Rework complet de account_update

This commit is contained in:
Ludovic Stephan 2021-02-20 15:46:44 +01:00
parent aac94afcd0
commit 1450b65dcd


@ -16,7 +16,12 @@ from django.core.exceptions import SuspiciousOperation
from django.db import transaction from django.db import transaction
from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
from django.forms import formset_factory from django.forms import formset_factory
from django.http import Http404, HttpResponseBadRequest, JsonResponse from django.http import (
Http404,
HttpResponseBadRequest,
HttpResponseForbidden,
JsonResponse,
)
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse, reverse_lazy from django.urls import reverse, reverse_lazy
from django.utils import timezone from django.utils import timezone
@ -36,7 +41,6 @@ from kfet.forms import (
AccountNegativeForm, AccountNegativeForm,
AccountNoTriForm, AccountNoTriForm,
AccountPwdForm, AccountPwdForm,
AccountRestrictForm,
AccountStatForm, AccountStatForm,
AccountTriForm, AccountTriForm,
AddcostForm, AddcostForm,
@ -332,109 +336,89 @@ def account_read(request, trigramme):
# Account - Update # Account - Update
@login_required @teamkfet_required
@kfet_password_auth @kfet_password_auth
def account_update(request, trigramme): def account_update(request, trigramme):
account = get_object_or_404(Account, trigramme=trigramme) account = get_object_or_404(Account, trigramme=trigramme)
# Checking permissions # Checking permissions
if not account.editable or ( if not account.editable:
not request.user.has_perm("kfet.is_team") and request.user != account.user # Plus de leak de trigramme !
): return HttpResponseForbidden
raise Http404
user_info_form = UserInfoForm(instance=account.user) user_info_form = UserInfoForm(instance=account.user)
if request.user.has_perm("kfet.is_team"): group_form = UserGroupForm(instance=account.user)
group_form = UserGroupForm(instance=account.user) account_form = AccountForm(instance=account)
account_form = AccountForm(instance=account) pwd_form = AccountPwdForm()
pwd_form = AccountPwdForm() if hasattr(account, "negative"):
if account.balance < 0 and not hasattr(account, "negative"): negative_form = AccountNegativeForm(instance=account.negative)
AccountNegative.objects.create(account=account, start=timezone.now())
account.refresh_from_db()
if hasattr(account, "negative"):
negative_form = AccountNegativeForm(instance=account.negative)
else:
negative_form = None
else: else:
account_form = AccountRestrictForm(instance=account)
group_form = None
negative_form = None negative_form = None
pwd_form = None
if request.method == "POST": if request.method == "POST":
# Update attempt self_update = request.user == account.user
success = False account_form = AccountForm(request.POST, instance=account)
missing_perm = True group_form = UserGroupForm(request.POST, instance=account.user)
pwd_form = AccountPwdForm(request.POST, account=account)
if request.user.has_perm("kfet.is_team"): forms = []
account_form = AccountForm(request.POST, instance=account) warnings = []
group_form = UserGroupForm(request.POST, instance=account.user)
pwd_form = AccountPwdForm(request.POST)
if hasattr(account, "negative"):
negative_form = AccountNegativeForm(
request.POST, instance=account.negative
)
if request.user.has_perm("kfet.change_account") and account_form.is_valid(): if self_update or request.user.has_perm("kfet.change_account"):
missing_perm = False forms.append(account_form)
elif account_form.has_changed():
warnings.append("compte")
# Updating if request.user.has_perm("kfet.manage_perms"):
account_form.save() forms.append(group_form)
elif group_form.has_changed():
warnings.append("statut d'équipe")
# Checking perm to update password if hasattr(account, "negative"):
if ( negative_form = AccountNegativeForm(request.POST, instance=account.negative)
request.user.has_perm("kfet.change_account_password")
and pwd_form.is_valid()
):
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Mot de passe mis à jour")
# Checking perm to manage perms if request.user.has_perm("kfet.change_accountnegative"):
if request.user.has_perm("kfet.manage_perms") and group_form.is_valid(): forms.append(negative_form)
group_form.save() elif negative_form.has_changed():
warnings.append("négatifs")
if ( # Il ne faut pas valider `pwd_form` si elle est inchangée
hasattr(account, "negative") if pwd_form.has_changed():
and request.user.has_perm("kfet.change_accountnegative") if self_update or request.user.has_perm("kfet.change_account_password"):
and negative_form.is_valid() forms.append(pwd_form)
): else:
negative_form.save() warnings.append("mot de passe")
success = True # Updating account info
messages.success( if forms == []:
request,
"Informations du compte %s mises à jour" % account.trigramme,
)
# Modification de ses propres informations
if request.user == account.user:
missing_perm = False
account.refresh_from_db()
account_form = AccountRestrictForm(request.POST, instance=account)
pwd_form = AccountPwdForm(request.POST)
if account_form.is_valid():
account_form.save()
success = True
messages.success(request, "Vos informations ont été mises à jour")
if request.user.has_perm("kfet.is_team") and pwd_form.is_valid():
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Votre mot de passe a été mis à jour")
if missing_perm:
messages.error(request, "Permission refusée")
if success:
return redirect("kfet.account.read", account.trigramme)
else:
messages.error( messages.error(
request, "Informations non mises à jour. Corrigez les erreurs" request, "Informations non mises à jour : permission refusée"
) )
else:
if all(form.is_valid() for form in forms):
for form in forms:
form.save()
if len(warnings):
messages.warning(
request,
"Permissions insuffisantes pour modifier"
" les informations suivantes : {}.".format(", ".join(warnings)),
)
if self_update:
messages.success(request, "Vos informations ont été mises à jour !")
else:
messages.success(
request,
"Informations du compte %s mises à jour" % account.trigramme,
)
return redirect("kfet.account.read", account.trigramme)
else:
messages.error(
request, "Informations non mises à jour : corrigez les erreurs"
)
return render( return render(
request, request,
@ -449,7 +433,8 @@ def account_update(request, trigramme):
}, },
) )
# Account - Delete
# Account - Delete
class AccountDelete(PermissionRequiredMixin, DeleteView): class AccountDelete(PermissionRequiredMixin, DeleteView):
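Review bot: In the account_update hunk the permission branch `return HttpResponseForbidden` returns the class object rather than a response instance, so a non-editable account will make Django fail with a "did not return an HttpResponse" error instead of answering 403; it should read `return HttpResponseForbidden()` (the name is already imported in the first hunk). The same hunk also drops AccountRestrictForm and binds the full `AccountForm(request.POST, instance=account)` when `self_update` is true, whereas the old code deliberately limited a user's edits of their own account to the restricted form — if AccountForm exposes fields the restricted form withheld, a team member can now change those on themselves, so this widening is worth confirming or documenting with a comment such as `# self-edits use the full AccountForm on purpose: <reason>`. Minor style: `if forms == []:` and `if len(warnings):` are more idiomatic as `if not forms:` and `if warnings:`. The AccountDelete class at the end of the last hunk continues outside this page.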