Commit b3971b3b authored by Mikael Salson's avatar Mikael Salson Committed by Mathieu Giraud

controllers/user.py, models/VidjilAuth.py: Define can_modify_user

We don't store specific rights for modifying user yet.
For now we can only modify our own account (or all accounts
if the person is admin)
parent 4fe87a4a
......@@ -57,13 +57,13 @@ def index():
reverse=reverse)
def edit():
if auth.is_admin():
if auth.can_modify_user(int(request.vars['id'])):
user = db.auth_user[request.vars["id"]]
return dict(message=T("Edit user"), user=user)
return error_message(ACCESS_DENIED)
def edit_form():
if auth.is_admin():
if auth.can_modify_user(int(request.vars['id'])):
error = ""
if request.vars["first_name"] == "" :
error += "first name needed, "
......
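Review bot: In `edit()` and `edit_form()` the guard calls `int(request.vars['id'])` on the raw request value, so a missing, non-numeric or repeated `id` raises before the check returns, and the request ends in an unhandled exception rather than `error_message(ACCESS_DENIED)`. `edit()` then looks the record up with the unparsed `request.vars["id"]`, so the value that was authorised and the value that is used are derived separately. Parse once inside a `try` that catches `TypeError` and `ValueError`, then use that one integer for both `auth.can_modify_user(user_id)` and `db.auth_user[user_id]`. The body of `edit_form()` continues outside the hunk; since this guard presumably now admits non-admin users for their own account, it is worth confirming that the fields written there are limited to what a user may change about themselves.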
......@@ -310,6 +310,15 @@ class VidjilAuth(Auth):
and (self.get_permission(PermissionEnum.admin_pre_process.value, 'pre_process', pre_process_id, user)\
or self.is_admin(user))
def can_modify_user(self, id):
'''
Returns True if the current user can modify the user
whose ID is given as parameter
:param: id should be an integer
'''
return self.is_admin() or self.user_id == id
def can_modify(self, object_of_action, id, user = None):
'''
Returns True if the user can modify the object of action whose ID id id
......
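Review bot: `self.user_id == id` in `can_modify_user` is also true when both sides are `None`, so if `self.user_id` is `None` for an anonymous session and a caller passes an absent id through unconverted, the check fails open. The docstring asks for an integer but nothing enforces it; I would make the comparison explicit with `return self.is_admin() or (self.user_id is not None and self.user_id == id)`. The parameter name `id` also shadows the builtin and `:param:` carries no name; `:param id: integer ID of the user to modify` would fix the docstring. Unlike `can_modify` just below, this method takes no `user` argument and always checks the session user, which deserves a line in the docstring.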