Commit 6116fd30 by Bach Dániel

Merge branch 'fix-lease-template' into 'master'

Fix lease/template

No more uhoh, if no permission to delete the template/lease.

Also fixed up Lease create (the user who created the lease didn't become owner), also removed all superuser mixins from lease views, cause they have ACL now.

See merge request !244
parents 645ad6a0 931ef81c
...@@ -2,7 +2,7 @@ $(function() { ...@@ -2,7 +2,7 @@ $(function() {
/* for template removes buttons */ /* for template removes buttons */
$('.template-delete').click(function() { $('.template-delete').click(function() {
var template_pk = $(this).data('template-pk'); var template_pk = $(this).data('template-pk');
addModalConfirmation(deleteTemplate, addModalConfirmationOrDisplayMessage(deleteTemplate,
{ 'url': '/dashboard/template/delete/' + template_pk + '/', { 'url': '/dashboard/template/delete/' + template_pk + '/',
'data': [], 'data': [],
'template_pk': template_pk, 'template_pk': template_pk,
...@@ -13,7 +13,7 @@ $(function() { ...@@ -13,7 +13,7 @@ $(function() {
/* for lease removes buttons */ /* for lease removes buttons */
$('.lease-delete').click(function() { $('.lease-delete').click(function() {
var lease_pk = $(this).data('lease-pk'); var lease_pk = $(this).data('lease-pk');
addModalConfirmation(deleteLease, addModalConfirmationOrDisplayMessage(deleteLease,
{ 'url': '/dashboard/lease/delete/' + lease_pk + '/', { 'url': '/dashboard/lease/delete/' + lease_pk + '/',
'data': [], 'data': [],
'lease_pk': lease_pk, 'lease_pk': lease_pk,
...@@ -81,3 +81,29 @@ function deleteLease(data) { ...@@ -81,3 +81,29 @@ function deleteLease(data) {
} }
}); });
} }
function addModalConfirmationOrDisplayMessage(func, data) {
$.ajax({
type: 'GET',
url: data['url'],
data: jQuery.param(data['data']),
success: function(result) {
$('body').append(result);
$('#confirmation-modal').modal('show');
$('#confirmation-modal').on('hidden.bs.modal', function() {
$('#confirmation-modal').remove();
});
$('#confirmation-modal-button').click(function() {
func(data);
$('#confirmation-modal').modal('hide');
});
},
error: function(xhr, textStatus, error) {
if(xhr.status === 403) {
addMessage(gettext("Only the owners can delete the selected object."), "warning");
} else {
addMessage(gettext("An error occurred. (") + xhr.status + ")", 'danger')
}
}
});
}
...@@ -11,7 +11,9 @@ ...@@ -11,7 +11,9 @@
<div class="col-md-7"> <div class="col-md-7">
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading"> <div class="panel-heading">
<a class="pull-right btn btn-default btn-xs" href="{% url "dashboard.views.template-list" %}">{% trans "Back" %}</a> <a class="pull-right btn btn-default btn-xs" href="{% url "dashboard.views.template-list" %}">
{% trans "Back" %}
</a>
<h3 class="no-margin"><i class="fa fa-puzzle-piece"></i> {% trans "Edit template" %}</h3> <h3 class="no-margin"><i class="fa fa-puzzle-piece"></i> {% trans "Edit template" %}</h3>
</div> </div>
<div class="panel-body"> <div class="panel-body">
...@@ -65,6 +67,18 @@ ...@@ -65,6 +67,18 @@
</div> </div>
<div class="col-md-5"> <div class="col-md-5">
{% if is_owner %}
<div class="panel panel-default">
<div class="panel-heading">
<a href="{% url "dashboard.views.template-delete" pk=object.pk %}"
class="btn btn-xs btn-danger pull-right">
{% trans "Delete" %}
</a>
<h4 class="no-margin"><i class="fa fa-times"></i> {% trans "Delete template" %}</h4>
</div>
</div>
{% endif %}
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading"> <div class="panel-heading">
<h4 class="no-margin"><i class="fa fa-group"></i> {% trans "Manage access" %}</h4> <h4 class="no-margin"><i class="fa fa-group"></i> {% trans "Manage access" %}</h4>
......
...@@ -299,7 +299,7 @@ class VmDetailTest(LoginMixin, TestCase): ...@@ -299,7 +299,7 @@ class VmDetailTest(LoginMixin, TestCase):
leases = Lease.objects.count() leases = Lease.objects.count()
response = c.post("/dashboard/lease/delete/1/") response = c.post("/dashboard/lease/delete/1/")
# redirect to the login page # redirect to the login page
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 403)
self.assertEqual(leases, Lease.objects.count()) self.assertEqual(leases, Lease.objects.count())
def test_notification_read(self): def test_notification_read(self):
......
