Rework complet de account_update

This commit is contained in:
Ludovic Stephan 2021-02-20 15:46:44 +01:00
parent aac94afcd0
commit 1450b65dcd

View file

@ -16,7 +16,12 @@ from django.core.exceptions import SuspiciousOperation
from django.db import transaction
from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
from django.forms import formset_factory
from django.http import Http404, HttpResponseBadRequest, JsonResponse
from django.http import (
Http404,
HttpResponseBadRequest,
HttpResponseForbidden,
JsonResponse,
)
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse, reverse_lazy
from django.utils import timezone
@ -36,7 +41,6 @@ from kfet.forms import (
AccountNegativeForm,
AccountNoTriForm,
AccountPwdForm,
AccountRestrictForm,
AccountStatForm,
AccountTriForm,
AddcostForm,
@ -332,108 +336,88 @@ def account_read(request, trigramme):
# Account - Update
@login_required
@teamkfet_required
@kfet_password_auth
def account_update(request, trigramme):
account = get_object_or_404(Account, trigramme=trigramme)
# Checking permissions
if not account.editable or (
not request.user.has_perm("kfet.is_team") and request.user != account.user
):
raise Http404
if not account.editable:
# Plus de leak de trigramme !
return HttpResponseForbidden
user_info_form = UserInfoForm(instance=account.user)
if request.user.has_perm("kfet.is_team"):
group_form = UserGroupForm(instance=account.user)
account_form = AccountForm(instance=account)
pwd_form = AccountPwdForm()
if account.balance < 0 and not hasattr(account, "negative"):
AccountNegative.objects.create(account=account, start=timezone.now())
account.refresh_from_db()
if hasattr(account, "negative"):
negative_form = AccountNegativeForm(instance=account.negative)
else:
negative_form = None
else:
account_form = AccountRestrictForm(instance=account)
group_form = None
negative_form = None
pwd_form = None
if request.method == "POST":
# Update attempt
success = False
missing_perm = True
if request.user.has_perm("kfet.is_team"):
self_update = request.user == account.user
account_form = AccountForm(request.POST, instance=account)
group_form = UserGroupForm(request.POST, instance=account.user)
pwd_form = AccountPwdForm(request.POST)
pwd_form = AccountPwdForm(request.POST, account=account)
forms = []
warnings = []
if self_update or request.user.has_perm("kfet.change_account"):
forms.append(account_form)
elif account_form.has_changed():
warnings.append("compte")
if request.user.has_perm("kfet.manage_perms"):
forms.append(group_form)
elif group_form.has_changed():
warnings.append("statut d'équipe")
if hasattr(account, "negative"):
negative_form = AccountNegativeForm(
request.POST, instance=account.negative
negative_form = AccountNegativeForm(request.POST, instance=account.negative)
if request.user.has_perm("kfet.change_accountnegative"):
forms.append(negative_form)
elif negative_form.has_changed():
warnings.append("négatifs")
# Il ne faut pas valider `pwd_form` si elle est inchangée
if pwd_form.has_changed():
if self_update or request.user.has_perm("kfet.change_account_password"):
forms.append(pwd_form)
else:
warnings.append("mot de passe")
# Updating account info
if forms == []:
messages.error(
request, "Informations non mises à jour : permission refusée"
)
else:
if all(form.is_valid() for form in forms):
for form in forms:
form.save()
if request.user.has_perm("kfet.change_account") and account_form.is_valid():
missing_perm = False
# Updating
account_form.save()
# Checking perm to update password
if (
request.user.has_perm("kfet.change_account_password")
and pwd_form.is_valid()
):
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Mot de passe mis à jour")
# Checking perm to manage perms
if request.user.has_perm("kfet.manage_perms") and group_form.is_valid():
group_form.save()
if (
hasattr(account, "negative")
and request.user.has_perm("kfet.change_accountnegative")
and negative_form.is_valid()
):
negative_form.save()
success = True
if len(warnings):
messages.warning(
request,
"Permissions insuffisantes pour modifier"
" les informations suivantes : {}.".format(", ".join(warnings)),
)
if self_update:
messages.success(request, "Vos informations ont été mises à jour !")
else:
messages.success(
request,
"Informations du compte %s mises à jour" % account.trigramme,
)
# Modification de ses propres informations
if request.user == account.user:
missing_perm = False
account.refresh_from_db()
account_form = AccountRestrictForm(request.POST, instance=account)
pwd_form = AccountPwdForm(request.POST)
if account_form.is_valid():
account_form.save()
success = True
messages.success(request, "Vos informations ont été mises à jour")
if request.user.has_perm("kfet.is_team") and pwd_form.is_valid():
pwd = pwd_form.cleaned_data["pwd1"]
account.change_pwd(pwd)
account.save()
messages.success(request, "Votre mot de passe a été mis à jour")
if missing_perm:
messages.error(request, "Permission refusée")
if success:
return redirect("kfet.account.read", account.trigramme)
else:
messages.error(
request, "Informations non mises à jour. Corrigez les erreurs"
request, "Informations non mises à jour : corrigez les erreurs"
)
return render(
@ -449,7 +433,8 @@ def account_update(request, trigramme):
},
)
# Account - Delete
# Account - Delete
class AccountDelete(PermissionRequiredMixin, DeleteView):