From 33ab4e481d2dde349ff6fd2907a4b89ebe47a9ee Mon Sep 17 00:00:00 2001 From: Christian Merten Date: Sun, 6 Apr 2025 18:49:19 +0200 Subject: [PATCH] fix(finance/admin): check existence and permission in finance admin views --- jdav_web/finance/admin.py | 35 ++++++++++++++----- .../finance/locale/de/LC_MESSAGES/django.po | 10 +++++- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/jdav_web/finance/admin.py b/jdav_web/finance/admin.py index 0f5237d..e24b5e9 100644 --- a/jdav_web/finance/admin.py +++ b/jdav_web/finance/admin.py @@ -40,6 +40,23 @@ class BillOnStatementInline(CommonAdminInlineMixin, admin.TabularInline): form = BillOnStatementInlineForm +def decorate_statement_view(model, perm=None): + def decorator(fun): + def aux(self, request, object_id): + try: + statement = model.objects.get(pk=object_id) + except model.DoesNotExist: + messages.error(request, _('Statement not found.')) + return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name))) + permitted = self.has_change_permission(request, statement) if not perm else request.user.has_perm(perm) + if not permitted: + messages.error(request, _('Insufficient permissions.')) + return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name))) + return fun(self, request, statement) + return aux + return decorator + + @admin.register(StatementUnSubmitted) class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin): fields = ['short_description', 'explanation', 'excursion', 'submitted'] @@ -77,8 +94,8 @@ class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin): ] return custom_urls + urls - def submit_view(self, request, object_id): - statement = Statement.objects.get(pk=object_id) + @decorate_statement_view(Statement) + def submit_view(self, request, statement): if statement.submitted: messages.error(request, _("%(name)s is already submitted.") % {'name': str(statement)}) 
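Review bot: In `aux` of `decorate_statement_view` the `model.objects.get` lookup runs before the permission check, so a caller who lacks permission still learns whether an id exists from the two distinct replies, 'Statement not found.' versus 'Insufficient permissions.', which makes the view an enumeration oracle on statement ids. When `perm` is given, `request.user.has_perm(perm)` needs no object and can run before the lookup; the object-level `has_change_permission` branch does need the object, so answering 'Statement not found.' for both outcomes on that path is what closes the gap, as in the rewrite below. `model.objects.get(pk=object_id)` also ignores the admin's `get_queryset(request)`, and a malformed id would raise something other than `DoesNotExist`; whether either matters depends on the URL patterns and proxy querysets outside this diff, so `self.get_object(request, object_id)` (which returns None in both cases) is only a safe replacement if those querysets are not narrower than `model`. Finally, `aux` should carry `functools.wraps(fun)` so the wrapped view keeps its name and docstring.
```python
        def aux(self, request, object_id):
            changelist = reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name))
            # A global permission needs no object, so check it before the lookup:
            # a denied caller then gets the same answer for existing and missing ids.
            if perm is not None and not request.user.has_perm(perm):
                messages.error(request, _('Insufficient permissions.'))
                return HttpResponseRedirect(changelist)
            try:
                statement = model.objects.get(pk=object_id)
            except model.DoesNotExist:
                statement = None
            # The object-level check cannot precede the lookup; one message for
            # "missing" and "not permitted" keeps the response from leaking existence.
            if statement is None or (perm is None and not self.has_change_permission(request, statement)):
                messages.error(request, _('Statement not found.'))
                return HttpResponseRedirect(changelist)
            return fun(self, request, statement)
        # … unchanged: return aux / return decorator …
```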
@@ -89,7 +106,7 @@ class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin): messages.success(request, _("Successfully submited %(name)s. The finance department will notify the requestors as soon as possible.") % {'name': str(statement)}) return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name))) - + if statement.excursion: memberlist = statement.excursion context = dict(self.admin_site.each_context(request), @@ -183,8 +200,8 @@ class StatementSubmittedAdmin(admin.ModelAdmin): ] return custom_urls + urls - def overview_view(self, request, object_id): - statement = StatementSubmitted.objects.get(pk=object_id) + @decorate_statement_view(StatementSubmitted) + def overview_view(self, request, statement): if not statement.submitted: messages.error(request, _("%(name)s is not yet submitted.") % {'name': str(statement)}) @@ -259,8 +276,8 @@ class StatementSubmittedAdmin(admin.ModelAdmin): return render(request, 'admin/overview_submitted_statement.html', context=context) - def reduce_transactions_view(self, request, object_id): - statement = StatementSubmitted.objects.get(pk=object_id) + @decorate_statement_view(StatementSubmitted) + def reduce_transactions_view(self, request, statement): statement.reduce_transactions() messages.success(request, _("Successfully reduced transactions for %(name)s.") % {'name': str(statement)}) @@ -307,8 +324,8 @@ class StatementConfirmedAdmin(admin.ModelAdmin): ] return custom_urls + urls - def unconfirm_view(self, request, object_id): - statement = StatementConfirmed.objects.get(pk=object_id) + @decorate_statement_view(StatementConfirmed, perm='finance.may_manage_confirmed_statements') + def unconfirm_view(self, request, statement): if not statement.confirmed: messages.error(request, _("%(name)s is not yet confirmed.") % {'name': str(statement)}) 
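Review bot: `reduce_transactions_view` (hunk `@@ -259,8 +276,8 @@`) now gets existence and permission checks from the decorator, but `statement.reduce_transactions()` still executes for any HTTP method, so a plain GET link or a browser prefetch mutates the statement outside Django's CSRF protection, which only covers unsafe methods. Guard the call with `if request.method != 'POST': return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name)))`, or apply `method_decorator(require_POST)` to the view, and have the admin template reach it through a POST form; I cannot see the URL pattern or the template, so this assumes nothing upstream already restricts the method. The method's body continues past the end of the hunk.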
diff --git a/jdav_web/finance/locale/de/LC_MESSAGES/django.po b/jdav_web/finance/locale/de/LC_MESSAGES/django.po index b4ba049..2a6f1a6 100644 --- a/jdav_web/finance/locale/de/LC_MESSAGES/django.po +++ b/jdav_web/finance/locale/de/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2025-02-01 21:11+0100\n" +"POT-Creation-Date: 2025-04-06 18:46+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -18,6 +18,14 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" +#: finance/admin.py +msgid "Statement not found." +msgstr "Abrechnung nicht gefunden." + +#: finance/admin.py +msgid "Insufficient permissions." +msgstr "Unzureichende Berechtigungen." + #: finance/admin.py #, python-format msgid "%(name)s is already submitted."