

Stop volunteers from accessing admin urls.
Fixes #325
necessary129 authored and kriti21 committed Feb 12, 2018
1 parent e73efc9 commit d899878
Showing 6 changed files with 36 additions and 18 deletions.
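--- a/vms/administrator/utils.py
+++ b/vms/administrator/utils.py
@@ -0,0 +1,11 @@
+from functools import wraps
+from django.shortcuts import render
+
+def admin_required(func):
+@wraps(func)
+def wrapped_view(request, *args, **kwargs):
+admin = hasattr(request.user, 'administrator')
+if not admin:
+return render(request, 'vms/no_admin_rights.html', status=403)
+return func(request, *args, **kwargs)
+return wrapped_view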
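Review bot: `admin_required` does not check authentication on its own: an anonymous request has no `administrator` attribute on `request.user`, so the `hasattr` test at line 24 sends the 403 page instead of redirecting to login. Both use sites in this commit (`settings` in vms/administrator/views.py and `search` in vms/volunteer/views.py) stack it beneath `@login_required`, which is what makes it safe, but that ordering is an unstated contract that the next caller can easily get backwards. Add a docstring to `admin_required` stating it: `"""Render the no-rights page with 403 unless request.user has a related Administrator. Apply beneath login_required: anonymous users are denied here, not redirected."""`. Alternatively fold the contract into the decorator by returning `login_required(wrapped_view)` instead of `wrapped_view`, which needs `from django.contrib.auth.decorators import login_required` in this new file.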
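--- a/vms/administrator/views.py
+++ b/vms/administrator/views.py
@@ -13,21 +13,17 @@
 from django.views.generic.edit import FormView, UpdateView
 from django.views.generic import View
 from administrator.models import Administrator
+from administrator.utils import admin_required
 from django.utils.decorators import method_decorator
 
 
 class AdministratorLoginRequiredMixin(object):
 
 @method_decorator(login_required)
 def dispatch(self, request, *args, **kwargs):
-user = request.user
-admin = None
-try:
-admin = user.administrator
-except ObjectDoesNotExist:
-pass
+admin = hasattr(request.user, 'administrator')
 if not admin:
-return render(request, 'vms/no_admin_rights.html')
+return render(request, 'vms/no_admin_rights.html', status=403)
 else:
 return super(AdministratorLoginRequiredMixin, self).dispatch(request, *args, **kwargs)
 
@@ -81,14 +77,6 @@ def post(self, request, *args, **kwargs):
 
 
 @login_required
+@admin_required
 def settings(request):
-user = request.user
-admin = None
-try:
-admin = user.administrator
-except ObjectDoesNotExist:
-pass
-if not admin:
-return HttpResponse(status=403)
-
 return HttpResponseRedirect(reverse('event:list'))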
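Review bot: `AdministratorLoginRequiredMixin.dispatch` in the first hunk now re-implements exactly the check that the new `admin_required` decorator performs, which leaves two copies of the authorization decision to drift apart. Since the hunk already imports both `admin_required` and `method_decorator`, the body can collapse to the decorator: `@method_decorator(login_required)` / `@method_decorator(admin_required)` / `def dispatch(self, request, *args, **kwargs): return super(AdministratorLoginRequiredMixin, self).dispatch(request, *args, **kwargs)`. The `ObjectDoesNotExist` name used by the removed try/except blocks is imported outside this hunk; if nothing else in the file still references it, that import is now dead and should go.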
3 changes: 1 addition & 2 deletions vms/event/views.py
Expand Up @@ -16,7 +16,6 @@
from django.shortcuts import render_to_response
from django.http import Http404


class AdministratorLoginRequiredMixin(object):

@method_decorator(login_required)
Expand Down Expand Up @@ -112,7 +111,7 @@ def post(self, request, *args, **kwargs):
return render(request, 'event/edit.html', {'form': form,})


class EventListView(LoginRequiredMixin, ListView):
class EventListView(LoginRequiredMixin, AdministratorLoginRequiredMixin, ListView):
model_form = Event
template_name = "event/list.html"

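Review bot: `EventListView` in the second hunk now gains the event app's own `AdministratorLoginRequiredMixin`, declared at line 79 of this section with its `dispatch` body outside the hunk. The administrator app's copy of that same class was changed in this commit to answer with `status=403`, so this copy should be checked for parity; otherwise a volunteer requesting the event list would still get a 200 carrying the no-rights template, which status-code based tests and monitoring will not notice. Longer term the mixin duplicated across the two apps could be replaced by a single class built on `admin_required` through `method_decorator`, so the admin check lives in one place. The first hunk only drops a blank line.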
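--- a/vms/registration/utils.py
+++ b/vms/registration/utils.py
@@ -0,0 +1,12 @@
+from functools import wraps
+from django.shortcuts import render
+
+def volunteer_denied(func):
+@wraps(func)
+def wrapper(request, *args, **kwargs):
+if request.user.is_authenticated():
+if not hasattr(request.user, 'administrator'):
+return render(request, 'vms/no_admin_rights.html', status=403)
+return func(request, *args, **kwargs)
+return wrapper
+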
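Review bot: `volunteer_denied` deliberately lets anonymous requests through (only authenticated users without an `administrator` attribute are refused at lines 101–103), and that is the non-obvious part of the decorator, yet it is undocumented; a later reader may take the outer `is_authenticated()` test for an oversight and tighten it, locking new administrators out of signup. Add a docstring such as `"""Refuse authenticated users that have no Administrator record (403); anonymous users pass through so that signup stays reachable."""`. `is_authenticated()` is invoked as a method, which matches the pre-2.0 Django this code targets (the commit still imports `django.core.urlresolvers`) but raises on Django 2.0, where it became a property. The `hasattr(request.user, 'administrator')` test is the same one `admin_required` in vms/administrator/utils.py makes; a shared `is_administrator(user)` helper would keep the two decision points from diverging.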

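--- a/vms/registration/views.py
+++ b/vms/registration/views.py
@@ -6,6 +6,7 @@
 from django.views.generic.edit import FormView
 from django.views.generic import TemplateView
 from django.core.urlresolvers import reverse_lazy
+from django.utils.decorators import method_decorator
 from administrator.forms import AdministratorForm
 from organization.services import (get_organizations_ordered_by_name,
 get_organization_by_id)
@@ -14,6 +15,7 @@
 from registration.forms import UserForm
 from registration.phone_validate import validate_phone
 from administrator.models import *
+from registration.utils import volunteer_denied
 
 
 class AdministratorSignupView(TemplateView):
@@ -30,6 +32,10 @@ class AdministratorSignupView(TemplateView):
 organization_list = get_organizations_ordered_by_name()
 phone_error = False
 
+@method_decorator(volunteer_denied)
+def dispatch(self, *args, **kwargs):
+return super(AdministratorSignupView, self).dispatch(*args, **kwargs)
+
 def get(self, request):
 user_form = UserForm(prefix="usr")
 administrator_form = AdministratorForm(prefix="admin")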
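Review bot: The `dispatch` override in the third hunk exists only to host `volunteer_denied`, and it drops the explicit `request` parameter that the other `dispatch` override in this commit (vms/administrator/views.py) keeps; it still works because `method_decorator` binds `self` first and hands `volunteer_denied` the request as its leading positional argument, but that detail is worth a comment above the decorator, e.g. `# method_decorator binds self, so volunteer_denied receives request as its first argument`. If the project is on Django 1.9 or later, the override can go entirely: `@method_decorator(volunteer_denied, name='dispatch')` on the class line does the same thing.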
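--- a/vms/volunteer/views.py
+++ b/vms/volunteer/views.py
@@ -10,6 +10,7 @@
 from django.views.generic.detail import DetailView
 from django.views.generic import ListView
 from braces.views import LoginRequiredMixin, AnonymousRequiredMixin
+from administrator.utils import admin_required
 from organization.services import *
 from shift.services import *
 from event.services import get_signed_up_events_for_volunteer
@@ -162,6 +163,7 @@ def post(self, request, *args, **kwargs):
 'job_list': job_list, 'event_list': event_list, 'selected_event': event_name,
 'selected_job': job_name})
 @login_required
+@admin_required
 def search(request):
 if request.method == 'POST':
 form = SearchVolunteerForm(request.POST)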
