Only allow staff members to manage users.
This commit is contained in:
parent
a4b07c054c
commit
183a30b0a3
|
@ -0,0 +1,14 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
from __future__ import unicode_literals
|
||||||
|
|
||||||
|
from django.contrib.auth.mixins import AccessMixin
|
||||||
|
|
||||||
|
|
||||||
|
class StaffOnlyMixin(AccessMixin):
|
||||||
|
"""
|
||||||
|
Verify the current user is staff.
|
||||||
|
"""
|
||||||
|
def dispatch(self, request, *args, **kwargs):
|
||||||
|
if not request.user.is_staff:
|
||||||
|
return self.handle_no_permission()
|
||||||
|
return super().dispatch(request, *args, **kwargs)
|
|
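Review bot: `return super().dispatch(request, *args, **kwargs)` on the last added line is Python 3-only, while this file's `# -*- coding: utf-8 -*-` header and `from __future__ import unicode_literals` (and the `super(RootRouter, self)` form kept in views.py below) suggest the project still targets Python 2, where the bare `super()` call raises TypeError on every dispatch. If Python 2 is supported, write `return super(StaffOnlyMixin, self).dispatch(request, *args, **kwargs)`; if it is not, the `__future__` import is dead weight. The docstring could also state the contract the code actually implements: a request whose user lacks `is_staff` is sent to `handle_no_permission()`, and the ViewsTestCase hunk expects a 302 for a logged-in non-staff user, i.e. a redirect to the login page rather than a 403 (setting `raise_exception = True` on the mixin would change that to a 403). Note that `is_staff` is Django's admin-site access flag, not a permission on user records, so this mixin gates by role, not by object permission.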
@ -184,10 +184,8 @@
|
||||||
<a href="{% url 'api:api-root' %}"
|
<a href="{% url 'api:api-root' %}"
|
||||||
class="dropdown-item"
|
class="dropdown-item"
|
||||||
target="_blank">API Browser</a>
|
target="_blank">API Browser</a>
|
||||||
{% if perms.admin.add_user %}
|
|
||||||
<a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
|
|
||||||
{% endif %}
|
|
||||||
{% if request.user.is_staff %}
|
{% if request.user.is_staff %}
|
||||||
|
<a href="{% url 'babybuddy:user-list' %}" class="dropdown-item">Users</a>
|
||||||
<a href="{% url 'admin:index' %}"
|
<a href="{% url 'admin:index' %}"
|
||||||
class="dropdown-item"
|
class="dropdown-item"
|
||||||
target="_blank">Backend Admin</a>
|
target="_blank">Backend Admin</a>
|
||||||
|
|
|
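Review bot: The Users link is now shown to every `is_staff` user, but UserAdd, UserUpdate and UserDelete in views.py still require `admin.add_user`/`admin.change_user`/`admin.delete_user`, so a staff account without those permissions sees the link, reaches the list, and is refused on the add/edit/delete pages. Worth a template comment next to the `{% if request.user.is_staff %}` line, e.g. `{# Users link is staff-only; add/change/delete views additionally require admin.* permissions #}`, or guarding the link with the same permission the views check.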
@ -56,6 +56,8 @@ class FormsTestCase(TestCase):
|
||||||
self.assertEqual(page.status_code, 200)
|
self.assertEqual(page.status_code, 200)
|
||||||
|
|
||||||
def test_user_forms(self):
|
def test_user_forms(self):
|
||||||
|
self.user.is_staff = True
|
||||||
|
self.user.save()
|
||||||
self.c.login(**self.credentials)
|
self.c.login(**self.credentials)
|
||||||
|
|
||||||
params = {
|
params = {
|
||||||
|
|
|
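Review bot: The test now grants `is_staff` before logging in, so this hunk only exercises the allowed path; nothing here asserts that a non-staff user is refused by the user forms, which is the behaviour the commit introduces. A short negative case — log in without `is_staff`, POST to the add form, and expect the redirect produced by `StaffOnlyMixin` — would pin it. `test_user_forms` continues beyond the hunk.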
@ -62,6 +62,12 @@ class ViewsTestCase(TestCase):
|
||||||
self.assertEqual(page.status_code, 200)
|
self.assertEqual(page.status_code, 200)
|
||||||
|
|
||||||
def test_user_views(self):
|
def test_user_views(self):
|
||||||
|
# Staff setting is required to access user management.
|
||||||
|
page = self.c.get('/users/')
|
||||||
|
self.assertEqual(page.status_code, 302)
|
||||||
|
self.user.is_staff = True
|
||||||
|
self.user.save()
|
||||||
|
|
||||||
page = self.c.get('/users/')
|
page = self.c.get('/users/')
|
||||||
self.assertEqual(page.status_code, 200)
|
self.assertEqual(page.status_code, 200)
|
||||||
page = self.c.get('/users/add/')
|
page = self.c.get('/users/add/')
|
||||||
|
|
|
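Review bot: The negative case asserts only `status_code == 302` on `/users/`; it neither checks where the redirect goes nor covers `/users/add/` and the update/delete URLs, which received `StaffOnlyMixin` in the same commit. Consider `self.assertRedirects(page, '<login URL>?next=/users/')` (project login URL to be filled in) and repeating the unprivileged GET for the other user URLs before `is_staff` is set, so a regression that only guards the list view is caught. `test_user_views` continues beyond the hunk.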
@ -17,6 +17,7 @@ from django.views.generic.edit import CreateView, UpdateView, DeleteView
|
||||||
from django_filters.views import FilterView
|
from django_filters.views import FilterView
|
||||||
|
|
||||||
from babybuddy import forms
|
from babybuddy import forms
|
||||||
|
from babybuddy.mixins import StaffOnlyMixin
|
||||||
from core import models
|
from core import models
|
||||||
|
|
||||||
|
|
||||||
|
@ -40,16 +41,16 @@ class RootRouter(LoginRequiredMixin, RedirectView):
|
||||||
return super(RootRouter, self).get_redirect_url(self, *args, **kwargs)
|
return super(RootRouter, self).get_redirect_url(self, *args, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
class UserList(PermissionRequiredMixin, FilterView):
|
class UserList(StaffOnlyMixin, FilterView):
|
||||||
model = User
|
model = User
|
||||||
template_name = 'babybuddy/user_list.html'
|
template_name = 'babybuddy/user_list.html'
|
||||||
ordering = 'username'
|
ordering = 'username'
|
||||||
permission_required = ('admin.add_user',)
|
|
||||||
paginate_by = 10
|
paginate_by = 10
|
||||||
filter_fields = ('username', 'first_name', 'last_name', 'email')
|
filter_fields = ('username', 'first_name', 'last_name', 'email')
|
||||||
|
|
||||||
|
|
||||||
class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView):
|
class UserAdd(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
|
||||||
|
CreateView):
|
||||||
model = User
|
model = User
|
||||||
template_name = 'babybuddy/user_form.html'
|
template_name = 'babybuddy/user_form.html'
|
||||||
permission_required = ('admin.add_user',)
|
permission_required = ('admin.add_user',)
|
||||||
|
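Review bot: `UserList` swaps `PermissionRequiredMixin` for `StaffOnlyMixin` and drops `permission_required = ('admin.add_user',)`, whereas `UserAdd`, `UserUpdate` and `UserDelete` (this and the next two hunks) keep both, so any account with `is_staff` — Django's admin-site access flag, not a per-model permission — can now list every user with names and emails. If that is intended, a class comment such as `# Listing users is gated on is_staff only; add/change/delete also require admin.* permissions.` would make it explicit; otherwise keep `PermissionRequiredMixin` on the list view too. Separately, the `admin.add_user`/`admin.change_user`/`admin.delete_user` codenames kept in these three hunks use the `admin` app label rather than `auth`, where Django registers its built-in user permissions; unless the project defines its own `admin.*` permissions, `has_perm` is False for every non-superuser and these views are effectively superuser-only, which is worth confirming against the project's migrations.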
@ -58,7 +59,8 @@ class UserAdd(PermissionRequiredMixin, SuccessMessageMixin, CreateView):
|
||||||
success_message = 'User %(username)s added!'
|
success_message = 'User %(username)s added!'
|
||||||
|
|
||||||
|
|
||||||
class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView):
|
class UserUpdate(StaffOnlyMixin, PermissionRequiredMixin, SuccessMessageMixin,
|
||||||
|
UpdateView):
|
||||||
model = User
|
model = User
|
||||||
template_name = 'babybuddy/user_form.html'
|
template_name = 'babybuddy/user_form.html'
|
||||||
permission_required = ('admin.change_user',)
|
permission_required = ('admin.change_user',)
|
||||||
|
@ -67,7 +69,8 @@ class UserUpdate(PermissionRequiredMixin, SuccessMessageMixin, UpdateView):
|
||||||
success_message = 'User %(username)s updated.'
|
success_message = 'User %(username)s updated.'
|
||||||
|
|
||||||
|
|
||||||
class UserDelete(PermissionRequiredMixin, DeleteView):
|
class UserDelete(StaffOnlyMixin, PermissionRequiredMixin,
|
||||||
|
DeleteView):
|
||||||
model = User
|
model = User
|
||||||
template_name = 'babybuddy/user_confirm_delete.html'
|
template_name = 'babybuddy/user_confirm_delete.html'
|
||||||
permission_required = ('admin.delete_user',)
|
permission_required = ('admin.delete_user',)
|
||||||
|
|