Enforce and test TODO_STAFF_ONLY setting
This commit is contained in:
Scot Hacker
parent
6953085285
commit
91b9a099a3
14 changed files with 81 additions and 51 deletions
|
|
@ -1,20 +1,25 @@
|
|||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.db import IntegrityError
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import redirect, render
|
||||
from django.utils.text import slugify
|
||||
|
||||
from todo.forms import AddTaskListForm
|
||||
from todo.utils import staff_only
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@staff_only
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def add_list(request) -> HttpResponse:
|
||||
"""Allow users to add a new todo list to the group they're in.
|
||||
"""
|
||||
|
||||
# Only staffers can add lists.
|
||||
if not request.user.is_staff:
|
||||
raise PermissionDenied
|
||||
|
||||
if request.POST:
|
||||
form = AddTaskListForm(request.user, request.POST)
|
||||
if form.is_valid():
|
||||
|
|
@ -33,6 +38,7 @@ def add_list(request) -> HttpResponse:
|
|||
)
|
||||
else:
|
||||
if request.user.groups.all().count() == 1:
|
||||
# FIXME: Assuming first of user's groups here; better to prompt for group
|
||||
form = AddTaskListForm(request.user, initial={"group": request.user.groups.all()[0]})
|
||||
else:
|
||||
form = AddTaskListForm(request.user)
|
||||
|
|
|
|||
|
|
@ -1,25 +1,22 @@
|
|||
import datetime
|
||||
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import render, redirect, get_object_or_404
|
||||
from django.core.exceptions import PermissionDenied
|
||||
|
||||
from todo.models import Task, TaskList
|
||||
from todo.utils import staff_only
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@staff_only
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
|
||||
"""Delete an entire list. Only staff members should be allowed to access this view.
|
||||
"""
|
||||
task_list = get_object_or_404(TaskList, id=list_id)
|
||||
|
||||
# Ensure user has permission to delete list. Admins can delete all lists.
|
||||
# Get the group this list belongs to, and check whether current user is a member of that group.
|
||||
# FIXME: This means any group member can delete lists, which is probably too permissive.
|
||||
# Ensure user has permission to delete list. Get the group this list belongs to,
|
||||
# and check whether current user is a member of that group AND a staffer.
|
||||
if task_list.group not in request.user.groups.all() and not request.user.is_staff:
|
||||
raise PermissionDenied
|
||||
|
||||
|
|
|
|||
|
|
@ -1,13 +1,16 @@
|
|||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import get_object_or_404, redirect
|
||||
from django.urls import reverse
|
||||
|
||||
from todo.models import Task
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def delete_task(request, task_id: int) -> HttpResponse:
|
||||
"""Delete specified task.
|
||||
Redirect to the list from which the task came.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
from django.conf import settings
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.contrib.auth.models import User
|
||||
from django.contrib.sites.models import Site
|
||||
from django.core.mail import send_mail
|
||||
|
|
@ -10,9 +10,11 @@ from django.template.loader import render_to_string
|
|||
|
||||
from todo.forms import AddExternalTaskForm
|
||||
from todo.models import TaskList
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def external_add(request) -> HttpResponse:
|
||||
"""Allow authenticated users who don't have access to the rest of the ticket system to file a ticket
|
||||
in the list specified in settings (e.g. django-todo can be used a ticket filing system for a school, where
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
import bleach
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
|
|
@ -8,10 +8,11 @@ from django.utils import timezone
|
|||
|
||||
from todo.forms import AddEditTaskForm
|
||||
from todo.models import Task, TaskList
|
||||
from todo.utils import send_notify_mail
|
||||
from todo.utils import send_notify_mail, staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def list_detail(request, list_id=None, list_slug=None, view_completed=False) -> HttpResponse:
|
||||
"""Display and manage tasks in a todo list.
|
||||
"""
|
||||
|
|
|
|||
|
|
@ -1,15 +1,17 @@
|
|||
import datetime
|
||||
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import render
|
||||
|
||||
from todo.forms import SearchForm
|
||||
from todo.models import Task, TaskList
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def list_lists(request) -> HttpResponse:
|
||||
"""Homepage view - list of lists a user can view, and ability to add a list.
|
||||
"""
|
||||
|
|
|
|||
|
|
@ -1,12 +1,14 @@
|
|||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.http import HttpResponse
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
|
||||
from todo.models import Task
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def reorder_tasks(request) -> HttpResponse:
|
||||
"""Handle task re-ordering (priorities) from JQuery drag/drop in list_detail.html
|
||||
"""
|
||||
|
|
|
|||
|
|
@ -1,18 +1,22 @@
|
|||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.db.models import Q
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import render
|
||||
|
||||
from todo.models import Task
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def search(request) -> HttpResponse:
|
||||
"""Search for tasks user has permission to see.
|
||||
"""
|
||||
|
||||
query_string = ""
|
||||
|
||||
if request.GET:
|
||||
|
||||
query_string = ""
|
||||
found_tasks = None
|
||||
if ("q" in request.GET) and request.GET["q"].strip():
|
||||
query_string = request.GET["q"]
|
||||
|
|
@ -29,7 +33,6 @@ def search(request) -> HttpResponse:
|
|||
found_tasks = found_tasks.exclude(completed=True)
|
||||
|
||||
else:
|
||||
query_string = None
|
||||
found_tasks = None
|
||||
|
||||
# Only include tasks that are in groups of which this user is a member:
|
||||
|
|
|
|||
|
|
@ -2,17 +2,18 @@ import datetime
|
|||
|
||||
import bleach
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
|
||||
from todo.forms import AddEditTaskForm
|
||||
from todo.models import Comment, Task
|
||||
from todo.utils import send_email_to_thread_participants, toggle_task_completed
|
||||
from todo.utils import send_email_to_thread_participants, toggle_task_completed, staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def task_detail(request, task_id: int) -> HttpResponse:
|
||||
"""View task details. Allow task details to be edited. Process new comments on task.
|
||||
"""
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import get_object_or_404, redirect
|
||||
|
|
@ -7,9 +7,11 @@ from django.urls import reverse
|
|||
|
||||
from todo.models import Task
|
||||
from todo.utils import toggle_task_completed
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def toggle_done(request, task_id: int) -> HttpResponse:
|
||||
"""Toggle the completed status of a task from done to undone, or vice versa.
|
||||
Redirect to the list from which the task came.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue