delete access permissions… permissions

2017-12-19 12:17:48 +01:00 · 2017-12-19 12:17:48 +01:00 · 8900a70d2a
commit 8900a70d2a
parent b41bc22047
2 changed files with 23 additions and 13 deletions
--- a/src/c3nav/control/templates/control/user.html
+++ b/src/c3nav/control/templates/control/user.html
@ -30,18 +30,24 @@
        <table>
            <tr>
                <th>{% trans 'Access Restriction' %}</th>
+                <th>{% trans 'author' %}</th>
                <th>{% trans 'expires' %}</th>
                <th>{% trans 'can grant' %}</th>
-                {% if request.user_permissions.grant_all_access %}
+                <th>{% trans 'key' %}</th>
                <th></th>
-                {% endif %}
            </tr>
            {% for access_permission in user.accesspermissions.all %}
                <tr>
                    <td>{{ access_permission.access_restriction.title }}</td>
+                    <td>
+                        {% if access_permission.author %}
+                            <a href="{% url 'control.users.detail' user=access_permission.author_id %}">{{ access_permission.author.username }}</a>
+                        {% endif %}
+                    </td>
                    <td>{% if access_permission.expire_date %}{{ access_permission.expire_date }}{% else %}{% trans 'never' %}{% endif %}</td>
                    <td>{% if access_permission.can_grant %}{% trans 'Yes' %}{% else %}{% trans 'No' %}{% endif %}</td>
-                    {% if request.user_permissions.grant_all_access %}
+                    <td>{{ access_permission. }}{% if access_permission.can_grant %}{% trans 'Yes' %}{% else %}{% trans 'No' %}{% endif %}</td>
+                    {% if request.user_permissions.grant_all_access or request.user == access_permission.author %}
                        <td class="button-cell"><button type="submit" name="delete_access_permission" value="{{ access_permission.pk }}">{% trans 'Delete' %}</button></td>
                    {% endif %}
                </tr>
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@ -56,20 +56,24 @@ def user_detail(request, user):
    qs = User.objects.select_related(
        'permissions',
    ).prefetch_related(
-        Prefetch('accesspermissions', AccessPermission.objects.select_related('access_restriction'))
+        Prefetch('accesspermissions', AccessPermission.objects.select_related('access_restriction', 'author'))
    )
    user = get_object_or_404(qs, pk=user)

    if request.method == 'POST':
        delete_access_permission = request.POST.get('delete_access_permission')
        if delete_access_permission:
+            with transaction.atomic():
                try:
-                permission = AccessPermission.objects.get(pk=delete_access_permission)
+                    permission = AccessPermission.objects.select_for_update().get(pk=delete_access_permission)
                except AccessPermission.DoesNotExist:
                    messages.error(request, _('Unknown access permission.'))
                else:
+                    if request.user_permissions.can_grant or permission.author_id == request.user.pk:
                        permission.delete()
                        messages.success(request, _('Access Permission successfully deleted.'))
+                    else:
+                        messages.error(request, _('You cannot delete this Access Permission.'))
                return redirect(request.path_info)

    ctx = {