add view users permission

2024-12-12 22:29:14 +00:00 · 2024-12-12 22:29:14 +00:00 · ddcac55ba1
commit ddcac55ba1
parent b32626c6ca
4 changed files with 32 additions and 1 deletions
--- a/src/c3nav/control/migrations/0015_userpermissions_view_users_and_more.py
+++ b/src/c3nav/control/migrations/0015_userpermissions_view_users_and_more.py
@ -0,0 +1,23 @@
 # Generated by Django 5.0.8 on 2024-12-12 22:28
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('control', '0014_userpermissions_sources_access'),
    ]
    operations = [
        migrations.AddField(
            model_name='userpermissions',
            name='view_users',
            field=models.BooleanField(default=False, verbose_name='view user list in control panel'),
        ),
        migrations.AlterField(
            model_name='userpermissions',
            name='max_changeset_changes',
            field=models.PositiveSmallIntegerField(default=20, verbose_name='max changes per changeset'),
        ),
    ]
--- a/src/c3nav/control/models.py
+++ b/src/c3nav/control/models.py
@ -26,6 +26,7 @@ class UserPermissions(models.Model):
    manage_map_updates = models.BooleanField(default=False, verbose_name=_('manage map updates'))
    control_panel = models.BooleanField(default=False, verbose_name=_('can access control panel'))
    view_users = models.BooleanField(default=False, verbose_name=_('view user list in control panel'))
    grant_permissions = models.BooleanField(default=False, verbose_name=_('can grant control permissions'))
    manage_announcements = models.BooleanField(default=False, verbose_name=_('manage announcements'))
    grant_all_access = models.BooleanField(default=False, verbose_name=_('can grant access to everything'))
--- a/src/c3nav/control/templates/control/base.html
+++ b/src/c3nav/control/templates/control/base.html
@ -16,7 +16,9 @@
    <nav>
        <p>
            <a href="{% url 'control.index' %}">{% trans 'Overview' %}</a> &middot;
-            <a href="{% url 'control.users' %}">{% trans 'Users' %}</a> &middot;
+            {% if request.user_permissions.view_users %}
                <a href="{% url 'control.users' %}">{% trans 'Users' %}</a> &middot;
            {% endif %}
            <a href="{% url 'control.access' %}">{% trans 'Access' %}</a> &middot;
            {% if request.user_permissions.manage_announcements %}
                <a href="{% url 'control.announcements' %}">{% trans 'Announcements' %}</a> &middot;
--- a/src/c3nav/control/views/users.py
+++ b/src/c3nav/control/views/users.py
@ -1,6 +1,7 @@
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
 from django.core.exceptions import PermissionDenied
 from django.db import IntegrityError, transaction
 from django.db.models import Prefetch
 from django.shortcuts import get_object_or_404, redirect, render
@ -21,6 +22,7 @@ class UserListView(ControlPanelMixin, ListView):
    template_name = "control/users.html"
    ordering = "id"
    context_object_name = "users"
    user_permission = "view_users"
    def get_queryset(self):
        qs = super().get_queryset()
@ -33,6 +35,9 @@ class UserListView(ControlPanelMixin, ListView):
@login_required(login_url='site.login')
@control_panel_view
 def user_detail(request, user):  # todo: make class based view
    if not (request.user_permissions.view_users or user == request.user.pk):
        raise PermissionDenied
    qs = User.objects.select_related(
        'permissions',
    ).prefetch_related(