From 6f1e5b91bb232ab0532fbd701a99681e40a68085 Mon Sep 17 00:00:00 2001
From: Helge Jung <hej@c3pb.de>
Date: Tue, 29 Dec 2020 03:34:28 +0100
Subject: [PATCH] backoffice user mgmt: fix perms

---
 src/backoffice/views/mixins.py |  4 +++-
 src/backoffice/views/users.py  | 14 +++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/backoffice/views/mixins.py b/src/backoffice/views/mixins.py
index 63b691657..062739610 100644
--- a/src/backoffice/views/mixins.py
+++ b/src/backoffice/views/mixins.py
@@ -67,6 +67,8 @@ class ConferenceMixin(PermissionRequiredMixin):
             return redirect('conference_selection')
         if self.require_conference_open and not self.conference.is_open and not self.is_assembly_team:
             raise PermissionDenied('Conference not open.')
+        if not self.has_permission():
+            raise PermissionDenied('Insufficient priviledges.')
         return super().dispatch(request, *args, **kwargs)
 
     def get_context_data(self, *args, **kwargs):
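Review bot: The new `PermissionDenied` raise at the top of this hunk bypasses Django's `handle_no_permission()`, which the `super().dispatch(...)` call on the next line would otherwise invoke through `PermissionRequiredMixin`: for an anonymous user that helper issues a login redirect, whereas the explicit raise always yields a 403, so confirm a login check already ran earlier in `dispatch` (the method starts above this hunk). If nothing between `ConferenceMixin` and `PermissionRequiredMixin` in the MRO overrides `dispatch`, the added check is also redundant with the one `super().dispatch` performs, and a comment saying why it is needed here would help the next reader. The message is user-facing and misspelled; `raise PermissionDenied('Insufficient privileges.')`. Note that the permission check runs after the conference-open check, so a staff member without `permission_required` still learns whether the conference is open from the error text; swapping the two checks would fail closed first.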
@@ -89,7 +91,7 @@ class ConferenceMixin(PermissionRequiredMixin):
             context.update({
                 'has_assemblies': self.is_assembly_team,
                 'has_pages': self.request.user.has_conference_staffpermission(self.conference, 'core.static_pages'),
-                'has_users': self.request.user.has_conference_staffpermission(self.conference, 'core.platformusers', 'core.block_platformuser'),
+                'has_users': self.request.user.has_conference_staffpermission(self.conference, 'core.platformusers'),
             })
         else:
             context.update({
diff --git a/src/backoffice/views/users.py b/src/backoffice/views/users.py
index 3929b0a5a..4277760d6 100644
--- a/src/backoffice/views/users.py
+++ b/src/backoffice/views/users.py
@@ -21,7 +21,7 @@ MAX_ROWS = 42
 
 
 class UsersView(ConferenceMixin, TemplateView):
-    permissions_required = ['core.platformusers']
+    permission_required = ['core.platformusers']
     template_name = 'backoffice/user-list.html'
 
     def get_context_data(self, *args, **kwargs):
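Review bot: The fix relies on the attribute now being spelled exactly as `PermissionRequiredMixin` expects, and the misspelled `permissions_required` it replaces was silently accepted as an ordinary class attribute — depending on whether `ConferenceMixin` overrides `has_permission()`, the four views touched by this patch either failed with `ImproperlyConfigured` or performed no permission check at all. A regression test that iterates the backoffice views and asserts `view.permission_required` is a non-empty list would stop the same typo from reappearing; something like `assert UsersView.permission_required == ['core.platformusers']` per view is enough. The `permission_required = ['core.platformusers']` value itself matches the `has_users` navigation flag in `mixins.py`, so the sidebar and the enforcement now agree.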
@@ -31,9 +31,6 @@ class UsersView(ConferenceMixin, TemplateView):
         ctx['usercount'] = PlatformUser.objects.count()
         ctx['myconf'] = self.request.method == 'GET' or 'myconf' in self.request.POST
 
-        ctx['can_block'] = self.request.user.has_conference_staffpermission(self.conference, 'core.block_platformuser')
-        ctx['can_rename'] = self.request.user.has_conference_staffpermission(self.conference, 'core.rename_platformuser')
-
         return ctx
 
     def post(self, *args, **kwargs):
@@ -64,7 +61,7 @@ class UsersView(ConferenceMixin, TemplateView):
 
 class UserView(ConferenceMixin, DetailView):
     model = PlatformUser
-    permissions_required = ['core.platformusers']
+    permission_required = ['core.platformusers']
     template_name = 'backoffice/user-detail.html'
 
     def get_context_data(self, *args, **kwargs):
@@ -75,6 +72,9 @@ class UserView(ConferenceMixin, DetailView):
         guardians = list(self.object.guardians)
         ctx['guardians'] = guardians
 
+        ctx['can_block'] = self.request.user.has_conference_staffpermission(self.conference, 'block_platformuser')
+        ctx['can_rename'] = self.request.user.has_conference_staffpermission(self.conference, 'rename_platformuser')
+
         try:
             ctx['user_conferencemember'] = ConferenceMember.objects.get(conference=self.conference, user=self.object)
         except ConferenceMember.DoesNotExist:
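Review bot: The codenames passed on the two added lines, `'block_platformuser'` and `'rename_platformuser'`, lack the `core.` app-label prefix that every other call in this patch uses (`'core.platformusers'`, `'core.block_platformuser'`, and the removed `UsersView` lines used the prefixed form too). Unless `has_conference_staffpermission` accepts both spellings, `can_block`/`can_rename` will disagree with `permission_required = ['core.block_platformuser']` on `UserBlockView` and `UserRenameView`; the lines should read `ctx['can_block'] = self.request.user.has_conference_staffpermission(self.conference, 'core.block_platformuser')` and likewise `'core.rename_platformuser'` for `can_rename`. These flags only decide what the template shows — the server-side gate remains the `permission_required` on the block/rename views — so the likely effect is buttons hidden from authorised staff rather than an escalation, but a comment stating that the flags are display-only would make that explicit. `get_context_data` continues past this hunk.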
@@ -85,7 +85,7 @@ class UserView(ConferenceMixin, DetailView):
 
 class UserBlockView(ConferenceMixin, DetailView):
     model = PlatformUser
-    permissions_required = ['core.block_platformuser']
+    permission_required = ['core.block_platformuser']
     template_name = 'backoffice/user-block.html'
 
     def get_context_data(self, *args, **kwargs):
@@ -138,7 +138,7 @@ class UserBlockView(ConferenceMixin, DetailView):
 
 class UserRenameView(ConferenceMixin, DetailView):
     model = PlatformUser
-    permissions_required = ['core.rename_platformuser']
+    permission_required = ['core.rename_platformuser']
     template_name = 'backoffice/user-rename.html'
 
     def get_context_data(self, *args, **kwargs):
-- 
GitLab