author | Étienne Loks <etienne.loks@iggdrasil.net> | 2018-04-19 18:22:21 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2018-06-12 08:43:31 +0200 |
commit | 22db3f5104646251bc22bef1daa3dbe16c81c5ff (patch) | |
tree | bc1e1f4349a10489a489a5b52d515c196d20fda9 /ishtar_common | |
parent | 56648473d068541fe4e0693ea277ea07527de4e9 (diff) | |
Manage own permissions with areas for operations
Diffstat (limited to 'ishtar_common')
-rw-r--r-- | ishtar_common/models.py | 16 | ||||
-rw-r--r-- | ishtar_common/tests.py | 4 | ||||
-rw-r--r-- | ishtar_common/utils.py | 2 | ||||
-rw-r--r-- | ishtar_common/wizards.py | 18 |
4 files changed, 31 insertions, 9 deletions
diff --git a/ishtar_common/models.py b/ishtar_common/models.py index 67c4422f6..2ebe07961 100644 --- a/ishtar_common/models.py +++ b/ishtar_common/models.py @@ -2693,6 +2693,15 @@ class UserProfile(models.Model): [unicode(area) for area in self.areas.all()])) @property + def query_towns(self): + return Town.objects.filter( + Q(areas__profiles=self) | Q(areas__parent__profiles=self) | + Q(areas__parent__parent__profiles=self) | + Q(areas__parent__parent__parent__profiles=self) | + Q(areas__parent__parent__parent__parent__profiles=self) + ) + + @property def area_labels(self): return u", ".join([unicode(area) for area in self.areas.all()]) @@ -2743,6 +2752,10 @@ class IshtarUser(FullSearch): return u"" return unicode(profile) + @property + def current_profile(self): + return self.person.current_profile + @classmethod def set_superuser(cls, user): q = cls.objects.filter(user_ptr=user) @@ -3141,7 +3154,8 @@ m2m_changed.connect(town_child_changed, sender=Town.children.through) class Area(HierarchicalType): - towns = models.ManyToManyField(Town, verbose_name=_(u"Towns"), blank=True) + towns = models.ManyToManyField(Town, verbose_name=_(u"Towns"), blank=True, + related_name='areas') parent = models.ForeignKey( 'self', blank=True, null=True, verbose_name=_(u"Parent"), help_text=_(u"Only four level of parent are managed.") diff --git a/ishtar_common/tests.py b/ishtar_common/tests.py index 4ee47d723..0d606476d 100644 --- a/ishtar_common/tests.py +++ b/ishtar_common/tests.py @@ -79,9 +79,7 @@ def create_superuser(): return username, password, user -def create_user(): - username = 'username678' - password = 'dcbqj756aaa456!@%' +def create_user(username='username678', password='dcbqj756aaa456!@%'): q = User.objects.filter(username=username) if q.count(): return username, password, q.all()[0] diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py index b03e794d0..01b35dcef 100644 --- a/ishtar_common/utils.py +++ b/ishtar_common/utils.py 
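Review bot: The queryset returned by `query_towns` can contain the same town several times, because each `Q` branch joins through the many-to-many `areas` relation and a town attached to two matching areas (or to an area and its parent) matches more than once. Ending the expression with `.distinct()` would make counts and slices on this property reliable, which matters if it ends up deciding which operations a profile may treat as its own. The lookup also stops at four parent levels, which agrees with the `help_text` on `Area.parent` in the last hunk of this file, and a docstring such as `"""Towns attached to this profile's areas or to their sub-areas, down to four levels."""` would record that limit where it is enforced. The `UserProfile` class starts and ends outside the hunk.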
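Review bot: Adding `related_name='areas'` to `Area.towns` renames the reverse accessor on `Town` from the default `area_set` to `areas`, so any existing code or template still using `area_set` would fail after this change; such callers are not visible here and should be checked. Django also records `related_name` in the field state, and no migration file appears in the diffstat for `ishtar_common`, so a generated migration may still be missing from this commit. The `Area` class continues outside the hunk.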
@@ -381,7 +381,7 @@ def put_session_message(session_key, message, message_type): messages = [] if 'messages' in session: messages = session['messages'][:] - messages.append((message, message_type)) + messages.append((unicode(message), message_type)) session['messages'] = messages session.save() diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py index 5f3da1130..9e77a0dda 100644 --- a/ishtar_common/wizards.py +++ b/ishtar_common/wizards.py @@ -43,7 +43,8 @@ from django.utils.safestring import mark_safe from ishtar_common import models from ishtar_common.forms import CustomForm, reverse_lazy -from ishtar_common.utils import get_all_field_names, MultiValueDict +from ishtar_common.utils import get_all_field_names, MultiValueDict, \ + put_session_message logger = logging.getLogger(__name__) @@ -69,6 +70,11 @@ def check_rights(rights=[], redirect_url='/'): request.session): kwargs['current_right'] = right return view_func(request, *args, **kwargs) + put_session_message( + request.session.session_key, + _(u"You don't have sufficient permissions to do this action."), + 'warning' + ) return HttpResponseRedirect(redirect_url) return _wrapped_view return decorator @@ -110,6 +116,8 @@ def _check_right(step, condition=True): def filter_no_fields_form(form, other_check=None): def func(self): + if not hasattr(self.request.user, 'ishtaruser'): + return False if issubclass(form, CustomForm): enabled, exc = form.check_availability_and_excluded_fields( self.request.user.ishtaruser) 
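Review bot: `request.session.session_key` can be `None` in the `put_session_message(...)` call added to `check_rights`, since Django only assigns a key once the session has been saved, and this branch is the one reached by requests that failed the rights check. `put_session_message` is only partly visible in this commit, so how it treats a missing key should be confirmed. Saving first, `if not request.session.session_key: request.session.save()`, would guarantee the warning is stored in the session that the redirect target reads. The decorator body starts outside the hunk.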
@@ -184,9 +192,11 @@ class Wizard(NamedUrlWizardView): self.steps = StepsHelper(self) current_object = self.get_current_object() + ishtaruser = request.user.ishtaruser \ + if hasattr(request.user, 'ishtaruser') else None # not the fisrt step and current object is not owned if self.steps and self.steps.first != step and\ - current_object and not current_object.is_own(request.user): + current_object and not current_object.is_own(ishtaruser): self.session_reset(request, self.url_name) return HttpResponseRedirect('/') # extra filter on forms @@ -206,8 +216,8 @@ class Wizard(NamedUrlWizardView): def get_prefix(self, request, *args, **kwargs): """As the class name can interfere when reused prefix with the url_name """ - return self.url_name + super(Wizard, self).get_prefix( - request, *args, **kwargs) + return self.url_name + super(Wizard, self).get_prefix(request, *args, + **kwargs) def get_wizard_name(self): """As the class name can interfere when reused, use the url_name""" |
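Review bot: The ownership check now calls `current_object.is_own(ishtaruser)` with `ishtaruser` set to `None` whenever the requesting user has no `ishtaruser` relation, and what `is_own` does with `None` is not visible in this hunk. Since this condition is the gate that keeps a user out of later wizard steps for objects they do not own, the missing-profile case should be denied explicitly rather than depend on `is_own`, for example `current_object and (ishtaruser is None or not current_object.is_own(ishtaruser)):`. The enclosing method starts and ends outside the hunk.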