From 7ab945464b2c96ac4eb358cbb72b10a8c3f47935 Mon Sep 17 00:00:00 2001 From: Tanshu Date: Mon, 29 Oct 2012 01:02:22 +0530 Subject: [PATCH] Voucher permissions done (hopefully). Backdated voucher check still pending --- brewman/brewman/static/partial/issue.html | 6 +-- brewman/brewman/static/partial/journal.html | 6 +-- brewman/brewman/static/partial/payment.html | 6 +-- brewman/brewman/static/partial/purchase.html | 6 +-- brewman/brewman/static/partial/receipt.html | 6 +-- brewman/brewman/static/scripts/issue.js | 12 ++++++ brewman/brewman/static/scripts/journal.js | 41 +++++++++++++++---- brewman/brewman/static/scripts/overlord.js | 4 +- brewman/brewman/static/scripts/payment.js | 12 ++++++ brewman/brewman/static/scripts/purchase.js | 12 ++++++ brewman/brewman/static/scripts/receipt.js | 12 ++++++ brewman/brewman/views/services/session.py | 2 +- .../views/services/voucher/__init__.py | 22 +++++++++- .../views/services/voucher/update_voucher.py | 18 ++++++-- 14 files changed, 135 insertions(+), 30 deletions(-) diff --git a/brewman/brewman/static/partial/issue.html b/brewman/brewman/static/partial/issue.html index da2e7d9a..a11ec941 100644 --- a/brewman/brewman/static/partial/issue.html +++ b/brewman/brewman/static/partial/issue.html @@ -118,18 +118,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted + Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted by {{voucher.Poster}}
\ No newline at end of file diff --git a/brewman/brewman/static/partial/journal.html b/brewman/brewman/static/partial/journal.html index 9f36d3f5..c4e5d397 100644 --- a/brewman/brewman/static/partial/journal.html +++ b/brewman/brewman/static/partial/journal.html @@ -69,18 +69,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted + Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted by {{voucher.Poster}}
diff --git a/brewman/brewman/static/partial/payment.html b/brewman/brewman/static/partial/payment.html index 47a6d26d..2872a0a7 100644 --- a/brewman/brewman/static/partial/payment.html +++ b/brewman/brewman/static/partial/payment.html @@ -78,18 +78,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted + Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted by {{voucher.Poster}}
diff --git a/brewman/brewman/static/partial/purchase.html b/brewman/brewman/static/partial/purchase.html index c7482218..9895e82e 100644 --- a/brewman/brewman/static/partial/purchase.html +++ b/brewman/brewman/static/partial/purchase.html @@ -93,18 +93,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. + Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted by {{voucher.Poster}}
diff --git a/brewman/brewman/static/partial/receipt.html b/brewman/brewman/static/partial/receipt.html index d3bad6be..df8a2d40 100644 --- a/brewman/brewman/static/partial/receipt.html +++ b/brewman/brewman/static/partial/receipt.html @@ -78,18 +78,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted + Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted by {{voucher.Poster}}
diff --git a/brewman/brewman/static/scripts/issue.js b/brewman/brewman/static/scripts/issue.js index f73cb8cc..ee0d087e 100644 --- a/brewman/brewman/static/scripts/issue.js +++ b/brewman/brewman/static/scripts/issue.js @@ -115,6 +115,18 @@ }); }; + $scope.preventAlteration = function (voucher) { + if (typeof voucher.VoucherID === 'undefined') { + return !$scope.perms['Issue']; + } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) { + return true; + } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) { + return true; + } else { + return false; + } + }; + $scope.get = function (voucherid) { $scope.voucher = Voucher.get({id:voucherid}, function (u, putResponseHeaders) { $location.path('/Issue/' + u.VoucherID); diff --git a/brewman/brewman/static/scripts/journal.js b/brewman/brewman/static/scripts/journal.js index d76b8bf8..f151859d 100644 --- a/brewman/brewman/static/scripts/journal.js +++ b/brewman/brewman/static/scripts/journal.js @@ -1,10 +1,5 @@ -function JournalCtrl($scope, $routeParams, $location, Voucher) { - if (typeof $routeParams.id === 'undefined'){ - $scope.voucher = Voucher.get({type:'Journal'}); - } else { - $scope.voucher = Voucher.get({id:$routeParams.id}); - } - +function JournalCtrl($scope, $location, voucher) { + $scope.voucher = voucher; $scope.name = ''; $scope.debit = 1; $scope.addJournal = function () { 
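Review bot: `$scope.preventAlteration` is copied verbatim into issue.js, journal.js, payment.js, purchase.js and receipt.js, differing only in the key looked up in `$scope.perms` ('Issue', 'Journal', 'Payment', 'Purchase', 'Receipt'); one shared function that takes that name as a parameter would keep the five copies from drifting apart. The ownership test uses loose inequality, `voucher.User.UserID != $scope.auth.UserID`; `!==` is the safer form, provided both values arrive from the server in the same representation. This gate only hides UI controls, so the server-side checks in voucher/__init__.py and update_voucher.py remain the enforcement point. The enclosing controller function starts before the hunk.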
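Review bot: The new signature `function JournalCtrl($scope, $location, voucher)` drops the `Voucher` injection, yet `$scope.get` further down the file (visible as context in the next hunk) still calls `Voucher.get({VoucherID:voucherid}, …)`, which will now reference an undefined name unless `Voucher` happens to be a global. Either keep the service in the parameter list, `function JournalCtrl($scope, $location, Voucher, voucher) {`, or drop `$scope.get` if the route resolve makes it redundant. Since the resolved value and the service then differ only in case, a more distinct name such as `resolvedVoucher` would avoid confusion.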
@@ -45,6 +40,18 @@ $scope.amount = Math.abs(amount); }, true); + $scope.preventAlteration = function (voucher) { + if (typeof voucher.VoucherID === 'undefined') { + return !$scope.perms['Journal']; + } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) { + return true; + } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) { + return true; + } else { + return false; + } + }; + $scope.get = function (voucherid) { $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) { $scope.toasts.push({Type:'Success', Message:u.Code}); @@ -79,3 +86,23 @@ }); }; } + +JournalCtrl.resolve = { + voucher:function ($q, $route, Voucher) { + var deferred = $q.defer(); + + var id = $route.current.params.id; + + var successCb = function (result) { + deferred.resolve(result); + }; + + if (typeof id === 'undefined') { + Voucher.get({type:'Journal'}, successCb); + } else { + Voucher.get({id:id}, successCb); + } + return deferred.promise; + } + +} \ No newline at end of file diff --git a/brewman/brewman/static/scripts/overlord.js b/brewman/brewman/static/scripts/overlord.js index 1ff13de1..9c807e1a 100644 --- a/brewman/brewman/static/scripts/overlord.js +++ b/brewman/brewman/static/scripts/overlord.js 
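Review bot: `JournalCtrl.resolve.voucher` passes only a success callback to both `Voucher.get` calls, so if the request fails (for example a 403 from the new server-side checks, a 404, or a network error) the deferred is never settled and the route change hangs silently. Passing the rejection as the error callback, `Voucher.get({id:id}, successCb, deferred.reject);` and likewise `Voucher.get({type:'Journal'}, successCb, deferred.reject);`, lets a `$routeChangeError` handler deal with it. The object literal assigned to `JournalCtrl.resolve` also ends with a stray blank line before the closing brace and the file has no trailing newline.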
@@ -7,8 +7,8 @@ var overlord = angular.module('overlord', ['overlord.directive', 'overlord.filte when('/login', {templateUrl:'/partial/login.html', controller:LoginCtrl}). when('/logout', {templateUrl:'/partial/home.html', controller:LogoutCtrl}). - when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl}). - when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl}). + when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}). + when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}). when('/Payment', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}). when('/Payment/:id', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}). diff --git a/brewman/brewman/static/scripts/payment.js b/brewman/brewman/static/scripts/payment.js index 619c6acb..cab9af63 100644 --- a/brewman/brewman/static/scripts/payment.js +++ b/brewman/brewman/static/scripts/payment.js @@ -51,6 +51,18 @@ } }, true); + $scope.preventAlteration = function (voucher) { + if (typeof voucher.VoucherID === 'undefined') { + return !$scope.perms['Payment']; + } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) { + return true; + } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) { + return true; + } else { + return false; + } + }; + $scope.get = function (voucherid) { $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) { $scope.toasts.push({Type:'Success', Message:u.Code}); diff --git a/brewman/brewman/static/scripts/purchase.js b/brewman/brewman/static/scripts/purchase.js index 5ddc6225..ad8f490c 100644 --- a/brewman/brewman/static/scripts/purchase.js +++ b/brewman/brewman/static/scripts/purchase.js 
@@ -62,6 +62,18 @@ } }, true); + $scope.preventAlteration = function (voucher) { + if (typeof voucher.VoucherID === 'undefined') { + return !$scope.perms['Purchase']; + } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) { + return true; + } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) { + return true; + } else { + return false; + } + }; + $scope.get = function (voucherid) { $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) { $scope.toasts.push({Type:'Success', Message:u.Code}); diff --git a/brewman/brewman/static/scripts/receipt.js b/brewman/brewman/static/scripts/receipt.js index 3c497119..a43f8299 100644 --- a/brewman/brewman/static/scripts/receipt.js +++ b/brewman/brewman/static/scripts/receipt.js @@ -51,6 +51,18 @@ } }, true); + $scope.preventAlteration = function (voucher) { + if (typeof voucher.VoucherID === 'undefined') { + return !$scope.perms['Receipt']; + } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) { + return true; + } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) { + return true; + } else { + return false; + } + }; + $scope.get = function (voucherid) { $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) { $scope.toasts.push({Type:'Success', Message:u.Code}); diff --git a/brewman/brewman/views/services/session.py b/brewman/brewman/views/services/session.py index 4aca86b0..9712ddc8 100644 --- a/brewman/brewman/views/services/session.py +++ b/brewman/brewman/views/services/session.py @@ -36,7 +36,7 @@ def user_permission(request): auth = {'isAuthenticated': False, 'perms': {}} else: user = User.get_by_id(uuid.UUID(user_id)) - auth = {'isAuthenticated': True, 'Name': user.name} + auth = {'isAuthenticated': True, 'Name': user.name, 'UserID': user.id} session_perms = request.session['perms'] perms = {} for item in Role.list(): 
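Review bot: `'UserID': user.id` is handed straight to the json renderer; the surrounding code builds the id with `uuid.UUID(user_id)`, so if `user.id` is a `uuid.UUID` the default renderer raises a TypeError unless a UUID adapter is registered elsewhere, and `'UserID': str(user.id)` is the safe form. The same applies to `'UserID': voucher.user.id` in `voucher_info` in voucher/__init__.py. Whichever representation is used, both must match exactly, because the client compares them with `voucher.User.UserID != $scope.auth.UserID`. `user_permission` starts before the hunk.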
diff --git a/brewman/brewman/views/services/voucher/__init__.py b/brewman/brewman/views/services/voucher/__init__.py index f69d5806..b8c228d2 100644 --- a/brewman/brewman/views/services/voucher/__init__.py +++ b/brewman/brewman/views/services/voucher/__init__.py @@ -32,10 +32,30 @@ def voucher_post(request): return response +def check_delete_permissions(request, voucher): + user = User.get_by_id(uuid.UUID(authenticated_userid(request))) + permissions = request.session['perms'] + if voucher.posted and not 'Edit Posted Vouchers' in permissions: + response = Response("You are not allowed to edit posted vouchers") + response.status_int = 403 + return response + elif voucher.user_id != user.id and "Edit Other User's Vouchers" not in permissions: + response = Response("You are not allowed to edit other user's vouchers") + response.status_int = 403 + return response + elif VoucherType.by_id(voucher.type).name not in permissions: + response = Response("You are not allowed (0) vouchers".format(VoucherType.by_id(voucher.type).name)) + response.status_int = 403 + return response + + @view_config(request_method='DELETE', route_name='voucher', renderer='json', xhr=True) def delete(request): id = request.matchdict.get('id', None) voucher = Voucher.by_id(uuid.UUID(id)) + permission = check_delete_permissions(request, voucher) + if permission is not None: + return permission json_voucher = voucher_info(voucher) if voucher.type == 'Issue': for item in voucher.journals: @@ -86,7 +106,7 @@ def voucher_info(voucher): 'Inventories': [], 'CreationDate': voucher.creation_date.strftime('%d-%b-%Y %H:%M'), 'LastEditDate': voucher.last_edit_date.strftime('%d-%b-%Y %H:%M'), - 'User': voucher.user.name, + 'User': {'UserID': voucher.user.id, 'Name': voucher.user.name}, 'Poster': voucher.poster.name if voucher.posted else ''} for item in voucher.journals: json_voucher['Journals'].append({'JournalID': item.id, 'Debit': item.debit, 'Amount': item.amount, 
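Review bot: The third branch of `check_delete_permissions` never substitutes the voucher type: the template uses `(0)` instead of `{0}`, so the message always reads "You are not allowed (0) vouchers"; it should be `Response("You are not allowed to edit {0} vouchers".format(type_name))` with `type_name = VoucherType.by_id(voucher.type).name` computed once rather than calling `by_id` twice. That branch also treats `voucher.type` as an id for `VoucherType.by_id`, while the context line right after the new check compares `voucher.type == 'Issue'` as a name — one of the two looks wrong, worth confirming against the model. The first two branches duplicate the checks in `update_voucher.__init__`; a shared helper would keep the edit and delete rules identical. If `authenticated_userid(request)` can return None here, `uuid.UUID(None)` raises before any 403 is produced, so the DELETE view should be guarded by a view permission if it is not already.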
diff --git a/brewman/brewman/views/services/voucher/update_voucher.py b/brewman/brewman/views/services/voucher/update_voucher.py index ed1b2818..78268b03 100644 --- a/brewman/brewman/views/services/voucher/update_voucher.py +++ b/brewman/brewman/views/services/voucher/update_voucher.py @@ -1,6 +1,6 @@ import uuid from pyramid.response import Response -from pyramid.security import authenticated_userid, has_permission, Denied +from pyramid.security import authenticated_userid from pyramid.view import view_defaults, view_config import transaction from brewman.models.auth import User @@ -18,10 +18,18 @@ class update_voucher(object): self.user = User.get_by_id(uuid.UUID(authenticated_userid(request))) self.voucher = Voucher.by_id(uuid.UUID(request.matchdict.get('id', None))) self.json = request.json_body - permission = Denied - if self.voucher.posted: - permission = has_permisson('EditPosted', None, request) + permissions = request.session['perms'] + if self.voucher.posted and not 'Edit Posted Vouchers' in permissions: + response = Response("You are not allowed to edit posted vouchers") + response.status_int = 403 + self.error = response + elif self.voucher.user_id != self.user.id and "Edit Other User's Vouchers" not in permissions: + response = Response("You are not allowed to edit other user's vouchers") + response.status_int = 403 + self.error = response + else: + self.error = None @view_config(request_param='type=Journal', permission='Journal') @@ -49,6 +57,8 @@ class update_voucher(object): return self.update() def update(self): + if self.error is not None: + return self.error try: if self.json['Type'] in ['Journal', 'Payment', 'Receipt']: voucher = journal_update_voucher(self.voucher, self.json, self.user)
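Review bot: The posted-voucher and ownership checks added to `update_voucher.__init__` are a copy of the first two branches of `check_delete_permissions` in voucher/__init__.py; deriving `self.error` from one shared helper would keep the update and delete rules from diverging (mind a circular import if the helper stays in the package `__init__`). `self.error` is only consulted at the top of `update()`, so any view method on the class that does not return `self.update()` would bypass the check — the visible methods do, but a comment such as `# every view method must return self.update() so that self.error is honoured` would make that invariant explicit. For consistency with the following condition, `not 'Edit Posted Vouchers' in permissions` reads better as `'Edit Posted Vouchers' not in permissions`. `__init__` starts before the hunk.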