members: make some fields only changeable with extra permissions

1 year ago · 3a862469ee
parent a225af5905
commit 3a862469ee
2 changed files with 40 additions and 10 deletions
--- a/jdav_web/contrib/admin.py
+++ b/jdav_web/contrib/admin.py
@ -13,17 +13,37 @@ from rules.permissions import perm_exists


 class FieldPermissionsAdminMixin:
-    field_permissions = {}
+    field_change_permissions = {}
+    field_view_permissions = {}
+
+    def may_view_field(self, field_desc, request, obj=None):
+        if not type(field_desc) is tuple:
+            field_desc = (field_desc,)
+        for fd in field_desc:
+            if fd not in self.field_view_permissions:
+                continue
+            if not request.user.has_perm(self.field_view_permissions[fd], obj):
+                return False
+        return True
+
+    def get_fieldsets(self, request, obj=None):
+        fieldsets = super(FieldPermissionsAdminMixin, self).get_fieldsets(request, obj)
+        d = []
+        for title, attrs in fieldsets:
+            allowed = [f for f in attrs['fields'] if self.may_view_field(f, request, obj)]
+            if len(allowed) == 0:
+                continue
+            d.append((title, dict(attrs, **{'fields': allowed})))
+        return d

    def get_fields(self, request, obj=None):
        fields = super(FieldPermissionsAdminMixin, self).get_fields(request, obj)
+        return [fd for fd in fields if self.may_view_field(fd, request, obj)]

-        def may_field(field):
-            if field not in self.field_permissions:
-                return True
-            return request.user.has_perm(self.field_permissions[field], obj)
-
-        return list(filter(may_field, fields))
+    def get_readonly_fields(self, request, obj=None):
+        readonly_fields = super(FieldPermissionsAdminMixin, self).get_readonly_fields(request, obj)
+        return list(readonly_fields) +\
+            [fd for fd, perm in self.field_change_permissions.items() if not request.user.has_perm(perm, obj)]


 class ChangeViewAdminMixin:
--- a/jdav_web/members/admin.py
+++ b/jdav_web/members/admin.py
@ -216,9 +216,19 @@ class MemberAdmin(CommonAdminMixin, admin.ModelAdmin):

    sensitive_fields = ['iban', 'registration_form', 'comments']

-    field_permissions = {
+    field_view_permissions = {
        'user': 'members.may_set_auth_user',
-        'group': 'members.may_change_group'
+        'good_conduct_certificate_presented_date': 'members.may_change_organizationals',
+        'has_key': 'members.may_change_organizationals',
+        'has_free_ticket_gym': 'members.may_change_organizationals',
+    }
+
+    field_change_permissions = {
+        'user': 'members.may_set_auth_user',
+        'group': 'members.may_change_group',
+        'good_conduct_certificate_presented_date': 'members.may_change_organizationals',
+        'has_key': 'members.may_change_organizationals',
+        'has_free_ticket_gym': 'members.may_change_organizationals',
    }

    def get_queryset(self, request):
@ -410,7 +420,7 @@ class MemberWaitingListAdmin(CommonAdminMixin, admin.ModelAdmin):
    search_fields = ('prename', 'lastname', 'email')
    list_filter = ('confirmed_mail',)
    actions = ['ask_for_registration', 'ask_for_wait_confirmation']
-    readonly_fields= ('invited_for_group', 'application_date')
+    readonly_fields= ['invited_for_group', 'application_date']

    def has_add_permission(self, request, obj=None):
        return False