controllers/user.py, models/VidjilAuth.py: Define can_modify_user

We don't store specific rights for modifying user yet. For now we can only modify our own account (or all accounts if the person is admin)

controllers/user.py, models/VidjilAuth.py: Define can_modify_user
We don't store specific rights for modifying user yet. For now we can only modify our own account (or all accounts if the person is admin)
b3971b3b · Mikaël Salson · Mathieu Giraud · 4fe87a4a · b3971b3b · b3971b3b
Commit b3971b3b authored May 07, 2018 by Mikaël Salson Committed by Mathieu Giraud Oct 11, 2018
2 changed files
--- a/server/web2py/applications/vidjil/controllers/user.py
+++ b/server/web2py/applications/vidjil/controllers/user.py
@@ -57,13 +57,13 @@ def index():
    			reverse=reverse)

 def edit():
-    if auth.is_admin():
+    if auth.can_modify_user(int(request.vars['id'])):
        user = db.auth_user[request.vars["id"]]
        return dict(message=T("Edit user"), user=user)
    return error_message(ACCESS_DENIED)

 def edit_form():
-    if auth.is_admin():
+    if auth.can_modify_user(int(request.vars['id'])):
        error = ""
        if request.vars["first_name"] == "" :
            error += "first name needed, "

--- a/server/web2py/applications/vidjil/models/VidjilAuth.py
+++ b/server/web2py/applications/vidjil/models/VidjilAuth.py
@@ -310,6 +310,15 @@ class VidjilAuth(Auth):
            and (self.get_permission(PermissionEnum.admin_pre_process.value, 'pre_process', pre_process_id, user)\
            or self.is_admin(user))

+    def can_modify_user(self, id):
+        '''
+        Returns True if the current user can modify the user
+        whose ID is given as parameter
+
+        :param: id should be an integer
+        '''
+        return self.is_admin() or self.user_id == id
+
    def can_modify(self, object_of_action, id, user = None):
        '''
        Returns True if the user can modify the object of action whose ID id id