fix(finance/admin): check existence and permission in finance admin views

MK/finance_workflow
Christian Merten 8 months ago
parent d913c8049d
commit 33ab4e481d
Signed by: christian.merten
GPG Key ID: D953D69721B948B3

@ -40,6 +40,23 @@ class BillOnStatementInline(CommonAdminInlineMixin, admin.TabularInline):
form = BillOnStatementInlineForm form = BillOnStatementInlineForm
def decorate_statement_view(model, perm=None):
def decorator(fun):
def aux(self, request, object_id):
try:
statement = model.objects.get(pk=object_id)
except model.DoesNotExist:
messages.error(request, _('Statement not found.'))
return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name)))
permitted = self.has_change_permission(request, statement) if not perm else request.user.has_perm(perm)
if not permitted:
messages.error(request, _('Insufficient permissions.'))
return HttpResponseRedirect(reverse('admin:%s_%s_changelist' % (self.opts.app_label, self.opts.model_name)))
return fun(self, request, statement)
return aux
return decorator
@admin.register(StatementUnSubmitted) @admin.register(StatementUnSubmitted)
class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin): class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin):
fields = ['short_description', 'explanation', 'excursion', 'submitted'] fields = ['short_description', 'explanation', 'excursion', 'submitted']
@ -77,8 +94,8 @@ class StatementUnSubmittedAdmin(CommonAdminMixin, admin.ModelAdmin):
] ]
return custom_urls + urls return custom_urls + urls
def submit_view(self, request, object_id): @decorate_statement_view(Statement)
statement = Statement.objects.get(pk=object_id) def submit_view(self, request, statement):
if statement.submitted: if statement.submitted:
messages.error(request, messages.error(request,
_("%(name)s is already submitted.") % {'name': str(statement)}) _("%(name)s is already submitted.") % {'name': str(statement)})
@ -183,8 +200,8 @@ class StatementSubmittedAdmin(admin.ModelAdmin):
] ]
return custom_urls + urls return custom_urls + urls
def overview_view(self, request, object_id): @decorate_statement_view(StatementSubmitted)
statement = StatementSubmitted.objects.get(pk=object_id) def overview_view(self, request, statement):
if not statement.submitted: if not statement.submitted:
messages.error(request, messages.error(request,
_("%(name)s is not yet submitted.") % {'name': str(statement)}) _("%(name)s is not yet submitted.") % {'name': str(statement)})
@ -259,8 +276,8 @@ class StatementSubmittedAdmin(admin.ModelAdmin):
return render(request, 'admin/overview_submitted_statement.html', context=context) return render(request, 'admin/overview_submitted_statement.html', context=context)
def reduce_transactions_view(self, request, object_id): @decorate_statement_view(StatementSubmitted)
statement = StatementSubmitted.objects.get(pk=object_id) def reduce_transactions_view(self, request, statement):
statement.reduce_transactions() statement.reduce_transactions()
messages.success(request, messages.success(request,
_("Successfully reduced transactions for %(name)s.") % {'name': str(statement)}) _("Successfully reduced transactions for %(name)s.") % {'name': str(statement)})
@ -307,8 +324,8 @@ class StatementConfirmedAdmin(admin.ModelAdmin):
] ]
return custom_urls + urls return custom_urls + urls
def unconfirm_view(self, request, object_id): @decorate_statement_view(StatementConfirmed, perm='finance.may_manage_confirmed_statements')
statement = StatementConfirmed.objects.get(pk=object_id) def unconfirm_view(self, request, statement):
if not statement.confirmed: if not statement.confirmed:
messages.error(request, messages.error(request,
_("%(name)s is not yet confirmed.") % {'name': str(statement)}) _("%(name)s is not yet confirmed.") % {'name': str(statement)})
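Review bot: In `decorate_statement_view`, a supplied `perm` replaces the `has_change_permission` check instead of adding to it, so `unconfirm_view` (decorated with `perm='finance.may_manage_confirmed_statements'`) only tests that one permission and never runs the admin's own change-permission check, including any object-level logic the admin class may implement (not visible here). If the custom permission is meant as an additional requirement, combine the two: `permitted = self.has_change_permission(request, statement) and (not perm or request.user.has_perm(perm))`. If it is meant to be sufficient on its own, a short docstring on the decorator saying so would stop later callers from assuming both checks are enforced. The object is also fetched through `model.objects` rather than the admin's `get_queryset(request)`, so any per-user queryset restriction defined on the admin class is presumably not applied; this is worth confirming. The bodies of the decorated views continue outside the hunks shown.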

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-02-01 21:11+0100\n" "POT-Creation-Date: 2025-04-06 18:46+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -18,6 +18,14 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n" "Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n"
#: finance/admin.py
msgid "Statement not found."
msgstr "Abrechnung nicht gefunden."
#: finance/admin.py
msgid "Insufficient permissions."
msgstr "Unzureichende Berechtigungen."
#: finance/admin.py #: finance/admin.py
#, python-format #, python-format
msgid "%(name)s is already submitted." msgid "%(name)s is already submitted."
