Stop volunteers from accessing admin urls.

Fixes #325

Author: necessary129

vms/administrator/utils.py

@@ -0,0 +1,11 @@
+from functools import wraps
+from django.shortcuts import render
+
+def admin_required(func):
+    @wraps(func)
+    def wrapped_view(request, *args, **kwargs):
+        admin = hasattr(request.user, 'administrator')
+        if not admin:
+            return render(request, 'vms/no_admin_rights.html', status=403)
+        return func(request, *args, **kwargs)
+    return wrapped_view

vms/administrator/views.py

@@ -13,21 +13,17 @@
 from django.views.generic.edit import FormView, UpdateView
 from django.views.generic import View
 from administrator.models import Administrator
+from administrator.utils import admin_required
 from django.utils.decorators import method_decorator
 
 
 class AdministratorLoginRequiredMixin(object):
 
     @method_decorator(login_required)
     def dispatch(self, request, *args, **kwargs):
-        user = request.user
-        admin = None
-        try:
-            admin = user.administrator
-        except ObjectDoesNotExist:
-            pass
+        admin = hasattr(request.user, 'administrator')
         if not admin:
-            return render(request, 'vms/no_admin_rights.html')
+            return render(request, 'vms/no_admin_rights.html', status=403)
         else:
             return super(AdministratorLoginRequiredMixin, self).dispatch(request, *args, **kwargs)
 
@@ -81,14 +77,6 @@ def post(self, request, *args, **kwargs):
 
 
 @login_required
+@admin_required
 def settings(request):
-    user = request.user
-    admin = None
-    try:
-        admin = user.administrator
-    except ObjectDoesNotExist:
-        pass
-    if not admin:
-        return HttpResponse(status=403)
-
     return HttpResponseRedirect(reverse('event:list'))

vms/event/views.py

@@ -16,7 +16,6 @@
 from django.shortcuts import render_to_response
 from django.http import Http404
 
-
 class AdministratorLoginRequiredMixin(object):
 
     @method_decorator(login_required)
@@ -112,7 +111,7 @@ def post(self, request, *args, **kwargs):
                 return render(request, 'event/edit.html', {'form': form,})
 
 
-class EventListView(LoginRequiredMixin, ListView):
+class EventListView(LoginRequiredMixin, AdministratorLoginRequiredMixin, ListView):
     model_form = Event
     template_name = "event/list.html"
 

vms/registration/utils.py

@@ -0,0 +1,12 @@
+from functools import wraps
+from django.shortcuts import render
+
+def volunteer_denied(func):
+    @wraps(func)
+    def wrapper(request, *args, **kwargs):
+        if request.user.is_authenticated():
+            if not hasattr(request.user, 'administrator'):
+                return render(request, 'vms/no_admin_rights.html', status=403)
+        return func(request, *args, **kwargs)
+    return wrapper
+    

vms/registration/views.py

@@ -6,6 +6,7 @@
 from django.views.generic.edit import FormView
 from django.views.generic import TemplateView
 from django.core.urlresolvers import reverse_lazy
+from django.utils.decorators import method_decorator
 from administrator.forms import AdministratorForm
 from organization.services import (get_organizations_ordered_by_name,
                                    get_organization_by_id)
@@ -14,6 +15,7 @@
 from registration.forms import UserForm
 from registration.phone_validate import validate_phone
 from administrator.models import *
+from registration.utils import volunteer_denied
 
 
 class AdministratorSignupView(TemplateView):
@@ -30,6 +32,10 @@ class AdministratorSignupView(TemplateView):
     organization_list = get_organizations_ordered_by_name()
     phone_error = False
 
+    @method_decorator(volunteer_denied)
+    def dispatch(self, *args, **kwargs):
+      return super(AdministratorSignupView, self).dispatch(*args, **kwargs)
+
     def get(self, request):
         user_form = UserForm(prefix="usr")
         administrator_form = AdministratorForm(prefix="admin")

vms/volunteer/views.py

@@ -10,6 +10,7 @@
 from django.views.generic.detail import DetailView
 from django.views.generic import ListView
 from braces.views import LoginRequiredMixin, AnonymousRequiredMixin
+from administrator.utils import admin_required
 from organization.services import *
 from shift.services import *
 from event.services import get_signed_up_events_for_volunteer
@@ -162,6 +163,7 @@ def post(self, request, *args, **kwargs):
                        'job_list': job_list, 'event_list': event_list, 'selected_event': event_name,
                        'selected_job': job_name})
 @login_required
+@admin_required
 def search(request):
     if request.method == 'POST':
         form = SearchVolunteerForm(request.POST)