server : show buttons only if user have the required permission

cd49e1c5 · Marc Duez · 7eeb2f37 · cd49e1c5 · cd49e1c5 · cd49e1c5
Commit cd49e1c5 authored Sep 10, 2014 by Marc Duez
--- a/server/web2py/applications/vidjil/controllers/default.py
+++ b/server/web2py/applications/vidjil/controllers/default.py
@@ -45,7 +45,9 @@ def run_request():
        error += "id sequence file needed, "
    if not "config_id" in request.vars:
        error += "id config needed, "
-        
+    if not auth.has_permission("run", "data_file") :
+        error += "permission needed"
+    
    id_patient = db.sequence_file[request.vars["sequence_file_id"]].patient_id
    
    if not auth.has_permission('admin', 'patient', id_patient) :

--- a/server/web2py/applications/vidjil/views/patient/index.html
+++ b/server/web2py/applications/vidjil/views/patient/index.html
@@ -39,12 +39,11 @@ query = db(
                    <td> {{=row.patient.info }} </td>
                    <td> {{=row[count]}}</td>
                    {{if auth.has_membership("admin"):}}
-                    <td onclick="db.call('patient/permission', {'id' :'{{=row.patient.id}}'} )" > p </td>
-                    {{else:}}
-                    <td></td>
-                    {{pass}}
+                    <td onclick="db.call('patient/permission', {'id' :'{{=row.patient.id}}'} )" > p </td> {{else:}} <td></td> {{pass}}
+                    {{if (auth.has_permission('admin', 'patient', row.patient.id) ):}}
                    <td onclick="db.call('patient/edit', {'id' :'{{=row.patient.id}}'} )" > e </td>
                    <td onclick="db.call('patient/confirm', {'id' :'{{=row.patient.id}}'} )" > X </td>  
+                    {{else:}}  <td></td><td></td>{{pass}}
                </tr>
            {{pass}}
        </table>

--- a/server/web2py/applications/vidjil/views/patient/info.html
+++ b/server/web2py/applications/vidjil/views/patient/info.html
@@ -113,9 +113,10 @@ query = db(
                    <td> {{if filename != '':}}<a href="{{=URL('patient','download', scheme='https', args=row.sequence_file.data_file)}}" >dl</a>{{pass}}</td>
                    <td> {{=row.sequence_file.sampling_date}} </td>
                    <td> {{=row.sequence_file.info}} </td>
-                    <td onclick="db.call('file/edit', {'id' :'{{=row.sequence_file.id}}', 'patient_id' :'{{=request.vars['id']}}'} )" > e </td>
-                    <td onclick="db.call('file/confirm', {'id' :'{{=row.sequence_file.id}}', 'patient_id' :'{{=request.vars['id']}}'} )" > X </td>
-                     
+                    {{if (auth.has_permission('admin', 'patient', request.vars["id"]) ):}}
+                        <td onclick="db.call('file/edit', {'id' :'{{=row.sequence_file.id}}', 'patient_id' :'{{=request.vars['id']}}'} )" > e </td>
+                        <td onclick="db.call('file/confirm', {'id' :'{{=row.sequence_file.id}}', 'patient_id' :'{{=request.vars['id']}}'} )" > X </td>
+                    {{else:}}<td></td><td></td>{{pass}}
                    <td class="column_sep"></td>
                     
                    <td> {{if row.data_file.run_date :}}{{=row.data_file.run_date }}{{pass}} </td>
@@ -128,7 +129,7 @@ query = db(
                                <span class="button inactive" title="you don't have permission to schedule runs"> run >> </span>
                                {{pass}}
                            {{else:}}
-                            {{=status}}
+                                {{=status}}
                            {{pass}}
                        {{pass}}
                    </td>