Commit 3d46ee8f authored by Hangzhi Yu's avatar Hangzhi Yu

Add permission check using django-rules if user wants to mark notification as read

parent ce812669
1 merge request!243Resolve "Rewrite notification_mark_read with rules and permissions"
Pipeline #1885 passed with warnings
...@@ -8,6 +8,7 @@ from .util.predicates import ( ...@@ -8,6 +8,7 @@ from .util.predicates import (
is_current_person, is_current_person,
has_object_perm, has_object_perm,
is_group_owner, is_group_owner,
is_notification_recipient,
) )
...@@ -104,6 +105,10 @@ add_perm("core.manage_school", manage_school_predicate) ...@@ -104,6 +105,10 @@ add_perm("core.manage_school", manage_school_predicate)
manage_data_predicate = has_person & has_global_perm("core.manage_data") manage_data_predicate = has_person & has_global_perm("core.manage_data")
add_perm("core.manage_data", manage_data_predicate) add_perm("core.manage_data", manage_data_predicate)
# Mark notification as read
mark_notification_as_read_predicate = has_person & is_notification_recipient
add_perm("core.mark_notification_as_read", mark_notification_as_read_predicate)
# View announcements # View announcements
view_announcements_predicate = has_person & ( view_announcements_predicate = has_person & (
has_global_perm("core.view_announcement") | has_any_object("core.view_announcement", Announcement) has_global_perm("core.view_announcement") | has_any_object("core.view_announcement", Announcement)
......
...@@ -90,3 +90,9 @@ def is_group_owner(user: User, group: Group) -> bool: ...@@ -90,3 +90,9 @@ def is_group_owner(user: User, group: Group) -> bool:
return group.owners.filter(owners=user.person).exists() return group.owners.filter(owners=user.person).exists()
@predicate
def is_notification_recipient(user: User, obj: Model) -> bool:
""" Predicate which checks whether the recipient of the notification a user wants to mark read is this user """
return user == obj.recipient.user
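Review bot: `is_notification_recipient` dereferences `obj.recipient.user` without checking `obj`, so an object-less check of `core.mark_notification_as_read` (for example `user.has_perm(...)` called without an object, which reaches the predicate as `None`) raises `AttributeError` instead of returning False. A guard such as `return obj is not None and user == obj.recipient.user` makes the predicate fail closed. The annotation `obj: Model` could also be narrowed to `Notification`, since the body relies on a `recipient` attribute that a generic model does not have.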
...@@ -301,18 +301,20 @@ def system_status(request: HttpRequest) -> HttpResponse: ...@@ -301,18 +301,20 @@ def system_status(request: HttpRequest) -> HttpResponse:
return render(request, "core/system_status.html", context) return render(request, "core/system_status.html", context)
def get_notification_by_pk(request: HttpRequest, pk: int):
return get_object_or_404(Notification, pk=pk)
@permission_required("core.mark_notification_as_read", fn=get_notification_by_pk)
def notification_mark_read(request: HttpRequest, id_: int) -> HttpResponse: def notification_mark_read(request: HttpRequest, id_: int) -> HttpResponse:
""" Mark a notification read """ """ Mark a notification read """
context = {} context = {}
notification = get_object_or_404(Notification, pk=id_) notification = get_notification_by_pk(request, id_)
if notification.recipient.user == request.user: notification.read = True
notification.read = True notification.save()
notification.save()
else:
raise PermissionDenied(_("You are not allowed to mark notifications from other users as read!"))
# Redirect to dashboard as this is only used from there if JavaScript is unavailable # Redirect to dashboard as this is only used from there if JavaScript is unavailable
return redirect("index") return redirect("index")
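Review bot: The object getter `get_notification_by_pk(request, pk)` names its second parameter `pk` while the view it guards takes `id_`. The `permission_required` decorator from django-rules calls `fn` with the same positional and keyword arguments as the view, so if the URL pattern captures the id as the keyword `id_` (the URLconf is not visible here), the getter raises `TypeError` before any permission check runs. Declaring it as `def get_notification_by_pk(request: HttpRequest, id_: int):` keeps the two signatures in step. The decorator also redirects to the login page on denial by default, whereas the removed branch raised `PermissionDenied`. Passing `raise_exception=True` would keep the 403 for a logged-in user who is not the recipient.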
......