Commit 34046837 authored by Mikaël Salson, committed by Mathieu Giraud

controllers/user.py, models/VidjilAuth.py: Define can_modify_user

We don't store specific rights for modifying users yet.
For now we can only modify our own account (or all accounts
if the person is admin).
parent 5a4af716
Pipeline #96762 passed with stages in 8 minutes and 21 seconds
......@@ -57,7 +57,7 @@ def index():
reverse=reverse)
def edit():
if auth.is_admin():
if auth.can_modify_user(int(request.vars['id'])):
user = db.auth_user[request.vars["id"]]
log.info("load edit form for user",
extra={'user_id': auth.user.id, 'record_id': request.vars['id'], 'table_name': 'auth_user'})
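Review bot: in `edit()`, the new guard calls `int(request.vars['id'])` before any validation, so a request with a missing or non-numeric `id` raises inside the condition instead of reaching the `error_message(ACCESS_DENIED)` branch. Convert the id once in a guarded step, treat a failed conversion as a denial, and reuse that integer for the `db.auth_user[...]` lookup and the `record_id` log field, which both still read the raw `request.vars` value.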
......@@ -65,7 +65,7 @@ def edit():
return error_message(ACCESS_DENIED)
def edit_form():
if auth.is_admin():
if auth.can_modify_user(int(request.vars['id'])):
error = ""
if request.vars["first_name"] == "" :
error += "first name needed, "
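Review bot: in `edit_form()`, guarding with `auth.can_modify_user(...)` lets a non-admin submit this form for their own account, and the only validation visible in this hunk is the `first_name` check. Please confirm that the rest of the function, which is not shown here, writes no field that was only safe to expose while the handler was admin-only, and that the update targets the same integer id that was passed to the check rather than a fresh read of `request.vars`.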
......
......@@ -310,6 +310,15 @@ class VidjilAuth(Auth):
and (self.get_permission(PermissionEnum.admin_pre_process.value, 'pre_process', pre_process_id, user)\
or self.is_admin(user))
def can_modify_user(self, id):
'''
Returns True if the current user can modify the user
whose ID is given as parameter
:param: id should be an integer
'''
return self.is_admin() or self.user_id == id
def can_modify(self, object_of_action, id, user = None):
'''
Returns True if the user can modify the object of action whose ID id id
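Review bot: in `can_modify_user`, `self.user_id == id` is simply False when a caller passes the id as a string, so the integer requirement stated in the docstring is enforced only by convention at each call site, and a forgotten `int()` shows up as a silent denial of a legitimate self-edit. Consider converting or type-checking `id` inside the method, writing the docstring entry as `:param id:`, and accepting an optional `user` argument as the neighbouring `can_modify(self, object_of_action, id, user = None)` does, so the check can be evaluated for a user other than the current one.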
......