Merge branch 'fix-lease-template' into 'master'

Fix lease/template No more uhoh, if no permission to delete the template/lease. Also fixed up Lease create (the user who created the lease didn't become owner), also removed all superuser mixins from lease views, cause they have ACL now. See merge request !244

Merge branch 'fix-lease-template' into 'master'
Fix lease/template No more uhoh, if no permission to delete the template/lease. Also fixed up Lease create (the user who created the lease didn't become owner), also removed all superuser mixins from lease views, cause they have ACL now. See merge request !244
6116fd30 · Bach Dániel · 645ad6a0 · 931ef81c · 6116fd30 · 6116fd30
Commit 6116fd30 authored Oct 20, 2014 by Bach Dániel
Showing with 88 additions and 9 deletions

circle/dashboard/static/dashboard/template-list.js
+28 -2

circle/dashboard/templates/dashboard/template-edit.html
+15 -1

circle/dashboard/tests/test_views.py
+1 -1

circle/dashboard/views/template.py
+44 -5

No files found.
--- a/circle/dashboard/static/dashboard/template-list.js
+++ b/circle/dashboard/static/dashboard/template-list.js
@@ -2,7 +2,7 @@ $(function() {
  /* for template removes buttons */
  $('.template-delete').click(function() {
    var template_pk = $(this).data('template-pk');
-    addModalConfirmation(deleteTemplate,
+    addModalConfirmationOrDisplayMessage(deleteTemplate,
      { 'url': '/dashboard/template/delete/' + template_pk + '/',
        'data': [],
        'template_pk': template_pk,
@@ -13,7 +13,7 @@ $(function() {
  /* for lease removes buttons */
  $('.lease-delete').click(function() {
    var lease_pk = $(this).data('lease-pk');
-    addModalConfirmation(deleteLease,
+    addModalConfirmationOrDisplayMessage(deleteLease,
      { 'url': '/dashboard/lease/delete/' + lease_pk + '/',
        'data': [],
        'lease_pk': lease_pk,
@@ -81,3 +81,29 @@ function deleteLease(data) {
    }
  });
 }
+function addModalConfirmationOrDisplayMessage(func, data) {
+  $.ajax({
+    type: 'GET',
+    url: data['url'],
+    data: jQuery.param(data['data']),
+    success: function(result) {
+      $('body').append(result);
+      $('#confirmation-modal').modal('show');
+      $('#confirmation-modal').on('hidden.bs.modal', function() {
+        $('#confirmation-modal').remove();
+      });
+      $('#confirmation-modal-button').click(function() {
+        func(data);
+        $('#confirmation-modal').modal('hide');
+      });
+    },
+    error: function(xhr, textStatus, error) {
+      if(xhr.status === 403) {
+        addMessage(gettext("Only the owners can delete the selected object."), "warning");
+      } else {
+        addMessage(gettext("An error occurred. (") + xhr.status + ")", 'danger')
+      }
+    }
+  });
+}
--- a/circle/dashboard/templates/dashboard/template-edit.html
+++ b/circle/dashboard/templates/dashboard/template-edit.html
@@ -11,7 +11,9 @@
  <div class="col-md-7">
    <div class="panel panel-default">
      <div class="panel-heading">
-        <a class="pull-right btn btn-default btn-xs" href="{% url "dashboard.views.template-list" %}">{% trans "Back" %}</a>
+        <a class="pull-right btn btn-default btn-xs" href="{% url "dashboard.views.template-list" %}">
+          {% trans "Back" %}
+        </a>
        <h3 class="no-margin"><i class="fa fa-puzzle-piece"></i> {% trans "Edit template" %}</h3>
      </div>
      <div class="panel-body">
@@ -65,6 +67,18 @@
  </div>
  <div class="col-md-5">
+    {% if is_owner %}
+    <div class="panel panel-default">
+      <div class="panel-heading">
+        <a href="{% url "dashboard.views.template-delete" pk=object.pk %}" 
+         class="btn btn-xs btn-danger pull-right">
+          {% trans "Delete" %}
+        </a>
+        <h4 class="no-margin"><i class="fa fa-times"></i> {% trans "Delete template"  %}</h4>
+      </div>
+    </div>
+    {% endif %}
    <div class="panel panel-default">
      <div class="panel-heading">
        <h4 class="no-margin"><i class="fa fa-group"></i> {% trans "Manage access"  %}</h4>

--- a/circle/dashboard/tests/test_views.py
+++ b/circle/dashboard/tests/test_views.py
@@ -299,7 +299,7 @@ class VmDetailTest(LoginMixin, TestCase):
        leases = Lease.objects.count()
        response = c.post("/dashboard/lease/delete/1/")
        # redirect to the login page
-        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.status_code, 403)
        self.assertEqual(leases, Lease.objects.count())
    def test_notification_read(self):

--- a/circle/dashboard/views/template.py
+++ b/circle/dashboard/views/template.py
@@ -32,7 +32,7 @@ from django.views.generic import (
 )
 from braces.views import (
-    LoginRequiredMixin, PermissionRequiredMixin, SuperuserRequiredMixin,
+    LoginRequiredMixin, PermissionRequiredMixin,
 )
 from django_tables2 import SingleTableView
@@ -240,6 +240,16 @@ class TemplateDelete(LoginRequiredMixin, DeleteView):
        else:
            return ['dashboard/confirm/base-delete.html']
+    def get(self, request, *args, **kwargs):
+        if not self.get_object().has_level(request.user, "owner"):
+            message = _("Only the owners can delete the selected template.")
+            if request.is_ajax():
+                raise PermissionDenied()
+            else:
+                messages.warning(request, message)
+                return redirect(self.get_success_url())
+        return super(TemplateDelete, self).get(request, *args, **kwargs)
    def delete(self, request, *args, **kwargs):
        object = self.get_object()
        if not object.has_level(request.user, 'owner'):
@@ -382,13 +392,17 @@ class LeaseCreate(LoginRequiredMixin, PermissionRequiredMixin,
    def get_success_url(self):
        return reverse_lazy("dashboard.views.template-list")
+    def form_valid(self, form):
+        retval = super(LeaseCreate, self).form_valid(form)
+        self.object.set_level(self.request.user, "owner")
+        return retval
 class LeaseAclUpdateView(AclUpdateView):
    model = Lease
-class LeaseDetail(LoginRequiredMixin, SuperuserRequiredMixin,
+class LeaseDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
-                  SuccessMessageMixin, UpdateView):
    model = Lease
    form_class = LeaseForm
    template_name = "dashboard/lease-edit.html"
@@ -404,8 +418,21 @@ class LeaseDetail(LoginRequiredMixin, SuperuserRequiredMixin,
    def get_success_url(self):
        return reverse_lazy("dashboard.views.lease-detail", kwargs=self.kwargs)
+    def get(self, request, *args, **kwargs):
+        if not self.get_object().has_level(request.user, "owner"):
+            message = _("Only the owners can modify the selected lease.")
+            messages.warning(request, message)
+            return redirect(reverse_lazy("dashboard.views.template-list"))
+        return super(LeaseDetail, self).get(request, *args, **kwargs)
+    def post(self, request, *args, **kwargs):
+        if not self.get_object().has_level(request.user, "owner"):
+            raise PermissionDenied()
+        return super(LeaseDetail, self).post(request, *args, **kwargs)
-class LeaseDelete(LoginRequiredMixin, SuperuserRequiredMixin, DeleteView):
+class LeaseDelete(LoginRequiredMixin, DeleteView):
    model = Lease
    def get_success_url(self):
@@ -431,10 +458,22 @@ class LeaseDelete(LoginRequiredMixin, SuperuserRequiredMixin, DeleteView):
            c['disable_submit'] = True
        return c
+    def get(self, request, *args, **kwargs):
+        if not self.get_object().has_level(request.user, "owner"):
+            message = _("Only the owners can delete the selected lease.")
+            if request.is_ajax():
+                raise PermissionDenied()
+            else:
+                messages.warning(request, message)
+                return redirect(self.get_success_url())
+        return super(LeaseDelete, self).get(request, *args, **kwargs)
    def delete(self, request, *args, **kwargs):
        object = self.get_object()
-        if (object.instancetemplate_set.count() > 0):
+        if not object.has_level(request.user, "owner"):
+            raise PermissionDenied()
+        if object.instancetemplate_set.count() > 0:
            raise SuspiciousOperation()
        object.delete()