Merge pull request #408 from necessary129/vol-acc-fix

Stop volunteers from accessing each other's urls.

Author: smarshy

vms/event/views.py

@@ -15,6 +15,7 @@
 from django.utils.decorators import method_decorator
 from django.shortcuts import render_to_response
 from django.http import Http404
+from volunteer.utils import vol_id_check
 
 class AdministratorLoginRequiredMixin(object):
 
@@ -121,6 +122,7 @@ def get_queryset(self):
 
 
 @login_required
+@vol_id_check
 def list_sign_up(request, volunteer_id):
     if request.method == 'POST':
         form = EventDateForm(request.POST)

vms/shift/tests/test_viewVolunteerShift.py

@@ -67,7 +67,7 @@ def test_access_another_existing_volunteer_view(self):
     def test_access_another_nonexisting_volunteer_view(self):
         upcoming_shift_page = self.upcoming_shift_page
         upcoming_shift_page.get_page(self.live_server_url, upcoming_shift_page.view_shift_page + '65459')
-        found = re.search('Not Found', self.driver.page_source)
+        found = re.search('You don\'t have the necessary rights to access this page', self.driver.page_source)
         self.assertNotEqual(found, None)
 
     def test_view_without_any_assigned_shift(self):

vms/shift/views.py

@@ -18,7 +18,7 @@
 from django.views.generic import ListView
 from django.utils.decorators import method_decorator
 from django.core.urlresolvers import reverse_lazy
-
+from volunteer.utils import vol_id_check
 
 class AdministratorLoginRequiredMixin(object):
 
@@ -573,6 +573,10 @@ def sign_up(request, shift_id, volunteer_id):
 class ViewHoursView(LoginRequiredMixin, FormView, TemplateView):
     template_name = 'shift/hours_list.html'
 
+    @method_decorator(vol_id_check)
+    def dispatch(self, *args, **kwargs):
+        return super(ViewHoursView, self).dispatch(*args, **kwargs)
+
     def get_context_data(self, **kwargs):
         context = super(ViewHoursView, self).get_context_data(**kwargs)
         volunteer_id = self.kwargs['volunteer_id']
@@ -582,36 +586,15 @@ def get_context_data(self, **kwargs):
 
 
 @login_required
+@vol_id_check
 def view_volunteer_shifts(request, volunteer_id):
-    user = request.user
-    vol = None
-
-    try:
-        vol = user.volunteer
-    except ObjectDoesNotExist:
-        pass
+    shift_list = get_unlogged_shifts_by_volunteer_id(volunteer_id)
+    return render(
+        request,
+        'shift/volunteer_shifts.html',
+        {'shift_list': shift_list, 'volunteer_id': volunteer_id, }
+        )
 
-    # check that a volunteer is logged in
-    if vol:
-        if volunteer_id:
-            volunteer = get_volunteer_by_id(volunteer_id)
-            if volunteer:
-                user = request.user
-                if int(user.volunteer.id) == int(volunteer_id):
-                    shift_list = get_unlogged_shifts_by_volunteer_id(volunteer_id)
-                    return render(
-                        request,
-                        'shift/volunteer_shifts.html',
-                        {'shift_list': shift_list, 'volunteer_id': volunteer_id, }
-                        )
-                else:
-                    return HttpResponse(status=403)
-            else:
-                raise Http404
-        else:
-            raise Http404
-    else:
-        return HttpResponse(status=403)
 
 
 class VolunteerSearchView(AdministratorLoginRequiredMixin, FormView):

vms/vms/templates/vms/no_volunteer_access.html

@@ -0,0 +1,22 @@
+{% extends "vms/base.html" %}
+
+{% load i18n %}
+
+{% block content %}
+    <div class="spacer"></div>
+   
+        {% csrf_token %}
+        <div class="panel panel-danger">
+            <div class="panel-heading">
+                <h3 class="panel-title">{% trans "No Access" %}</h3>
+            </div>
+            <div class="panel-body">
+                <br>
+                {% trans "You don't have the necessary rights to access this page." %}
+                <br>
+                <br>
+                <input type="button" class="btn btn-default" value="{% blocktrans %}Return to Previous Page{% endblocktrans %}" onClick="javascript:history.go(-1);">
+            </div>
+        </div>
+   
+{% endblock %}

vms/volunteer/utils.py

@@ -0,0 +1,19 @@
+from functools import wraps
+from django.shortcuts import render
+from django.http import Http404
+from volunteer.services import get_volunteer_by_id
+
+def vol_id_check(func):
+    @wraps(func)
+    def wrapped_view(request, volunteer_id):
+        vol = getattr(request.user, 'volunteer', hasattr(request.user, 'administrator'))
+        if not vol:
+            return render(request, 'vms/no_volunteer_access.html', status=403)
+        elif vol != True:
+            volunteer = get_volunteer_by_id(volunteer_id)
+            if not volunteer:
+                return render(request, 'vms/no_volunteer_access.html', status=403)
+            if not int(volunteer.id) == vol.id:
+                return render(request, 'vms/no_volunteer_access.html', status=403)
+        return func(request, volunteer_id=volunteer_id)
+    return wrapped_view

vms/volunteer/views.py

@@ -22,7 +22,8 @@
 from volunteer.validation import validate_file
 from django.views.generic import View
 from django.core.urlresolvers import reverse_lazy
-
+from django.utils.decorators import method_decorator
+from volunteer.utils import vol_id_check
 
 @login_required
 def download_resume(request, volunteer_id):
@@ -109,13 +110,15 @@ def form_valid(self, form):
 class ProfileView(LoginRequiredMixin, DetailView):
     template_name = 'volunteer/profile.html'
 
+    @method_decorator(vol_id_check)
+    def dispatch(self, *args, **kwargs):
+        return super(ProfileView, self).dispatch(*args, **kwargs)
+
     def get_object(self, queryset=None):
         volunteer_id = self.kwargs['volunteer_id']
         obj = Volunteer.objects.get(id=self.kwargs['volunteer_id'])
-        if obj:
-            return obj
-        else:
-            return HttpResponse(status=403)
+        return obj
+
 
 '''
   The view generate Report.
@@ -124,6 +127,10 @@ def get_object(self, queryset=None):
 
 class GenerateReportView(LoginRequiredMixin, View):
 
+    @method_decorator(vol_id_check)
+    def dispatch(self, *args, **kwargs):
+        return super(GenerateReportView, self).dispatch(*args, **kwargs)
+
     def get(self, request, *args, **kwargs):
         view = ShowFormView.as_view()
         return view(request, *args,**kwargs)