = reverse_lazy("clients") success_url = reverse_lazy("clients")
success_message = _("The client has been deleted.") success_message = _("The client has been deleted.")
...@@ -78,7 +78,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView): ...@@ -78,7 +78,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
class ClientDetailView(PermissionRequiredMixin, DetailView): class ClientDetailView(PermissionRequiredMixin, DetailView):
model = Client model = Client
permission_required = "tezor.view_clients_rule" permission_required = "tezor.view_client_rule"
template_name = "tezor/client/full.html" template_name = "tezor/client/full.html"
def get_context_data(self, object): def get_context_data(self, object):
...@@ -94,7 +94,7 @@ class ClientDetailView(PermissionRequiredMixin, DetailView): ...@@ -94,7 +94,7 @@ class ClientDetailView(PermissionRequiredMixin, DetailView):
class InvoiceGroupDetailView(PermissionRequiredMixin, DetailView): class InvoiceGroupDetailView(PermissionRequiredMixin, DetailView):
model = InvoiceGroup model = InvoiceGroup
permission_required = "tezor.view_invoice_groups_rule" permission_required = "tezor.view_invoice_group_rule"
template_name = "tezor/invoice_group/full.html" template_name = "tezor/invoice_group/full.html"
def get_context_data(self, object): def get_context_data(self, object):
...@@ -132,7 +132,7 @@ class InvoiceGroupEditView(PermissionRequiredMixin, AdvancedEditView): ...@@ -132,7 +132,7 @@ class InvoiceGroupEditView(PermissionRequiredMixin, AdvancedEditView):
model = InvoiceGroup model = InvoiceGroup
form_class = EditInvoiceGroupForm form_class = EditInvoiceGroupForm
permission_required = "tezor.edit_invoice_groups_rule" permission_required = "tezor.edit_invoice_group_rule"
template_name = "tezor/invoice_group/edit.html" template_name = "tezor/invoice_group/edit.html"
success_url = reverse_lazy("invoice_groups") success_url = reverse_lazy("invoice_groups")
success_message = _("The invoice_group has been saved.") success_message = _("The invoice_group has been saved.")
...@@ -142,7 +142,7 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView): ...@@ -142,7 +142,7 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
"""Delete view for invoice_group.""" """Delete view for invoice_group."""
model = InvoiceGroup model = InvoiceGroup
permission_required = "tezor.delete_invoice_groups_rule" permission_required = "tezor.delete_invoice_group_rule"
template_name = "core/pages/delete.html" template_name = "core/pages/delete.html"
success_url = reverse_lazy("invoice_groups") success_url = reverse_lazy("invoice_groups")
success_message = _("The invoice_group has been deleted.") success_message = _("The invoice_group has been deleted.")
...@@ -151,5 +151,5 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView): ...@@ -151,5 +151,5 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
class InvoiceDetailView(PermissionRequiredMixin, DetailView): class InvoiceDetailView(PermissionRequiredMixin, DetailView):
model = Invoice model = Invoice
permission_required = "tezor.view_invoices_rule" permission_required = "tezor.view_invoice_rule"
template_name = "tezor/invoice/full.html" template_name = "tezor/invoice/full.html"
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment