dashboard: more strict user profile

8e6400ed · Kálmán Viktor · 84346f55 · 8e6400ed · 8e6400ed
Commit 8e6400ed authored Jun 04, 2014 by Kálmán Viktor
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 17 deletions

circle/dashboard/templates/dashboard/profile.html
+13 -11

circle/dashboard/views.py
+21 -6

No files found.
--- a/circle/dashboard/templates/dashboard/profile.html
+++ b/circle/dashboard/templates/dashboard/profile.html
@@ -35,17 +35,19 @@
          <div class="clearfix"></div>
        </div>
-        <hr />
+        {% if perm_group_list %}
-        <h4>
+          <hr />
-          <i class="icon-group"></i> Groups
+          <h4>
-        </h4>
+            <i class="icon-group"></i> Groups
-        <ul class="dashboard-profile-group-list">
+          </h4>
-        {% for g in groups %}
+          <ul class="dashboard-profile-group-list">
-          <li>{{ g.name }}</li>
+          {% for g in groups %}
-          {% empty %}
+            <li>{{ g.name }}</li>
-          {% trans "This user is not in any group." %}
+            {% empty %}
-        {% endfor %}
+            {% trans "This user is not in any group." %}
-        </ul>
+          {% endfor %}
+          </ul>
+        {% endif %}
        <hr />

--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -2663,12 +2663,9 @@ class ProfileView(DetailView):
        context['instances_owned'] = Instance.get_objects_with_level(
            "owner", self.get_object(), disregard_superuser=True
        ).filter(destroyed_at=None)
-        context['instances_with_access'] = [
+        context['instances_with_access'] = Instance.get_objects_with_level(
-            inst for inst in Instance.get_objects_with_level(
+            "user", self.get_object(), disregard_superuser=True
-                "user", self.get_object(), disregard_superuser=True
+        ).filter(destroyed_at=None).exclude(pk__in=context['instances_owned'])
-            ).filter(destroyed_at=None)
-            if inst not in context['instances_owned']
-        ]
        group_profiles = GroupProfile.get_objects_with_level(
            "operator", self.request.user)
@@ -2677,6 +2674,24 @@ class ProfileView(DetailView):
            g for g in self.get_object().groups.all() if g in groups
        ]
+        # permissions
+        # show groups only if the user is superuser, or have access
+        # to any of the groups the user belongs to
+        context['perm_group_list'] = (
+            self.request.user.is_superuser or len(context['groups']) > 0)
+        # filter the virtual machine list
+        # if the logged in user is not superuser or not the user itself
+        # filter the list so only those virtual machines are shown that are
+        # originated from templates the logged in user is operator or higher
+        if (not (self.request.user.is_superuser
+                 or self.request.user == self.get_object())):
+            it = InstanceTemplate.get_objects_with_level("operator",
+                                                         self.request.user)
+            context['instances_owned'] = context['instances_owned'].filter(
+                template__in=it)
+            context['instances_with_access'] = context[
+                'instances_with_access'].filter(template__in=it)
        return context
    def get_avatar_url(self):