From 1450b65dcde895a37524324f55223810cf30a2d1 Mon Sep 17 00:00:00 2001
From: Ludovic Stephan
Date: Sat, 20 Feb 2021 15:46:44 +0100
Subject: [PATCH] Rework complet de `account_update`
---
 kfet/views.py | 155 +++++++++++++++++++++++---------------------------
 1 file changed, 70 insertions(+), 85 deletions(-)
diff --git a/kfet/views.py b/kfet/views.py
index 5322082c..992db0ec 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -16,7 +16,12 @@ from django.core.exceptions import SuspiciousOperation
 from django.db import transaction
 from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
 from django.forms import formset_factory
-from django.http import Http404, HttpResponseBadRequest, JsonResponse
+from django.http import (
+ Http404,
+ HttpResponseBadRequest,
+ HttpResponseForbidden,
+ JsonResponse,
+)
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
@@ -36,7 +41,6 @@ from kfet.forms import (
 AccountNegativeForm,
 AccountNoTriForm,
 AccountPwdForm,
- AccountRestrictForm,
 AccountStatForm,
 AccountTriForm,
 AddcostForm,
@@ -332,109 +336,89 @@ def account_read(request, trigramme):
 # Account - Update
-@login_required
+@teamkfet_required
 @kfet_password_auth
 def account_update(request, trigramme):
 account = get_object_or_404(Account, trigramme=trigramme)
 # Checking permissions
- if not account.editable or (
- not request.user.has_perm("kfet.is_team") and request.user != account.user
- ):
- raise Http404
+ if not account.editable:
+ # Plus de leak de trigramme !
+ return HttpResponseForbidden
 user_info_form = UserInfoForm(instance=account.user)
- if request.user.has_perm("kfet.is_team"):
- group_form = UserGroupForm(instance=account.user)
- account_form = AccountForm(instance=account)
- pwd_form = AccountPwdForm()
- if account.balance < 0 and not hasattr(account, "negative"):
- AccountNegative.objects.create(account=account, start=timezone.now())
- account.refresh_from_db()
- if hasattr(account, "negative"):
- negative_form = AccountNegativeForm(instance=account.negative)
- else:
- negative_form = None
+ group_form = UserGroupForm(instance=account.user)
+ account_form = AccountForm(instance=account)
+ pwd_form = AccountPwdForm()
+ if hasattr(account, "negative"):
+ negative_form = AccountNegativeForm(instance=account.negative)
 else:
- account_form = AccountRestrictForm(instance=account)
- group_form = None
 negative_form = None
- pwd_form = None
 if request.method == "POST":
- # Update attempt
- success = False
- missing_perm = True
+ self_update = request.user == account.user
+ account_form = AccountForm(request.POST, instance=account)
+ group_form = UserGroupForm(request.POST, instance=account.user)
+ pwd_form = AccountPwdForm(request.POST, account=account)
- if request.user.has_perm("kfet.is_team"):
- account_form = AccountForm(request.POST, instance=account)
- group_form = UserGroupForm(request.POST, instance=account.user)
- pwd_form = AccountPwdForm(request.POST)
- if hasattr(account, "negative"):
- negative_form = AccountNegativeForm(
- request.POST, instance=account.negative
- )
+ 
forms = []
+ warnings = []
- if request.user.has_perm("kfet.change_account") and account_form.is_valid():
- missing_perm = False
+ if self_update or request.user.has_perm("kfet.change_account"):
+ forms.append(account_form)
+ elif account_form.has_changed():
+ warnings.append("compte")
- # Updating
- account_form.save()
+ if request.user.has_perm("kfet.manage_perms"):
+ forms.append(group_form)
+ elif group_form.has_changed():
+ warnings.append("statut d'équipe")
- # Checking perm to update password
- if (
- request.user.has_perm("kfet.change_account_password")
- and pwd_form.is_valid()
- ):
- pwd = pwd_form.cleaned_data["pwd1"]
- account.change_pwd(pwd)
- account.save()
- messages.success(request, "Mot de passe mis à jour")
+ if hasattr(account, "negative"):
+ negative_form = AccountNegativeForm(request.POST, instance=account.negative)
- # Checking perm to manage perms
- if request.user.has_perm("kfet.manage_perms") and group_form.is_valid():
- group_form.save()
+ if request.user.has_perm("kfet.change_accountnegative"):
+ forms.append(negative_form)
+ elif negative_form.has_changed():
+ warnings.append("négatifs")
- if (
- hasattr(account, "negative")
- and request.user.has_perm("kfet.change_accountnegative")
- and negative_form.is_valid()
- ):
- negative_form.save()
+ # Il ne faut pas valider `pwd_form` si elle est inchangée
+ if pwd_form.has_changed():
+ if self_update or request.user.has_perm("kfet.change_account_password"):
+ forms.append(pwd_form)
+ else:
+ warnings.append("mot de passe")
- success = True
- messages.success(
- request,
- "Informations du compte %s mises à jour" % account.trigramme,
- )
-
- # Modification de ses propres informations
- if request.user == account.user:
- missing_perm = False
- account.refresh_from_db()
- account_form = AccountRestrictForm(request.POST, instance=account)
- pwd_form = AccountPwdForm(request.POST)
-
- if account_form.is_valid():
- account_form.save()
- success = True
- messages.success(request, "Vos informations 
ont été mises à jour")
-
- if request.user.has_perm("kfet.is_team") and pwd_form.is_valid():
- pwd = pwd_form.cleaned_data["pwd1"]
- account.change_pwd(pwd)
- account.save()
- messages.success(request, "Votre mot de passe a été mis à jour")
-
- if missing_perm:
- messages.error(request, "Permission refusée")
- if success:
- return redirect("kfet.account.read", account.trigramme)
- else:
+ # Updating account info
+ if forms == []:
 messages.error(
- request, "Informations non mises à jour. Corrigez les erreurs"
+ request, "Informations non mises à jour : permission refusée"
 )
+ else:
+ if all(form.is_valid() for form in forms):
+ for form in forms:
+ form.save()
+
+ if len(warnings):
+ messages.warning(
+ request,
+ "Permissions insuffisantes pour modifier"
+ " les informations suivantes : {}.".format(", ".join(warnings)),
+ )
+ if self_update:
+ messages.success(request, "Vos informations ont été mises à jour !")
+ else:
+ messages.success(
+ request,
+ "Informations du compte %s mises à jour" % account.trigramme,
+ )
+
+ return redirect("kfet.account.read", account.trigramme)
+ else:
+ messages.error(
+ request, "Informations non mises à jour : corrigez les erreurs"
+ )
 return render(
 request,
@@ -449,7 +433,8 @@ def account_update(request, trigramme):
 },
 )
- # Account - Delete
+
+# Account - Delete
 class AccountDelete(PermissionRequiredMixin, DeleteView):
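Review bot: `return HttpResponseForbidden` in the `not account.editable` guard returns the class, not a response object — it must be `return HttpResponseForbidden()`, otherwise the request ends in a server error once middleware touches the non-response instead of the intended 403. Second, the self-update path now binds the full `AccountForm` for any team member editing their own account (`if self_update or request.user.has_perm("kfet.change_account")`) where the removed code used `AccountRestrictForm`; if `AccountForm` exposes fields the restricted form withheld, a team member without `kfet.change_account` can now change them on their own account, which is worth confirming against kfet/forms.py before merging. The comment `# Plus de leak de trigramme !` is also hard to reconcile with the visible change: the removed code answered 404 for both a missing and a non-editable account, while the new 403 tells the caller the trigramme exists, which is only harmless because `@teamkfet_required` now gates the view — say that in the comment instead. Minor style: `if forms == []:` and `if len(warnings):` read better as `if not forms:` and `if warnings:`. The body of `account_update` continues outside the hunk (the `render(...)` call).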