From 8900a70d2a03f54a21b8fecd918ce3d45238c244 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?=
Date: Tue, 19 Dec 2017 12:17:48 +0100
Subject: [PATCH] =?UTF-8?q?delete=20access=20permissions=E2=80=A6=20permis?= =?UTF-8?q?sions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/c3nav/control/templates/control/user.html | 14 ++++++++----
 src/c3nav/control/views.py | 22 +++++++++++--------
 2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/src/c3nav/control/templates/control/user.html b/src/c3nav/control/templates/control/user.html
index b0ad62ee..c927a598 100644
--- a/src/c3nav/control/templates/control/user.html
+++ b/src/c3nav/control/templates/control/user.html
@@ -30,18 +30,24 @@
+ - {% if request.user_permissions.grant_all_access %} - - {% endif %} + + {% for access_permission in user.accesspermissions.all %} + - {% if request.user_permissions.grant_all_access %} + + {% if request.user_permissions.grant_all_access or request.user == access_permission.author %} {% endif %}
diff --git a/src/c3nav/control/views.py b/src/c3nav/control/views.py
index 91893de2..6b7a9c95 100644
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@@ -56,21 +56,25 @@ def user_detail(request, user):
 qs = User.objects.select_related(
 'permissions',
 ).prefetch_related(
- Prefetch('accesspermissions', AccessPermission.objects.select_related('access_restriction'))
+ Prefetch('accesspermissions', AccessPermission.objects.select_related('access_restriction', 'author'))
 )
 user = get_object_or_404(qs, pk=user)
 if request.method == 'POST':
 delete_access_permission = request.POST.get('delete_access_permission')
 if delete_access_permission:
- try:
- permission = AccessPermission.objects.get(pk=delete_access_permission)
- except AccessPermission.DoesNotExist:
- messages.error(request, _('Unknown access permission.'))
- else:
- permission.delete()
- messages.success(request, _('Access Permission successfully deleted.'))
- return redirect(request.path_info)
+ with transaction.atomic():
+ try:
+ permission = AccessPermission.objects.select_for_update().get(pk=delete_access_permission)
+ except AccessPermission.DoesNotExist:
+ messages.error(request, _('Unknown access permission.'))
+ else:
+ if request.user_permissions.can_grant or permission.author_id == request.user.pk:
+ permission.delete()
+ messages.success(request, _('Access Permission successfully deleted.'))
+ else:
+ messages.error(request, _('You cannot delete this Access Permission.'))
+ return redirect(request.path_info)
 ctx = {
 'user': user,
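Review bot: The server-side delete check tests `request.user_permissions.can_grant`, while the template in this same patch shows the delete control under `request.user_permissions.grant_all_access or request.user == access_permission.author`; elsewhere on the page `can_grant` appears only as a field of an access permission, so the view is probably meant to read `if request.user_permissions.grant_all_access or permission.author_id == request.user.pk:`. As written, the view and the template can disagree about who may delete, and the view is the check that actually enforces it. The lookup is also by primary key alone, so a POST to one user's page can act on a permission that belongs to a different user; scoping it as `user.accesspermissions.select_for_update().get(pk=delete_access_permission)` keeps the action tied to the page being viewed. This is the only hunk in views.py, so `transaction` must already be imported in that file, which is not visible here; user_detail's body continues outside the hunk.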
{% trans 'Access Restriction' %}{% trans 'author' %} {% trans 'expires' %} {% trans 'can grant' %}{% trans 'key' %}
{{ access_permission.access_restriction.title }} + {% if access_permission.author %} + {{ access_permission.author.username }} + {% endif %} + {% if access_permission.expire_date %}{{ access_permission.expire_date }}{% else %}{% trans 'never' %}{% endif %} {% if access_permission.can_grant %}{% trans 'Yes' %}{% else %}{% trans 'No' %}{% endif %}{{ access_permission. }}{% if access_permission.can_grant %}{% trans 'Yes' %}{% else %}{% trans 'No' %}{% endif %}