...@@ -32,7 +32,7 @@ from django.views.generic import ( ...@@ -32,7 +32,7 @@ from django.views.generic import (
) )
from braces.views import ( from braces.views import (
LoginRequiredMixin, PermissionRequiredMixin, SuperuserRequiredMixin, LoginRequiredMixin, PermissionRequiredMixin,
) )
from django_tables2 import SingleTableView from django_tables2 import SingleTableView
...@@ -240,6 +240,16 @@ class TemplateDelete(LoginRequiredMixin, DeleteView): ...@@ -240,6 +240,16 @@ class TemplateDelete(LoginRequiredMixin, DeleteView):
else: else:
return ['dashboard/confirm/base-delete.html'] return ['dashboard/confirm/base-delete.html']
def get(self, request, *args, **kwargs):
if not self.get_object().has_level(request.user, "owner"):
message = _("Only the owners can delete the selected template.")
if request.is_ajax():
raise PermissionDenied()
else:
messages.warning(request, message)
return redirect(self.get_success_url())
return super(TemplateDelete, self).get(request, *args, **kwargs)
def delete(self, request, *args, **kwargs): def delete(self, request, *args, **kwargs):
object = self.get_object() object = self.get_object()
if not object.has_level(request.user, 'owner'): if not object.has_level(request.user, 'owner'):
...@@ -382,13 +392,17 @@ class LeaseCreate(LoginRequiredMixin, PermissionRequiredMixin, ...@@ -382,13 +392,17 @@ class LeaseCreate(LoginRequiredMixin, PermissionRequiredMixin,
def get_success_url(self): def get_success_url(self):
return reverse_lazy("dashboard.views.template-list") return reverse_lazy("dashboard.views.template-list")
def form_valid(self, form):
retval = super(LeaseCreate, self).form_valid(form)
self.object.set_level(self.request.user, "owner")
return retval
class LeaseAclUpdateView(AclUpdateView): class LeaseAclUpdateView(AclUpdateView):
model = Lease model = Lease
class LeaseDetail(LoginRequiredMixin, SuperuserRequiredMixin, class LeaseDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
SuccessMessageMixin, UpdateView):
model = Lease model = Lease
form_class = LeaseForm form_class = LeaseForm
template_name = "dashboard/lease-edit.html" template_name = "dashboard/lease-edit.html"
...@@ -404,8 +418,21 @@ class LeaseDetail(LoginRequiredMixin, SuperuserRequiredMixin, ...@@ -404,8 +418,21 @@ class LeaseDetail(LoginRequiredMixin, SuperuserRequiredMixin,
def get_success_url(self): def get_success_url(self):
return reverse_lazy("dashboard.views.lease-detail", kwargs=self.kwargs) return reverse_lazy("dashboard.views.lease-detail", kwargs=self.kwargs)
def get(self, request, *args, **kwargs):
if not self.get_object().has_level(request.user, "owner"):
message = _("Only the owners can modify the selected lease.")
messages.warning(request, message)
return redirect(reverse_lazy("dashboard.views.template-list"))
return super(LeaseDetail, self).get(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
if not self.get_object().has_level(request.user, "owner"):
raise PermissionDenied()
return super(LeaseDetail, self).post(request, *args, **kwargs)
class LeaseDelete(LoginRequiredMixin, SuperuserRequiredMixin, DeleteView): class LeaseDelete(LoginRequiredMixin, DeleteView):
model = Lease model = Lease
def get_success_url(self): def get_success_url(self):
...@@ -431,10 +458,22 @@ class LeaseDelete(LoginRequiredMixin, SuperuserRequiredMixin, DeleteView): ...@@ -431,10 +458,22 @@ class LeaseDelete(LoginRequiredMixin, SuperuserRequiredMixin, DeleteView):
c['disable_submit'] = True c['disable_submit'] = True
return c return c
def get(self, request, *args, **kwargs):
if not self.get_object().has_level(request.user, "owner"):
message = _("Only the owners can delete the selected lease.")
if request.is_ajax():
raise PermissionDenied()
else:
messages.warning(request, message)
return redirect(self.get_success_url())
return super(LeaseDelete, self).get(request, *args, **kwargs)
def delete(self, request, *args, **kwargs): def delete(self, request, *args, **kwargs):
object = self.get_object() object = self.get_object()
if (object.instancetemplate_set.count() > 0): if not object.has_level(request.user, "owner"):
raise PermissionDenied()
if object.instancetemplate_set.count() > 0:
raise SuspiciousOperation() raise SuspiciousOperation()
object.delete() object.delete()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment