Rework complet de account_update

This commit is contained in:
Ludovic Stephan 2021-02-20 15:46:44 +01:00
parent aac94afcd0
commit 1450b65dcd


@ -16,7 +16,12 @@ from django.core.exceptions import SuspiciousOperation
from django.db import transaction from django.db import transaction
from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
from django.forms import formset_factory from django.forms import formset_factory
from django.http import Http404, HttpResponseBadRequest, JsonResponse from django.http import (
Http404,
HttpResponseBadRequest,
HttpResponseForbidden,
JsonResponse,
)
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse, reverse_lazy from django.urls import reverse, reverse_lazy
from django.utils import timezone from django.utils import timezone
@ -36,7 +41,6 @@ from kfet.forms import (
AccountNegativeForm, AccountNegativeForm,
AccountNoTriForm, AccountNoTriForm,
AccountPwdForm, AccountPwdForm,
AccountRestrictForm,
AccountStatForm, AccountStatForm,
AccountTriForm, AccountTriForm,
AddcostForm, AddcostForm,
@ -332,108 +336,88 @@ def account_read(request, trigramme):
# Account - Update # Account - Update
@login_required @teamkfet_required
@kfet_password_auth @kfet_password_auth
def account_update(request, trigramme): def account_update(request, trigramme):
account = get_object_or_404(Account, trigramme=trigramme) account = get_object_or_404(Account, trigramme=trigramme)
# Checking permissions # Checking permissions
if not account.editable or ( if not account.editable:
not request.user.has_perm("kfet.is_team") and request.user != account.user # Plus de leak de trigramme !
): return HttpResponseForbidden
raise Http404
user_info_form = UserInfoForm(instance=account.user) user_info_form = UserInfoForm(instance=account.user)
if request.user.has_perm("kfet.is_team"):
group_form = UserGroupForm(instance=account.user) group_form = UserGroupForm(instance=account.user)
account_form = AccountForm(instance=account) account_form = AccountForm(instance=account)
pwd_form = AccountPwdForm() pwd_form = AccountPwdForm()
if account.balance < 0 and not hasattr(account, "negative"):
AccountNegative.objects.create(account=account, start=timezone.now())
account.refresh_from_db()
if hasattr(account, "negative"): if hasattr(account, "negative"):
negative_form = AccountNegativeForm(instance=account.negative) negative_form = AccountNegativeForm(instance=account.negative)
else: else:
negative_form = None negative_form = None
else:
account_form = AccountRestrictForm(instance=account)
group_form = None
negative_form = None
pwd_form = None
if request.method == "POST": if request.method == "POST":
# Update attempt self_update = request.user == account.user
success = False
missing_perm = True
if request.user.has_perm("kfet.is_team"):
account_form = AccountForm(request.POST, instance=account) account_form = AccountForm(request.POST, instance=account)
group_form = UserGroupForm(request.POST, instance=account.user) group_form = UserGroupForm(request.POST, instance=account.user)
pwd_form = AccountPwdForm(request.POST) pwd_form = AccountPwdForm(request.POST, account=account)
forms = []
warnings = []
if self_update or request.user.has_perm("kfet.change_account"):
forms.append(account_form)
elif account_form.has_changed():
warnings.append("compte")
if request.user.has_perm("kfet.manage_perms"):
forms.append(group_form)
elif group_form.has_changed():
warnings.append("statut d'équipe")
if hasattr(account, "negative"): if hasattr(account, "negative"):
negative_form = AccountNegativeForm( negative_form = AccountNegativeForm(request.POST, instance=account.negative)
request.POST, instance=account.negative
if request.user.has_perm("kfet.change_accountnegative"):
forms.append(negative_form)
elif negative_form.has_changed():
warnings.append("négatifs")
# Il ne faut pas valider `pwd_form` si elle est inchangée
if pwd_form.has_changed():
if self_update or request.user.has_perm("kfet.change_account_password"):
forms.append(pwd_form)
else:
warnings.append("mot de passe")
# Updating account info
if forms == []:
messages.error(
request, "Informations non mises à jour : permission refusée"
) )
else:
if all(form.is_valid() for form in forms):
for form in forms:
form.save()
if request.user.has_perm("kfet.change_account") and account_form.is_valid(): if len(warnings):
missing_perm = False messages.warning(
request,
# Updating "Permissions insuffisantes pour modifier"
account_form.save() " les informations suivantes : {}.".format(", ".join(warnings)),
)
# Checking perm to update password if self_update:
if ( messages.success(request, "Vos informations ont été mises à jour !")
request.user.has_perm("kfet.change_account_password") else:
and pwd_form.is_valid()
):
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Mot de passe mis à jour")
# Checking perm to manage perms
if request.user.has_perm("kfet.manage_perms") and group_form.is_valid():
group_form.save()
if (
hasattr(account, "negative")
and request.user.has_perm("kfet.change_accountnegative")
and negative_form.is_valid()
):
negative_form.save()
success = True
messages.success( messages.success(
request, request,
"Informations du compte %s mises à jour" % account.trigramme, "Informations du compte %s mises à jour" % account.trigramme,
) )
# Modification de ses propres informations
if request.user == account.user:
missing_perm = False
account.refresh_from_db()
account_form = AccountRestrictForm(request.POST, instance=account)
pwd_form = AccountPwdForm(request.POST)
if account_form.is_valid():
account_form.save()
success = True
messages.success(request, "Vos informations ont été mises à jour")
if request.user.has_perm("kfet.is_team") and pwd_form.is_valid():
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Votre mot de passe a été mis à jour")
if missing_perm:
messages.error(request, "Permission refusée")
if success:
return redirect("kfet.account.read", account.trigramme) return redirect("kfet.account.read", account.trigramme)
else: else:
messages.error( messages.error(
request, "Informations non mises à jour. Corrigez les erreurs" request, "Informations non mises à jour : corrigez les erreurs"
) )
return render( return render(
@ -449,7 +433,8 @@ def account_update(request, trigramme):
}, },
) )
# Account - Delete
# Account - Delete
class AccountDelete(PermissionRequiredMixin, DeleteView): class AccountDelete(PermissionRequiredMixin, DeleteView):
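Review bot: `return HttpResponseForbidden` in the `if not account.editable:` branch returns the class object rather than a response instance, so Django will not receive an HttpResponse from the view on that path; it should read `return HttpResponseForbidden()`. The forms are saved one after another with `form.save()` after a single `all(form.is_valid() for form in forms)` pass, so a failure in a later save would leave the earlier ones committed; wrapping that loop in `with transaction.atomic():` (the module already imports `transaction`) would keep the update all-or-nothing. The `# Plus de leak de trigramme !` comment is hard to reconcile with the code as written, since the 403 is only reached after `get_object_or_404` has already confirmed the trigramme exists — if the intent is that only team members (now enforced by `@teamkfet_required`) reach this view, the comment could state that instead. The `render(...)` tail of account_update continues outside this hunk.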