Stop volunteers from accessing admin urls.

necessary129 · necessary129 · commit 0c02af8fb0ea · 2016-12-06T21:53:11.000+05:30
Fixes #325
diff --git a/vms/administrator/utils.py b/vms/administrator/utils.py
@@ -0,0 +1,11 @@
+from functools import wraps
+from django.shortcuts import render
+
+def admin_required(func):
+    @wraps(func)
+    def wrapped_view(request, *args, **kwargs):
+        admin = hasattr(request.user, 'administrator')
+        if not admin:
+            return render(request, 'vms/no_admin_rights.html', status=403)
+        return func(request, *args, **kwargs)
+    return wrapped_view
diff --git a/vms/administrator/views.py b/vms/administrator/views.py
@@ -13,21 +13,17 @@
 from django.views.generic.edit import FormView, UpdateView
 from django.views.generic import View
 from administrator.models import Administrator
+from administrator.utils import admin_required
 from django.utils.decorators import method_decorator
 
 
 class AdministratorLoginRequiredMixin(object):
 
     @method_decorator(login_required)
     def dispatch(self, request, *args, **kwargs):
-        user = request.user
-        admin = None
-        try:
-            admin = user.administrator
-        except ObjectDoesNotExist:
-            pass
+        admin = hasattr(request.user, 'administrator')
         if not admin:
-            return render(request, 'vms/no_admin_rights.html')
+            return render(request, 'vms/no_admin_rights.html', status=403)
         else:
             return super(AdministratorLoginRequiredMixin, self).dispatch(request, *args, **kwargs)
 
@@ -81,6 +77,7 @@ def post(self, request, *args, **kwargs):
 
 
 @login_required
+@admin_required
 def settings(request):
     user = request.user
     admin = None
diff --git a/vms/registration/views.py b/vms/registration/views.py
@@ -16,7 +16,7 @@
 from administrator.models import *
 
 
-class AdministratorSignupView(TemplateView):
+class AdministratorSignupView(AnonymousRequiredMixin, TemplateView):
     """
     Administrator and Volunteer signup is implemented as a TemplateView that
     displays the signup form.
diff --git a/vms/volunteer/views.py b/vms/volunteer/views.py
@@ -10,6 +10,7 @@
 from django.views.generic.detail import DetailView
 from django.views.generic import ListView
 from braces.views import LoginRequiredMixin, AnonymousRequiredMixin
+from administrator.utils import admin_required
 from organization.services import *
 from shift.services import *
 from event.services import get_signed_up_events_for_volunteer
@@ -162,6 +163,7 @@ def post(self, request, *args, **kwargs):
                        'job_list': job_list, 'event_list': event_list, 'selected_event': event_name,
                        'selected_job': job_name})
 @login_required
+@admin_required
 def search(request):
     if request.method == 'POST':
         form = SearchVolunteerForm(request.POST)
