diff --git a/vms/event/views.py b/vms/event/views.py
index 0ac824868..0a7648cf0 100644
--- a/vms/event/views.py
+++ b/vms/event/views.py
@@ -15,6 +15,7 @@ from django.utils.decorators import method_decorator
 from django.shortcuts import render_to_response
 from django.http import Http404
+from volunteer.utils import vol_id_check
 class AdministratorLoginRequiredMixin(object):
@@ -122,6 +123,7 @@ def get_queryset(self):
 @login_required
+@vol_id_check
 def list_sign_up(request, volunteer_id):
 if request.method == 'POST':
 form = EventDateForm(request.POST)
diff --git a/vms/shift/views.py b/vms/shift/views.py
index 479dadd2e..ee9d3c361 100644
--- a/vms/shift/views.py
+++ b/vms/shift/views.py
@@ -18,7 +18,7 @@ from django.views.generic import ListView
 from django.utils.decorators import method_decorator
 from django.core.urlresolvers import reverse_lazy
-
+from volunteer.utils import vol_id_check
 class AdministratorLoginRequiredMixin(object):
@@ -568,6 +568,10 @@ def sign_up(request, shift_id, volunteer_id):
 class ViewHoursView(LoginRequiredMixin, FormView, TemplateView):
 template_name = 'shift/hours_list.html'
+ @method_decorator(vol_id_check)
+ def dispatch(self, *args, **kwargs):
+ return super(ViewHoursView, self).dispatch(*args, **kwargs)
+
 def get_context_data(self, **kwargs):
 context = super(ViewHoursView, self).get_context_data(**kwargs)
 volunteer_id = self.kwargs['volunteer_id']
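Review bot: The new ViewHoursView.dispatch applies `vol_id_check` before calling `super(ViewHoursView, self).dispatch`, so the ownership check runs ahead of whatever LoginRequiredMixin enforces in its own dispatch; if that mixin is what redirects anonymous users to the login page, those users now receive the 403 template instead, because `getattr(request.user, 'volunteer', hasattr(request.user, 'administrator'))` is False for AnonymousUser. The ProfileView and GenerateReportView hunks in vms/volunteer/views.py have the same ordering. A decorator-only fix is to stack `@method_decorator(login_required)` above `@method_decorator(vol_id_check)` on the same dispatch, which keeps the login redirect first. Note too that the decorator's inner function is declared as `wrapped_view(request, volunteer_id)`, so any additional positional or keyword argument reaching `dispatch(*args, **kwargs)` would raise TypeError rather than be forwarded to the view.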
@@ -577,36 +581,15 @@ def get_context_data(self, **kwargs):
 @login_required
+@vol_id_check
 def view_volunteer_shifts(request, volunteer_id):
- user = request.user
- vol = None
-
- try:
- vol = user.volunteer
- except ObjectDoesNotExist:
- pass
+ shift_list = get_unlogged_shifts_by_volunteer_id(volunteer_id)
+ return render(
+ request,
+ 'shift/volunteer_shifts.html',
+ {'shift_list': shift_list, 'volunteer_id': volunteer_id, }
+ )
- # check that a volunteer is logged in
- if vol:
- if volunteer_id:
- volunteer = get_volunteer_by_id(volunteer_id)
- if volunteer:
- user = request.user
- if int(user.volunteer.id) == int(volunteer_id):
- shift_list = get_unlogged_shifts_by_volunteer_id(volunteer_id)
- return render(
- request,
- 'shift/volunteer_shifts.html',
- {'shift_list': shift_list, 'volunteer_id': volunteer_id, }
- )
- else:
- return HttpResponse(status=403)
- else:
- raise Http404
- else:
- raise Http404
- else:
- return HttpResponse(status=403)
 class VolunteerSearchView(AdministratorLoginRequiredMixin, FormView):
diff --git a/vms/vms/templates/vms/no_volunteer_access.html b/vms/vms/templates/vms/no_volunteer_access.html
new file mode 100644
index 000000000..8c13be65b
--- /dev/null
+++ b/vms/vms/templates/vms/no_volunteer_access.html
@@ -0,0 +1,22 @@
+{% extends "vms/base.html" %}
+
+{% load i18n %}
+
+{% block content %}
+
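Review bot: view_volunteer_shifts no longer shows where its access control went; a docstring such as `"""Render the unlogged shifts of volunteer_id; vol_id_check already enforces that the caller is this volunteer or an administrator."""` keeps that visible at the function itself. The decorator passes administrators straight through, so this view is now reachable by an administrator for any volunteer_id, whereas the removed code answered 403 to any user without a volunteer record — presumably the intended widening, but it is not stated anywhere in the hunk. The removed branches were the only visible users of `ObjectDoesNotExist` and `HttpResponse` in this function; their imports sit outside the hunk, so check whether they are still referenced elsewhere in shift/views.py before keeping them.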
+ + {% csrf_token %} +
+
+

{% trans "No Access" %}

+
+
+
+ {% trans "You don't have the necessary rights to access this page." %} +
+
+ +
+
+
+{% endblock %}
diff --git a/vms/volunteer/utils.py b/vms/volunteer/utils.py
new file mode 100644
index 000000000..b1cfabd79
--- /dev/null
+++ b/vms/volunteer/utils.py
@@ -0,0 +1,19 @@
+from functools import wraps
+from django.shortcuts import render
+from django.http import Http404
+from volunteer.services import get_volunteer_by_id
+
+def vol_id_check(func):
+ @wraps(func)
+ def wrapped_view(request, volunteer_id):
+ vol = getattr(request.user, 'volunteer', hasattr(request.user, 'administrator'))
+ if not vol:
+ return render(request, 'vms/no_volunteer_access.html', status=403)
+ elif vol != True:
+ volunteer = get_volunteer_by_id(volunteer_id)
+ if not volunteer:
+ raise Http404
+ if not int(volunteer.id) == vol.id:
+ return render(request, 'vms/no_volunteer_access.html', status=403)
+ return func(request, volunteer_id=volunteer_id)
+ return wrapped_view
diff --git a/vms/volunteer/views.py b/vms/volunteer/views.py
index 0dbb68916..c8086c5bf 100644
--- a/vms/volunteer/views.py
+++ b/vms/volunteer/views.py
@@ -21,7 +21,8 @@ from volunteer.validation import validate_file
 from django.views.generic import View
 from django.core.urlresolvers import reverse_lazy
-
+from django.utils.decorators import method_decorator
+from volunteer.utils import vol_id_check
 @login_required
 def download_resume(request, volunteer_id):
@@ -108,13 +109,15 @@ def form_valid(self, form):
 class ProfileView(LoginRequiredMixin, DetailView):
 template_name = 'volunteer/profile.html'
+ @method_decorator(vol_id_check)
+ def dispatch(self, *args, **kwargs):
+ return super(ProfileView, self).dispatch(*args, **kwargs)
+
 def get_object(self, queryset=None):
 volunteer_id = self.kwargs['volunteer_id']
 obj = Volunteer.objects.get(id=self.kwargs['volunteer_id'])
- if obj:
- return obj
- else:
- return HttpResponse(status=403)
+ return obj
+
 ''' The view generate Report.
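Review bot: In wrapped_view, `elif vol != True:` tells the administrator sentinel apart from a Volunteer instance by value comparison against a bool; `vol is not True` (or a separate `is_admin` flag) states that intent and stops depending on the model's `__eq__`. The administrator path also skips `get_volunteer_by_id`, so an administrator with an unknown volunteer_id is handed to the view instead of getting the 404 the volunteer path raises, and the inner function only accepts `(request, volunteer_id)`, which breaks for any view that receives further URL arguments. The `getattr` default is reached because a missing reverse one-to-one raises Django's RelatedObjectDoesNotExist, an AttributeError subclass; that deserves a comment, as the callers this replaces caught ObjectDoesNotExist explicitly. The decorator also needs a docstring stating its outcomes: the 403 template when the user is neither volunteer nor administrator, 404 when volunteer_id is unknown, the 403 template when a volunteer asks for another volunteer's id, and pass-through for administrators. The rewrite below makes the existence check common to both roles and forwards extra arguments unchanged.
```python
def vol_id_check(func):
    """Restrict a volunteer_id view to that volunteer or an administrator.

    Responds with the no-access template (403) or raises Http404 as described above.
    """
    @wraps(func)
    def wrapped_view(request, volunteer_id, *args, **kwargs):
        # A missing reverse one-to-one raises RelatedObjectDoesNotExist, which is an
        # AttributeError subclass, so the getattr default covers "not a volunteer".
        vol = getattr(request.user, 'volunteer', None)
        is_admin = hasattr(request.user, 'administrator')
        if vol is None and not is_admin:
            return render(request, 'vms/no_volunteer_access.html', status=403)
        volunteer = get_volunteer_by_id(volunteer_id)
        if not volunteer:
            raise Http404
        if vol is not None and int(volunteer.id) != vol.id:
            return render(request, 'vms/no_volunteer_access.html', status=403)
        kwargs['volunteer_id'] = volunteer_id
        return func(request, *args, **kwargs)
    return wrapped_view
```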
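Review bot: ProfileView.get_object now returns `Volunteer.objects.get(id=self.kwargs['volunteer_id'])` unguarded, and vol_id_check only verifies that the id exists on its volunteer branch, so an administrator requesting an unknown volunteer_id raises `Volunteer.DoesNotExist` (a server error) instead of a 404. `return get_object_or_404(Volunteer, id=self.kwargs['volunteer_id'])` closes that, provided `get_object_or_404` is imported from django.shortcuts (the import block is outside this hunk). The dropped `if obj:` / `HttpResponse(status=403)` branch was unreachable anyway, since `.get()` raises rather than returning None, and the local `volunteer_id` assigned on the preceding context line is now unused.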
@@ -123,6 +126,10 @@ def get_object(self, queryset=None):
 class GenerateReportView(LoginRequiredMixin, View):
+ @method_decorator(vol_id_check)
+ def dispatch(self, *args, **kwargs):
+ return super(GenerateReportView, self).dispatch(*args, **kwargs)
+
 def get(self, request, *args, **kwargs):
 view = ShowFormView.as_view()
 return view(request, *args,**kwargs)