diff --git a/apps/member/tables.py b/apps/member/tables.py index bc40368..a967692 100644 --- a/apps/member/tables.py +++ b/apps/member/tables.py @@ -43,8 +43,24 @@ class UserTable(tables.Table): section = tables.Column(accessor='profile__section') + # Override the column to let replace the URL + email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email)) + balance = tables.Column(accessor='note__balance', verbose_name=_("Balance")) + def render_email(self, record, value): + # Replace the email by a dash if the user can't see the profile detail + # Replace also the URL + if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile): + value = "—" + record.email = value + return value + + def render_section(self, record, value): + return value \ + if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \ + else "—" + def render_balance(self, record, value): return pretty_money(value)\ if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—" diff --git a/apps/member/templates/member/includes/profile_info.html b/apps/member/templates/member/includes/profile_info.html index b7f2fe7..e008ec6 100644 --- a/apps/member/templates/member/includes/profile_info.html +++ b/apps/member/templates/member/includes/profile_info.html @@ -25,25 +25,27 @@ -
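Review bot: `render_email` hides the address by assigning the placeholder to `record.email`, which mutates the model instance behind the table row and only changes the link if the `linkify` lambda runs after `render_email`. Under that ordering the cell is still rendered as a link, now pointing at `mailto:—`, and any later reader of the same `record` in the request sees the dash instead of the address. Consider doing the `member.view_profile` check inside the linkify callable and dropping `record.email = value`, so that `render_email` reduces to `return value if allowed else "—"`. A docstring such as `"""Show the email only to users holding member.view_profile on this profile."""` on `render_email` and `render_section` would state the rule once.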
{% trans 'section'|capfirst %}
-
{{ user_object.profile.section }}
+ {% if "member.view_profile"|has_perm:user_object.profile %} +
{% trans 'section'|capfirst %}
+
{{ user_object.profile.section }}
-
{% trans 'email'|capfirst %}
-
{{ user_object.email }}
+
{% trans 'email'|capfirst %}
+
{{ user_object.email }}
-
{% trans 'phone number'|capfirst %}
-
{{ user_object.profile.phone_number }} -
+
{% trans 'phone number'|capfirst %}
+
{{ user_object.profile.phone_number }} +
-
{% trans 'address'|capfirst %}
-
{{ user_object.profile.address }}
+
{% trans 'address'|capfirst %}
+
{{ user_object.profile.address }}
- {% if user_object.note and "note.view_note"|has_perm:user_object.note %} -
{% trans 'balance'|capfirst %}
-
{{ user_object.note.balance | pretty_money }}
+ {% if user_object.note and "note.view_note"|has_perm:user_object.note %} +
{% trans 'balance'|capfirst %}
+
{{ user_object.note.balance | pretty_money }}
-
{% trans 'paid'|capfirst %}
-
{{ user_object.profile.paid|yesno }}
+
{% trans 'paid'|capfirst %}
+
{{ user_object.profile.paid|yesno }}
+ {% endif %} {% endif %} diff --git a/apps/member/views.py b/apps/member/views.py index 9a585ed..73569c8 100644 --- a/apps/member/views.py +++ b/apps/member/views.py @@ -70,10 +70,11 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView): form.fields['email'].required = True form.fields['email'].help_text = _("This address must be valid.") - context['profile_form'] = self.profile_form(instance=context['user_object'].profile, - data=self.request.POST if self.request.POST else None) - if not self.object.profile.report_frequency: - del context['profile_form'].fields["last_report"] + if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile): + context['profile_form'] = self.profile_form(instance=context['user_object'].profile, + data=self.request.POST if self.request.POST else None) + if not self.object.profile.report_frequency: + del context['profile_form'].fields["last_report"] return context @@ -677,11 +678,13 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView): if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"): if not last_name: form.add_error('last_name', _("This field is required.")) + error = True if not first_name: form.add_error('first_name', _("This field is required.")) + error = True if not bank and credit_type.special_type == "Chèque": form.add_error('bank', _("This field is required.")) - return self.form_invalid(form) + error = True return not error diff --git a/apps/permission/fixtures/initial.json b/apps/permission/fixtures/initial.json index 8c7ec9b..7700f3e 100644 --- a/apps/permission/fixtures/initial.json +++ b/apps/permission/fixtures/initial.json 
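Review bot: The `member.change_profile` check added in `UserUpdateView` only decides whether `profile_form` is placed in the template context; on its own it does not prevent a hand-built POST from changing profile fields. The save path (presumably `form_valid`, outside this hunk) should apply the same `PermissionBackend.check_perm(self.request.user, "member.change_profile", ...)` test before it builds or saves a profile form. Any template or method that reads `context['profile_form']` must now tolerate the key being absent. A comment above the new `if`, for example `# profile_form is omitted when the user may not change the profile; the save path must re-check`, would make that contract explicit. The method begins before the hunk.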
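Review bot: In the `ClubAddMemberView` hunk, each inner branch now sets `error = True`, so the outer `if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):` only repeats the three inner conditions and can be removed, leaving the checks at one indent level. The new lines rely on `error` being assigned before this block; the trailing `return not error` suggests it is, but that assignment is outside the hunk. The enclosing method starts and ends outside the hunk.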
@@ -2839,6 +2839,22 @@ "description": "Voir n'importe quel profil non encore inscrit" } }, + { + "model": "permission.permission", + "pk": 182, + "fields": { + "model": [ + "auth", + "user" + ], + "query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}", + "type": "view", + "mask": 2, + "field": "", + "permanent": false, + "description": "Voir n'importe quel utilisateur qui est adhérent BDE" + } + }, { "model": "permission.role", "pk": 1, @@ -2971,14 +2987,14 @@ 62, 127, 133, - 135, 136, 141, 142, 150, 166, 167, - 168 + 168, + 182 ] } }, @@ -3271,7 +3287,12 @@ 170, 171, 176, - 177 + 177, + 178, + 179, + 180, + 181, + 182 ] } }, @@ -3466,7 +3487,9 @@ 56, 57, 58, + 137, 143, + 147, 150, 166, 167, @@ -3474,7 +3497,8 @@ 176, 177, 180, - 181 + 181, + 182 ] } }, diff --git a/apps/permission/models.py b/apps/permission/models.py index 1721489..9c1b2e6 100644 --- a/apps/permission/models.py +++ b/apps/permission/models.py @@ -45,6 +45,7 @@ class InstancedPermission: with transaction.atomic(): sid = transaction.savepoint() for o in self.model.model_class().objects.filter(pk=0).all(): + o._no_signal = True o._force_delete = True Model.delete(o) # An object with pk 0 wouldn't deleted. That's not normal, we alert admins. @@ -62,10 +63,6 @@ class InstancedPermission: obj._no_signal = True Model.save(obj, force_insert=True) ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists() - # Delete testing object - obj._no_signal = True - obj._force_delete = True - Model.delete(obj) transaction.savepoint_rollback(sid) return ret diff --git a/apps/permission/views.py b/apps/permission/views.py index d76a235..d77133d 100644 --- a/apps/permission/views.py +++ b/apps/permission/views.py 
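Review bot: Permission 182 is a `view` permission on `auth.user` with `"field": ""`, so if an empty `field` means every field of the model, each current BDE member can read all attributes of every other current member rather than a chosen subset. The email and section masking added in `apps/member/tables.py` checks `member.view_profile`, not this permission, so any other view or serializer that relies on the `auth.user` view permission alone should be checked for exposing `email`. If only names are needed, entries with explicit `field` values would be narrower. The later hunks in this file also change role membership for ids 135, 137, 147 and 178–181, which are not defined in this diff, and each of those grants or removals deserves a line in the commit description.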
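Review bot: In `apps/permission/models.py` the cleanup loop for leftover pk 0 rows runs after `sid = transaction.savepoint()`, so if the `transaction.savepoint_rollback(sid)` kept at the end of the second hunk targets the same savepoint, the `Model.delete(o)` is rolled back along with the probe insert and a stale row survives every call. Whether both hunks belong to one method is not visible here; if they do, take the savepoint after the cleanup loop. The flags `_no_signal` and `_force_delete` are set without explanation, and a one-line comment naming the handlers that read them would help the next reader. The method starts and ends outside the hunk.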
@@ -51,8 +51,10 @@ class ProtectQuerysetMixin: # No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make # a custom request. # We could also delete the field, but some views might be affected. + meta = form.instance._meta for key in form.base_fields: - if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object): + if not PermissionBackend.check_perm(self.request.user, + f"{meta.app_label}.change_{meta.model_name}_" + key, self.object): form.fields[key].widget = HiddenInput() return form
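Review bot: The permission codename is now built from `form.instance._meta` while the object passed to `check_perm` is still `self.object`, so the name and the instance can describe different models, and `form.instance` exists only on model forms. On create views `self.object` is typically `None`, which leaves the check without an instance to evaluate; passing `form.instance` in both places would keep them consistent. The codename mixes an f-string with concatenation, and `f"{meta.app_label}.change_{meta.model_name}_{key}"` reads more clearly. Swapping the widget for `HiddenInput` does not remove the field from submitted data, so the server-side rejection described in the context comment remains the actual control and should be covered by a test. The method starts outside the hunk.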