delete view is not protected to wrong kind of users

Felipe Henrique de Almeida Bormann
1 parent 91238933
Showing 1 changed file with 17 additions and 1 deletions Show diff stats
categories/views.py
@@ -3,7 +3,7 @@ from django.views.generic import ListView, CreateView, DeleteView, UpdateView
 from .models import Category
 from django.core.urlresolvers import reverse_lazy
 from rolepermissions.verifications import has_role
-
+from django.db.models import Q
 from django.contrib import messages
 from django.http import HttpResponse, JsonResponse
 from django.utils.translation import ugettext_lazy as _
@@ -142,6 +142,22 @@ class DeleteCategory(LoginRequiredMixin, LogMixin, DeleteView):
     model = Category
     template_name = 'categories/delete.html'
+    def dispatch(self, request, *args, **kwargs):
+        pk = request.user.pk
+
+        if not request.user.is_staff:
+            category = Category.objects.filter(Q(coordinators__pk = pk) & Q(slug = kwargs['slug']))
+            if category.count() == 0:
+                if request.META.get('HTTP_REFERER'):
+                    return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
+                else:
+                    return redirect('subjects:index')
+        if request.method.lower() in self.http_method_names:
+            handler = getattr(self, request.method.lower(), self.http_method_not_allowed)
+        else:
+            handler = self.http_method_not_allowed
+        return handler(request, *args, **kwargs)
+
     def delete(self, request, *args, **kwargs):
         category = get_object_or_404(Category, slug = self.kwargs.get('slug'))
         subjects = Subject.objects.filter(category = category)
	@@ -3,7 +3,7 @@ from django.views.generic import ListView, CreateView, DeleteView, UpdateView		@@ -3,7 +3,7 @@ from django.views.generic import ListView, CreateView, DeleteView, UpdateView
3	from .models import Category	3	from .models import Category
4	from django.core.urlresolvers import reverse_lazy	4	from django.core.urlresolvers import reverse_lazy
5	from rolepermissions.verifications import has_role	5	from rolepermissions.verifications import has_role
6	-	6	+from django.db.models import Q
7	from django.contrib import messages	7	from django.contrib import messages
8	from django.http import HttpResponse, JsonResponse	8	from django.http import HttpResponse, JsonResponse
9	from django.utils.translation import ugettext_lazy as _	9	from django.utils.translation import ugettext_lazy as _
	@@ -142,6 +142,22 @@ class DeleteCategory(LoginRequiredMixin, LogMixin, DeleteView):		@@ -142,6 +142,22 @@ class DeleteCategory(LoginRequiredMixin, LogMixin, DeleteView):
142	model = Category	142	model = Category
143	template_name = 'categories/delete.html'	143	template_name = 'categories/delete.html'
144		144
		145	+ def dispatch(self, request, args, *kwargs):
		146	+ pk = request.user.pk
		147	+
		148	+ if not request.user.is_staff:
		149	+ category = Category.objects.filter(Q(coordinators__pk = pk) & Q(slug = kwargs['slug']))
		150	+ if category.count() == 0:
		151	+ if request.META.get('HTTP_REFERER'):
		152	+ return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
		153	+ else:
		154	+ return redirect('subjects:index')
		155	+ if request.method.lower() in self.http_method_names:
		156	+ handler = getattr(self, request.method.lower(), self.http_method_not_allowed)
		157	+ else:
		158	+ handler = self.http_method_not_allowed
		159	+ return handler(request, args, *kwargs)
		160	+
145	def delete(self, request, args, *kwargs):	161	def delete(self, request, args, *kwargs):
146	category = get_object_or_404(Category, slug = self.kwargs.get('slug'))	162	category = get_object_or_404(Category, slug = self.kwargs.get('slug'))
147	subjects = Subject.objects.filter(category = category)	163	subjects = Subject.objects.filter(category = category)