From 1eecf2118328562801097847e457e8ac601d7e2f Mon Sep 17 00:00:00 2001 From: Andrea Lepori Date: Mon, 3 Oct 2022 18:36:29 +0200 Subject: initial modification to support superuser account --- server/views.py | 99 +++++++++++++++++++-------------------------------------- 1 file changed, 33 insertions(+), 66 deletions(-) (limited to 'server/views.py') diff --git a/server/views.py b/server/views.py index 12b79e9..9babb92 100644 --- a/server/views.py +++ b/server/views.py @@ -45,15 +45,20 @@ def isCapi_enabled(user): else: return False +# function to get group list based on permissions of user +def getGroups(user): + if user.is_staff: + groups = user.groups.all() + else: + groups = user.groups.all()[1:] + + return groups + @user_passes_test(isStaff) def index(request): context = {} - # if user is staff of not primary show only public types - if request.user.is_staff: - groups = request.user.groups.all() - else: - groups = request.user.groups.all()[1:] + groups = getGroups(request.user) q_obj = Q(group__in=groups) @@ -180,11 +185,7 @@ def docapprove(request): context = {} data = [] - # if user not staff of primary has only control of non primary groups - if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - else: - groups = request.user.groups.values_list('name', flat=True)[1:] + groups = getGroups(request.user) # setup variables for error text and success text error = False @@ -295,10 +296,7 @@ def docapprove(request): @staff_member_required def approve_direct(request): # get groups that the user is manager of - if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - else: - groups = request.user.groups.values_list('name', flat=True)[1:] + groups = getGroups(request.user) if request.method == "POST" and "doc_code" in request.POST: # if user submitted the form to approve a document 
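Review bot: `getGroups()` returns `user.groups.all()[1:]` for a non-`is_staff` user, and the call sites this series introduces index the result with `[0]` (ulist, uapprove, docedit_wrapper, data_request), so a user who belongs to exactly one group gets an empty list and an IndexError rather than a denial. The helper also has no docstring explaining the "first group is the primary one" convention that the slice relies on; I would add `"""Return the groups the user administers: every group for is_staff users, all but the first (primary) group otherwise."""` and have callers guard with `if not groups: return HttpResponseForbidden()` before indexing.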
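Review bot: In the docapprove and approve_direct hunks `groups` switches from a list of group names (`values_list('name', flat=True)`) to Group instances, but both function bodies continue outside the hunk and no later commit in this series touches them. If they still contain a `document.group.name in groups` test or a `Q(group__name__in=groups)` filter, the first now always fails (str compared to Group) and the second passes model instances to a name lookup. Either keep `groups = getGroups(request.user).values_list('name', flat=True)` at these two call sites or update the remaining comparisons to `document.group in groups` / `Q(group__in=groups)`.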
@@ -358,8 +356,7 @@ def approve_direct(request): def ulist(request): context = {} # group name and obj - parent_group = request.user.groups.values_list('name', flat=True)[0] - group = Group.objects.get(name=parent_group) + group = getGroups(request.user)[0] if request.method == "POST": # request to download document @@ -426,7 +423,7 @@ def ulist(request): # list users with their documents permission = Permission.objects.get(codename="approved") - usercodes = UserCode.objects.filter(Q(user__user_permissions=permission) | Q(user__is_staff=True)).filter(user__groups__name__contains=parent_group).select_related("user", "medic").order_by("user__last_name") + usercodes = UserCode.objects.filter(Q(user__user_permissions=permission) | Q(user__is_staff=True)).filter(user__groups__contains=group).select_related("user", "medic").order_by("user__last_name") vac_file = ["/server/media/", "/vac_certificate/usercode"] health_file = ["/server/media/", "/health_care_certificate/usercode"] @@ -466,11 +463,7 @@ def doctype(request): group_check = 'checked="checked"' # if user not staff of primary get only non primary groups - if request.user.is_staff: - parent_groups = request.user.groups.values_list('name', flat=True) - else: - parent_groups = request.user.groups.values_list('name', flat=True)[ - 1:] + groups = getGroups(request.user) if request.method == "POST": # check if request to edit @@ -478,7 +471,7 @@ def doctype(request): document_type = DocumentType.objects.get(id=request.POST["action"][1:]) # check if user has permission on the document - if document_type.group.name not in parent_groups: + if document_type.group not in groups: return enabled_check = 'checked="checked"' if document_type.enabled else "" 
@@ -504,7 +497,7 @@ def doctype(request): document_type = DocumentType.objects.get(id=request.POST["action"][1:]) # check if user has permission on the document - if document_type.group.name not in parent_groups: + if document_type.group not in groups: return docs = Document.objects.filter(document_type=document_type).select_related("personal_data", "medical_data", "user") @@ -578,7 +571,7 @@ def doctype(request): document_type = DocumentType.objects.get(id=request.POST["action"][1:]) # check if user has permission on the document - if document_type.group.name not in parent_groups: + if document_type.group not in groups: return docs = Document.objects.filter(document_type=document_type) @@ -660,7 +653,7 @@ def doctype(request): if i.isdigit(): docc = DocumentType.objects.get(id=i) # check if user has permission - if docc.group.name in parent_groups: + if docc.group in groups: # execute action if request.POST["action"] == 'delete': try: @@ -700,7 +693,7 @@ def doctype(request): group_bool = True # get documents from the list - q_obj = Q(group__name__in=parent_groups) + q_obj = Q(group__in=groups) public_types = DocumentType.objects.filter(q_obj) @@ -774,22 +767,17 @@ def custom_parameters_preview(request): def doccreate(request): context = {} + groups = getGroups(request.user).values_list('name', flat=True) # if user is not staff of primary set default group to secondary and default public type if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - parent_group = request.user.groups.values_list('name', flat=True)[ - 0] group_private = False private_check = 'checked="checked"' else: - groups = request.user.groups.values_list('name', flat=True)[1:] - parent_group = request.user.groups.values_list('name', flat=True)[ - 1] group_private = True private_check = '' # get group obj - group = Group.objects.get(name=parent_group) + group = groups[0] # init checkboxes enabled = False 
@@ -914,22 +902,15 @@ def docedit(request): @user_passes_test(isStaff) def docedit_wrapper(request, context): + groups = getGroups(request.user).values_list('name', flat=True) + group = Group.objects.get(name=groups[0]) if request.user.is_staff and "group" in context.keys(): - base_group = request.user.groups.values_list('name', flat=True)[0] - if context["group"] == base_group: + if context["group"] == groups[0]: context["group"] = "" if request.method == "POST": if "action" not in request.POST.keys(): - # get groups on which the user has control - if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - else: - groups = request.user.groups.values_list('name', flat=True)[1:] - - group = Group.objects.get(name=groups[0]) - # get document doc = DocumentType.objects.get(id=request.POST["doc"]) @@ -1022,15 +1003,7 @@ def doclist(request): context = {} # group name and obj - parent_group = request.user.groups.values_list('name', flat=True)[ - 0] - group = Group.objects.get(name=parent_group) - - # if user not staff of primary get secondary groups - if request.user.is_staff: - parent_groups = request.user.groups.values_list('name', flat=True) - else: - parent_groups = request.user.groups.values_list('name', flat=True)[1:] + parent_groups = getGroups(request.user).values_list('name', flat=True) # create typezone zurich = pytz.timezone('Europe/Zurich') @@ -1211,7 +1184,7 @@ def doclist(request): # get types and users for chips autocompletation if request.user.is_staff: auto_types = DocumentType.objects.filter( - Q(group_private=False) | Q(group=group)) + Q(group_private=False) | Q(group=getGroups(request.user)[0])) else: auto_types = DocumentType.objects.filter(Q(group_private=False)) 
@@ -1560,10 +1533,7 @@ def zip_documents(docs, session_key): @user_passes_test(isStaff) def upload_doc(request): # setup group based on staff primary or not - if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - else: - groups = request.user.groups.values_list('name', flat=True)[1:] + groups = getGroups(request.user).values_list('name', flat=True) # setup variables for error text and success text error = False @@ -1632,10 +1602,7 @@ def upload_doc(request): def docpreview(request): context = {} # check for permissions - if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - else: - groups = request.user.groups.values_list('name', flat=True)[1:] + groups = getGroups(request.user).values_list('name', flat=True) if request.method == "POST": # get document code @@ -1685,7 +1652,7 @@ def docpreview(request): @user_passes_test(isStaff) def data_request(request): context = {} - parent_group = request.user.groups.values_list('name', flat=True)[0] + parent_group = getGroups(request.user).values_list('name', flat=True)[0] if request.method == "POST": if "request" not in request.POST.keys(): @@ -1798,8 +1765,8 @@ def media_request(request, id=0, t="", flag=""): if flag == "usercode": usercode = UserCode.objects.get(id=id) if request.user.is_staff: - groups = request.user.groups.values_list('name', flat=True) - usercode_group = usercode.user.groups.values_list('name', flat=True)[0] + groups = getGroups(request.user) + usercode_group = usercode.user.groups[0] if usercode_group not in groups: return else: 
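Review bot: In the media_request hunk `usercode.user.groups[0]` subscripts a related manager, which raises TypeError, so the staff branch of the usercode check crashes before `if usercode_group not in groups` runs; the access needs `.all()`, i.e. `usercode_group = usercode.user.groups.all()[0]`, after which the comparison against the Group instances from `getGroups()` is type-consistent. The crash fails closed, but it blocks every legitimate staff download of usercode media. Note that `groups.all()[0]` also depends on the unordered M2M returning the primary group first, which is a pre-existing assumption worth a comment. media_request's body continues outside the hunk.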
@@ -1815,7 +1782,7 @@ def media_request(request, id=0, t="", flag=""): doc = Document.objects.get(id=id) doc_group = doc.group.name - groups = request.user.groups.values_list('name', flat=True) + groups = getGroups(request.user).values_list('name', flat=True) group_view = "capi" in groups and GroupSettings.objects.filter(group__name=doc_group).filter(view_documents=True).count() != 0 # check if user can view media -- cgit v1.2.1 From c1e45c32a191311452f80a7d874ea00144fff98e Mon Sep 17 00:00:00 2001 From: Andrea Lepori Date: Tue, 4 Oct 2022 19:31:16 +0200 Subject: complete custom group support for superuser --- server/views.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'server/views.py') diff --git a/server/views.py b/server/views.py index 9babb92..8b1d4fd 100644 --- a/server/views.py +++ b/server/views.py @@ -119,9 +119,8 @@ def uapprove(request): data = [] if request.method == "POST": # get group name and obj - parent_group = request.user.groups.values_list('name', flat=True)[ - 0] - group = Group.objects.get(name=parent_group) + group = getGroups(request.user)[0] + parent_group = group.name # get permission object permission = Permission.objects.get(codename='approved') @@ -423,7 +422,7 @@ def ulist(request): # list users with their documents permission = Permission.objects.get(codename="approved") - usercodes = UserCode.objects.filter(Q(user__user_permissions=permission) | Q(user__is_staff=True)).filter(user__groups__contains=group).select_related("user", "medic").order_by("user__last_name") + usercodes = UserCode.objects.filter(Q(user__user_permissions=permission) | Q(user__is_staff=True)).filter(user__groups__name__contains=group.name).select_related("user", "medic").order_by("user__last_name") vac_file = ["/server/media/", "/vac_certificate/usercode"] health_file = ["/server/media/", "/health_care_certificate/usercode"] -- cgit v1.2.1 From a5c2bbe834d95b107aeb25cfcabc5c50290ee036 Mon Sep 17 00:00:00 2001 
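Review bot: In the ulist hunk of the second commit, `user__groups__name__contains=group.name` is a LIKE-style substring match, not a membership test: a staff member of a group named e.g. "muta" would also list users whose only group has a longer name containing "muta". Since `group` is already a Group instance, the precise and cheaper filter is `.filter(user__groups=group)`. The listing exposes medic and certificate data per user, so the filter should not be wider than the group boundary.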
From: Andrea Lepori Date: Mon, 21 Nov 2022 22:07:30 +0100 Subject: new way to select groups that can be overridden --- server/views.py | 56 ++++++++++++++++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 26 deletions(-) (limited to 'server/views.py') diff --git a/server/views.py b/server/views.py index 8b1d4fd..e9ca0c2 100644 --- a/server/views.py +++ b/server/views.py @@ -48,9 +48,13 @@ def isCapi_enabled(user): # function to get group list based on permissions of user def getGroups(user): if user.is_staff: - groups = user.groups.all() + groups = list(user.groups.all()) else: - groups = user.groups.all()[1:] + groups = list(user.groups.all())[1:] + + if user.is_superuser: + groups = list(Group.objects.all()) + print(groups) return groups @@ -766,7 +770,7 @@ def custom_parameters_preview(request): def doccreate(request): context = {} - groups = getGroups(request.user).values_list('name', flat=True) + groups = getGroups(request.user) # if user is not staff of primary set default group to secondary and default public type if request.user.is_staff: group_private = False @@ -852,7 +856,7 @@ def doccreate(request): context["error"] = "true" context["error_text"] = "Non puoi creare un documento non pubblico per un gruppo non primario" return render(request, 'server/doc_create.html', context) - if custom_group not in groups: + if custom_group not in map(lambda x: x.name, groups): context["error"] = "true" context["error_text"] = "Non puoi creare un tipo assegnato ad un gruppo di cui non fai parte" return render(request, 'server/doc_create.html', context) 
@@ -901,11 +905,11 @@ def docedit(request): @user_passes_test(isStaff) def docedit_wrapper(request, context): - groups = getGroups(request.user).values_list('name', flat=True) - group = Group.objects.get(name=groups[0]) + groups = getGroups(request.user) + group = groups[0] if request.user.is_staff and "group" in context.keys(): - if context["group"] == groups[0]: + if context["group"] == group.name: context["group"] = "" if request.method == "POST": @@ -914,7 +918,7 @@ def docedit_wrapper(request, context): doc = DocumentType.objects.get(id=request.POST["doc"]) # check if user can edit type - if doc.group.name not in groups: + if doc.group not in groups: # user is cheating abort return @@ -972,7 +976,7 @@ def docedit_wrapper(request, context): context["error"] = "true" context["error_text"] = "Non puoi creare un documento non pubblico per un gruppo non primario" return render(request, 'server/doc_edit.html', context) - if custom_group not in groups: + if custom_group not in map(lambda x: x.name, groups): context["error"] = "true" context["error_text"] = "Non puoi creare un tipo assegnato ad un gruppo di cui non fai parte" return render(request, 'server/doc_edit.html', context) @@ -1002,7 +1006,7 @@ def doclist(request): context = {} # group name and obj - parent_groups = getGroups(request.user).values_list('name', flat=True) + parent_groups = getGroups(request.user) # create typezone zurich = pytz.timezone('Europe/Zurich') @@ -1041,7 +1045,7 @@ def doclist(request): if request.POST["action"][0] == 'k': document = Document.objects.get(id=request.POST["action"][1:]) # check if user has permission to view doc - if document.group.name in parent_groups: + if document.group in parent_groups: vac_file = "" health_file = "" sign_doc_file = "" 
@@ -1080,7 +1084,7 @@ def doclist(request): for i in request.POST.keys(): if i.isdigit(): docc = Document.objects.get(id=i) - if docc.group.name in parent_groups: + if docc.group in parent_groups: selected.append(docc) # execute action on selected documents @@ -1135,7 +1139,7 @@ def doclist(request): groups = [] # filter documents based on group of staff and date range - q_obj = Q(group__name__in=parent_groups) & Q(compilation_date__range=[newer, older]) + q_obj = Q(group__in=parent_groups) & Q(compilation_date__range=[newer, older]) # filter documents if not hidden: @@ -1532,7 +1536,7 @@ def zip_documents(docs, session_key): @user_passes_test(isStaff) def upload_doc(request): # setup group based on staff primary or not - groups = getGroups(request.user).values_list('name', flat=True) + groups = getGroups(request.user) # setup variables for error text and success text error = False @@ -1553,7 +1557,7 @@ def upload_doc(request): elif Document.objects.filter(code=data).count() == 0: error_text = "Codice invalido" error = True - elif Document.objects.filter(code=data)[0].group.name not in groups: + elif Document.objects.filter(code=data)[0].group not in groups: error_text = "Codice invalido" error = True else: @@ -1601,7 +1605,7 @@ def upload_doc(request): def docpreview(request): context = {} # check for permissions - groups = getGroups(request.user).values_list('name', flat=True) + groups = getGroups(request.user) if request.method == "POST": # get document code 
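Review bot: In the upload_doc hunk, `Document.objects.filter(code=data).count() == 0` followed by `Document.objects.filter(code=data)[0].group not in groups` runs two separate queries for the same lookup and re-fetches the row again wherever the document is used later. Fetching once with `doc = Document.objects.filter(code=data).first()` and branching on `doc is None` / `doc.group not in groups` keeps a single query and the same generic "Codice invalido" message for both failure cases (good: it does not reveal whether a code exists). upload_doc's body continues outside the hunk.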
@@ -1612,12 +1616,12 @@ def docpreview(request): return render(request, 'server/download_doc.html', context) if Document.objects.filter(code=code).count() == 0: return render(request, 'server/download_doc.html', context) - if Document.objects.filter(code=code)[0].group.name not in groups: + if Document.objects.filter(code=code)[0].group not in groups: return render(request, 'server/download_doc.html', context) # get document document = Document.objects.filter(code=code)[0] - parent_group = document.user.groups.values_list('name', flat=True)[0] + parent_group = document.user.groups[0] # user has not permission to view document if parent_group not in groups: 
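Review bot: `parent_group = document.user.groups[0]` indexes a related manager and raises TypeError, so the second permission check in docpreview (`if parent_group not in groups`) can never be reached; it needs `document.user.groups.all()[0]`. The first check on the line above is correct now that both sides are Group instances. The function body continues outside the hunk.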
@@ -1651,23 +1655,23 @@ def docpreview(request): @user_passes_test(isStaff) def data_request(request): context = {} - parent_group = getGroups(request.user).values_list('name', flat=True)[0] + parent_group = getGroups(request.user)[0] if request.method == "POST": if "request" not in request.POST.keys(): context["error"] = "Selezionare una richesta" elif request.POST["request"] == "email_all": perm = Permission.objects.get(codename="approved") - users_email = User.objects.filter(groups__name=parent_group, user_permissions=perm).values_list("email", flat=True) + users_email = User.objects.filter(groups=parent_group, user_permissions=perm).values_list("email", flat=True) data = ", ".join(users_email) context["data"] = data elif request.POST["request"] == "email_non_staff": perm = Permission.objects.get(codename="approved") - users_email = User.objects.filter(groups__name=parent_group, user_permissions=perm).exclude(groups__name="capi").values_list("email", flat=True) + users_email = User.objects.filter(groups=parent_group, user_permissions=perm).exclude(groups__name="capi").values_list("email", flat=True) data = ", ".join(users_email) context["data"] = data elif request.POST["request"] == "data_user": - users = User.objects.filter(groups__name=parent_group) + users = User.objects.filter(groups=parent_group) # get time for filename current_time = datetime.strftime(datetime.now(), "%H_%M__%d_%m_%y") @@ -1703,7 +1707,7 @@ def data_request(request): return response elif request.POST["request"] == "data_user_medic": - users = User.objects.filter(groups__name=parent_group) + users = User.objects.filter(groups=parent_group) # get time for filename current_time = datetime.strftime(datetime.now(), "%H_%M__%d_%m_%y") 
@@ -1779,10 +1783,10 @@ def media_request(request, id=0, t="", flag=""): elif flag == "doc": doc = Document.objects.get(id=id) - doc_group = doc.group.name + doc_group = doc.group - groups = getGroups(request.user).values_list('name', flat=True) - group_view = "capi" in groups and GroupSettings.objects.filter(group__name=doc_group).filter(view_documents=True).count() != 0 + groups = getGroups(request.user) + group_view = Group.objects.filter(name="capi") in groups and GroupSettings.objects.filter(group__name=doc_group).filter(view_documents=True).count() != 0 # check if user can view media if request.user.is_staff: -- cgit v1.2.1 From 45cadf46d65e5d8f0620a8412bbc90cf23ab5c74 Mon Sep 17 00:00:00 2001 From: Andrea Lepori Date: Thu, 29 Dec 2022 12:45:35 +0100 Subject: superuser mode --- server/views.py | 56 +++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 17 deletions(-) (limited to 'server/views.py') diff --git a/server/views.py b/server/views.py index d295de6..481c177 100644 --- a/server/views.py +++ b/server/views.py @@ -46,14 +46,21 @@ def isCapi_enabled(user): return False # function to get group list based on permissions of user -def getGroups(user): +def getGroups(request): + user = request.user if user.is_staff: groups = list(user.groups.all()) else: groups = list(user.groups.all())[1:] - if user.is_superuser: + if user.is_superuser and request.session.get("superuser"): groups = list(Group.objects.all()) + if "superuser_group" in request.session: + su_group = Group.objects.get(name=request.session["superuser_group"]) + if su_group in groups: + groups.remove(su_group) + groups = [su_group] + groups + print(groups) return groups @@ -62,7 +69,7 @@ def getGroups(user): def index(request): context = {} - groups = getGroups(request.user) + groups = getGroups(request) q_obj = Q(group__in=groups) 
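Review bot: `Group.objects.filter(name="capi") in groups` compares a QuerySet against Group instances and is never true, so `group_view` is always False and the "capi" view-documents path is silently disabled; the membership test should be `any(g.name == "capi" for g in groups)`. On the same line, `GroupSettings.objects.filter(group__name=doc_group)` now receives a Group instance for a name lookup and only works because CharField stringifies it; use `GroupSettings.objects.filter(group=doc_group, view_documents=True).exists()`. The rest of the media check continues outside the hunk.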
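Review bot: In the getGroups hunk of the "superuser mode" commit, `Group.objects.get(name=request.session["superuser_group"])` raises `Group.DoesNotExist` if the stored name has no matching group, and because every view calls getGroups that turns into a 500 for the whole session with no way to clear it from the UI; use `su_group = Group.objects.filter(name=request.session["superuser_group"]).first()` and only move it to the front when it is not None. The helper now grants all-group scope based on a session flag, which deserves a docstring stating that explicitly, e.g. `"""... A superuser whose session has "superuser" set administers every group, with session["superuser_group"] placed first so callers that index [0] act on it."""`. The collapsed rendering loses indentation, so I cannot confirm the `superuser_group` block is nested under the `superuser` flag check; if it is not, a superuser who toggled the mode off still gets `su_group` prepended to groups they may not belong to.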
@@ -90,6 +97,21 @@ def index(request): # check if changing settings if request.method == "POST" and request.user.is_staff: + if request.user.is_superuser and "su_status" in request.POST: + action = request.POST["su_status"] + if action == "change": + if "superuser" not in request.session: + request.session["superuser"] = True + else: + request.session["superuser"] = not request.session["superuser"] + + if "superuser_group" not in request.session: + request.session["superuser_group"] = "reparto" + elif action in ["diga", "muta", "reparto", "posto", "clan"]: + request.session["superuser_group"] = action + + return HttpResponseRedirect("/server") + for i in groups: settings = GroupSettings.objects.filter(group=i) @@ -123,7 +145,7 @@ def uapprove(request): data = [] if request.method == "POST": # get group name and obj - group = getGroups(request.user)[0] + group = getGroups(request)[0] parent_group = group.name # get permission object @@ -188,7 +210,7 @@ def docapprove(request): context = {} data = [] - groups = getGroups(request.user) + groups = getGroups(request) # setup variables for error text and success text error = False @@ -299,7 +321,7 @@ def docapprove(request): @staff_member_required def approve_direct(request): # get groups that the user is manager of - groups = getGroups(request.user) + groups = getGroups(request) if request.method == "POST" and "doc_code" in request.POST: # if user submitted the form to approve a document @@ -359,7 +381,7 @@ def approve_direct(request): def ulist(request): context = {} # group name and obj - group = getGroups(request.user)[0] + group = getGroups(request)[0] if request.method == "POST": # request to download document @@ -466,7 +488,7 @@ def doctype(request): group_check = 'checked="checked"' # if user not staff of primary get only non primary groups - groups = getGroups(request.user) + groups = getGroups(request) if request.method == "POST": # check if request to edit 
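Review bot: The `elif action in ["diga", "muta", "reparto", "posto", "clan"]` whitelist in the index POST handler is the only validation of `superuser_group`, and the default "reparto" is hard-coded as well; if any of these groups is renamed or absent, getGroups later does `Group.objects.get(name=...)` on it and every page for that session errors. Validating against the database instead, `elif Group.objects.filter(name=action).exists():`, keeps the whitelist in sync with the real groups. Since this toggle widens the session to every group's documents and personal data, I would also add a comment at the top of the branch noting that the elevation persists in the session until explicitly toggled off or logout, and consider logging the toggle for audit.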
@@ -770,7 +792,7 @@ def custom_parameters_preview(request): def doccreate(request): context = {} - groups = getGroups(request.user) + groups = getGroups(request) # if user is not staff of primary set default group to secondary and default public type if request.user.is_staff: group_private = False @@ -905,7 +927,7 @@ def docedit(request): @user_passes_test(isStaff) def docedit_wrapper(request, context): - groups = getGroups(request.user) + groups = getGroups(request) group = groups[0] if request.user.is_staff and "group" in context.keys(): @@ -1006,7 +1028,7 @@ def doclist(request): context = {} # group name and obj - parent_groups = getGroups(request.user) + parent_groups = getGroups(request) # create typezone zurich = pytz.timezone('Europe/Zurich') @@ -1183,7 +1205,7 @@ def doclist(request): # get types and users for chips autocompletation if request.user.is_staff: auto_types = DocumentType.objects.filter( - Q(group_private=False) | Q(group=getGroups(request.user)[0])) + Q(group_private=False) | Q(group=getGroups(request)[0])) else: auto_types = DocumentType.objects.filter(Q(group_private=False)) @@ -1532,7 +1554,7 @@ def zip_documents(docs, session_key): @user_passes_test(isStaff) def upload_doc(request): # setup group based on staff primary or not - groups = getGroups(request.user) + groups = getGroups(request) # setup variables for error text and success text error = False @@ -1601,7 +1623,7 @@ def upload_doc(request): def docpreview(request): context = {} # check for permissions - groups = getGroups(request.user) + groups = getGroups(request) if request.method == "POST": # get document code @@ -1652,7 +1674,7 @@ def docpreview(request): @user_passes_test(isStaff) def data_request(request): context = {} - parent_group = getGroups(request.user)[0] + parent_group = getGroups(request)[0] if request.method == "POST": if "request" not in request.POST.keys(): 
@@ -1788,7 +1810,7 @@ def media_request(request, id=0, t="", flag=""): if flag == "usercode": usercode = UserCode.objects.get(id=id) if request.user.is_staff: - groups = getGroups(request.user) + groups = getGroups(request) usercode_group = usercode.user.groups[0] if usercode_group not in groups: return @@ -1805,7 +1827,7 @@ def media_request(request, id=0, t="", flag=""): doc = Document.objects.get(id=id) doc_group = doc.group - groups = getGroups(request.user) + groups = getGroups(request) group_view = Group.objects.filter(name="capi") in groups and GroupSettings.objects.filter(group__name=doc_group).filter(view_documents=True).count() != 0 # check if user can view media -- cgit v1.2.1 From 1b2624e91702db091d273efbd3c09fc87e2f7d39 Mon Sep 17 00:00:00 2001 From: Andrea Lepori Date: Thu, 29 Dec 2022 12:45:55 +0100 Subject: remove debug print of groups --- server/views.py | 2 -- 1 file changed, 2 deletions(-) (limited to 'server/views.py') diff --git a/server/views.py b/server/views.py index 481c177..6d332a6 100644 --- a/server/views.py +++ b/server/views.py @@ -61,8 +61,6 @@ def getGroups(request): groups.remove(su_group) groups = [su_group] + groups - print(groups) - return groups @user_passes_test(isStaff) -- cgit v1.2.1