Improve permissions handling

2024-11-21 23:58:02 +01:00 · 2022-04-25 17:30:49 +02:00 · 2022-04-25 17:30:49 +02:00 · 31077516ae
commit 31077516ae
parent 284943e1b6
4 changed files with 19 additions and 4 deletions
--- a/src/common/templates/403.html
+++ b/src/common/templates/403.html
@ -0,0 +1,5 @@
+{% extends "common/base.html" %}
+{% block content %}
+    <h1>Permission denied</h1>
+    <p>You're not allowed to access this page.</p>
+{% endblock %}
--- a/src/common/templates/common/navbar.html
+++ b/src/common/templates/common/navbar.html
@ -6,12 +6,12 @@
        </button>
        <div class="collapse navbar-collapse" id="navbarSupportedContent">
            <ul class="navbar-nav me-auto mb-2 mb-lg-0">
-                {% if perms.purchase.can_view_basket %}
+                {% if perms.purchase.view_basket %}
                    <li class="nav-item">
                        <a href="{% url "purchase:list" %}" class="nav-link">Baskets</a>
                    </li>
                {% endif %}
-                {% if perms.purchase.can_add_basket %}
+                {% if perms.purchase.add_basket %}
                    <li class="nav-item">
                        <a href="{% url "purchase:new" %}" class="nav-link">New basket</a>
                    </li>
--- a/src/purchase/templates/purchase/basket_list.html
+++ b/src/purchase/templates/purchase/basket_list.html
@ -12,8 +12,12 @@
                            {{ basket.price_display }}<br>
                            {{ basket.payment_method }}
                        </p>
-                        <a href="{% url "purchase:update" basket.id %}" class="btn btn-sm btn-primary">Edit</a>
-                        <a href="{% url "purchase:delete" basket.id %}" class="btn btn-sm btn-danger">Delete</a>
+                        {% if perms.purchase.change_basket %}
+                            <a href="{% url "purchase:update" basket.id %}" class="btn btn-sm btn-primary">Edit</a>
+                        {% endif %}
+                        {% if perms.purchase.delete_basket %}
+                            <a href="{% url "purchase:delete" basket.id %}" class="btn btn-sm btn-danger">Delete</a>
+                        {% endif %}
                    </div>
                </div>
            </div>
--- a/src/purchase/views.py
+++ b/src/purchase/views.py
@ -17,6 +17,12 @@ class NewBasketView(ProtectedViewsMixin, SuccessMessageMixin, CreateView):
    form_class = BasketForm
    success_message = "Successfully created basket."

+    def get_success_url(self):
+        if self.request.user.has_perm("purchase.change_basket"):
+            return super().get_success_url()
+        else:
+            return reverse("purchase:new")
+

 class UpdateBasketView(ProtectedViewsMixin, SuccessMessageMixin, UpdateView):
    permission_required = ["purchase.change_basket", "purchase.view_basket"]