Enforce and test TODO_STAFF_ONLY setting
This commit is contained in:
parent
6953085285
commit
91b9a099a3
14 changed files with 81 additions and 51 deletions
@ -1,25 +1,22 @@
|
|||
import datetime
|
||||
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import render, redirect, get_object_or_404
|
||||
from django.core.exceptions import PermissionDenied
|
||||
|
||||
from todo.models import Task, TaskList
|
||||
from todo.utils import staff_only
|
||||
from todo.utils import staff_check
|
||||
|
||||
|
||||
@staff_only
|
||||
@login_required
|
||||
@user_passes_test(staff_check)
|
||||
def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
|
||||
"""Delete an entire list. Only staff members should be allowed to access this view.
|
||||
"""
|
||||
task_list = get_object_or_404(TaskList, id=list_id)
|
||||
|
||||
# Ensure user has permission to delete list. Admins can delete all lists.
|
||||
# Get the group this list belongs to, and check whether current user is a member of that group.
|
||||
# FIXME: This means any group member can delete lists, which is probably too permissive.
|
||||
# Ensure user has permission to delete list. Get the group this list belongs to,
|
||||
# and check whether current user is a member of that group AND a staffer.
|
||||
if task_list.group not in request.user.groups.all() and not request.user.is_staff:
|
||||
raise PermissionDenied
|
||||
|
||||
|
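Review bot: The new comment ("a member of that group AND a staffer") does not match the condition it describes: `if task_list.group not in request.user.groups.all() and not request.user.is_staff:` raises only when the user is neither, so any group member still passes regardless of `is_staff`, which is exactly what the removed FIXME warned about. Presumably the staff requirement is now meant to come from `@user_passes_test(staff_check)` when TODO_STAFF_ONLY is on, but if that check passes non-staff users when the setting is off, the body check is unchanged from before and the FIXME should stay. I would either reword the comment to `# Allow deletion when the user is a member of the list's group or is staff; the staff-only gate is applied by staff_check above.` or keep the FIXME until the condition is tightened. Note also that `user_passes_test` redirects unauthorised users to the login page rather than returning 403 like the PermissionDenied below, so behaviour differs between the two gates. The body of del_list continues past the end of this hunk.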