From 81dc5e04cd5c71c1fc0f8cd1d4be73620da8e8f0 Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 11 Sep 2019 12:19:19 +0200
Subject: Lock: do not allow lock/unlock of items locked by another user
---
 ishtar_common/views.py | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
(limited to 'ishtar_common/views.py')
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index c663eccbc..db0d3631b 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -2113,11 +2113,17 @@ class AlertList(JSONResponseMixin, LoginRequiredMixin,
 class QANotAvailable(IshtarMixin, LoginRequiredMixin, TemplateView):
 template_name = 'ishtar/forms/qa_message.html'
 modal_size = "small"
+ contexts = {"locked-by-others": _("Some items have been locked by other "
+ "user")}
 def get_context_data(self, **kwargs):
 data = super(QANotAvailable, self).get_context_data(**kwargs)
 data["page_name"] = _("Not available")
 data['message'] = _("Action not available for these items.")
+ if self.kwargs.get("context"):
+ context = self.kwargs.get("context")
+ if context in self.contexts:
+ data["message"] += " {}".format(self.contexts[context])
 return data
@@ -2134,7 +2140,7 @@ class QAItemForm(IshtarMixin, LoginRequiredMixin, FormView):
 # if not listed in QUICK_ACTIONS overload this method
 return self.model.get_quick_action_by_url(self.base_url)
- def dispatch(self, request, *args, **kwargs):
+ def pre_dispatch(self, request, *args, **kwargs):
 assert self.model
 pks = [int(pk) for pk in kwargs.get('pks').split('-')]
 self.items = list(self.model.objects.filter(pk__in=pks))
@@ -2151,6 +2157,11 @@ class QAItemForm(IshtarMixin, LoginRequiredMixin, FormView):
 raise Http404()
 self.url = request.get_full_path()
+
+ def dispatch(self, request, *args, **kwargs):
+ redirected = self.pre_dispatch(request, *args, **kwargs)
+ if redirected:
+ return redirected
 return super(QAItemForm, self).dispatch(request, *args, **kwargs)
 def get_form_kwargs(self):
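Review bot: In `QANotAvailable.get_context_data` the added branch relies on the `self.contexts` lookup to keep the URL-supplied `context` value out of the rendered message, but nothing says that this dictionary is an allow-list. A short comment above `contexts`, such as `# allow-list: URL "context" keys -> fixed translated text; never render the raw key`, would stop a later change from echoing the raw value. The double lookup can also be collapsed to `context = self.kwargs.get("context")` followed by `if context in self.contexts:`.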
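Review bot: In the new `QAItemForm.dispatch`, `pre_dispatch` runs before `super().dispatch`, so if `LoginRequiredMixin` enforces authentication in its own `dispatch` (as Django's mixin does), the item lookup, the 404 and the subclasses' lock checks all execute for unauthenticated requests. The old `dispatch` appears to have had the same ordering, but the new hook adds lock-ownership decisions to that path (see `QABaseLockView.pre_dispatch`), so responses can differ by item state before login is enforced. Consider delegating straight to the parent for anonymous users, e.g. `if not request.user.is_authenticated: return super(QAItemForm, self).dispatch(request, *args, **kwargs)` (on Django versions where `is_authenticated` is a property). A docstring on `pre_dispatch` stating that it returns `None` to continue or a response to short-circuit would also help. The body of `pre_dispatch` lies partly outside the hunk.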
@@ -2175,15 +2186,18 @@ class QAItemEditForm(QAItemForm):
 def get_quick_action(self):
 return self.model.QA_EDIT
- def dispatch(self, request, *args, **kwargs):
+ def pre_dispatch(self, request, *args, **kwargs):
 self.confirm = kwargs.get('confirm', False) and True
- returned = super(QAItemEditForm, self).dispatch(request, *args,
- **kwargs)
+ redirected = super(QAItemEditForm, self).pre_dispatch(
+ request, *args, **kwargs)
+ if redirected:
+ return redirected
 if hasattr(self.model, "locked"):
 for item in self.items:
 if item.locked:
- return HttpResponseRedirect(reverse("qa-not-available"))
- return returned
+ redirected = HttpResponseRedirect(
+ reverse("qa-not-available"))
+ return redirected
 def get_form_class(self):
 if len(self.items) > 1 and self.form_class_multi:
@@ -2222,6 +2236,14 @@ class QABaseLockView(QAItemForm):
 form_class = forms.QALockForm
 page_name = _("lock/unlock")
+ def pre_dispatch(self, request, *args, **kwargs):
+ super(QABaseLockView, self).pre_dispatch(
+ request, *args, **kwargs)
+ if [True for item in self.items
+ if item.lock_user and item.lock_user != request.user]:
+ url = reverse("qa-not-available", args=["locked-by-others"])
+ return HttpResponseRedirect(url)
+
 def form_valid(self, form):
 form.save(self.items, self.request.user)
 return HttpResponseRedirect(reverse("success"))
--
cgit v1.2.3
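Review bot: In `QAItemEditForm.pre_dispatch` the loop no longer stops at the first locked item, and the final `return redirected` doubles as the "nothing to report" path, which makes the control flow harder to follow than it needs to be. Returning inside the loop, `return HttpResponseRedirect(reverse("qa-not-available"))`, and ending the method with an explicit `return None` would read more directly. This branch also rejects every `item.locked` item without looking at `lock_user`, unlike the check added to `QABaseLockView`. If that is intentional (a lock blocks edits even for its owner), a one-line comment saying so would help.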
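Review bot: `QABaseLockView.pre_dispatch` discards the value returned by `super().pre_dispatch(...)`, whereas `QAItemEditForm.pre_dispatch` checks it; if the base hook ever returns a response, this view will ignore it and carry on to the ownership check. Capture it and return early: `redirected = super(QABaseLockView, self).pre_dispatch(request, *args, **kwargs)` then `if redirected: return redirected`. The list built only for its truthiness is clearer as `if any(item.lock_user and item.lock_user != request.user for item in self.items):`. The ownership check runs at dispatch time while `form.save(self.items, self.request.user)` runs later in `form_valid`, so it is worth confirming that `save` re-validates ownership if the lock can change in between; that code is not visible here.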