fix #1449, limitation des recherches par personne connectee, securite renforcee pour...

diff --git a/project/dae/catalogues.py b/project/dae/catalogues.py
index 2a88370..4aa32d8 100644 (file)
--- a/project/dae/catalogues.py
+++ b/project/dae/catalogues.py
@@ -40,8 +40,6 @@ class Dossier(object):
         
         employe = get_employe_from_user(request.user)
         prefixe_implantation = 'poste1__implantation'
-        print employe.implantation
-        print employe.implantation.region
 
         q_recherche = Q(complement1__icontains=q) | \
             Q(poste1__type_poste__nom__icontains=q) | \
@@ -57,8 +55,7 @@ class Dossier(object):
         if grp_drh in request.user.groups.all():
             q_filtre = q_recherche
         else:
-            q_filtre = q_place & q_place
-
+            q_filtre = q_place & q_recherche
         return rh.Dossier.objects.filter(q_filtre).distinct()
 
     def format_result(self, dossier):

diff --git a/project/dae/decorators.py b/project/dae/decorators.py
index 443384e..6a14f2c 100644 (file)
--- a/project/dae/decorators.py
+++ b/project/dae/decorators.py
@@ -1,12 +1,14 @@
 # -*- encoding: utf-8 -*-
 
+from django.db.models import Q
 from django.contrib import messages
 from django.contrib.auth.decorators import user_passes_test
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect
-from workflow import dae_groupes, ETATS_EDITABLE
+from workflow import dae_groupes, ETATS_EDITABLE, grp_drh
 from project.dae import models as dae
 from project.rh_v1 import models as rh
+from utils import get_employe_from_user, is_user_dans_service
 
 def user_in_dae_groupes(user):
     """
@@ -106,6 +108,38 @@ def dossier_dans_ma_region_ou_service(fn):
             return poste_dans_ma_region_ou_service(fn)(request, *args, **kwargs)
     return inner
 
+def vieux_dossier_dans_ma_region_ou_service(fn):
+    """
+    Test si le user connecté appartient bien à la même région ou service que le poste.
+    """
+    def inner(request, *args, **kwargs):
+        user = request.user
+        dossier_id = kwargs.get('dossier_id', None)
+
+        employe = get_employe_from_user(request.user)
+        prefixe_implantation = 'poste1__implantation'
+
+        if is_user_dans_service(request.user):
+            q_place = Q(**{ '%s' % prefixe_implantation : employe.implantation })
+        else:
+            q_place = Q(**{ '%s__region' % prefixe_implantation : employe.implantation.region })
+
+
+        if grp_drh in request.user.groups.all():
+            q_filtre = Q(id=dossier_id)
+        else:
+            q_filtre = q_place & Q(id=dossier_id) 
+
+        try:
+            dossier = rh.Dossier.objects.get(q_filtre)
+            return fn(request, *args, **kwargs)
+        except Exception, e:
+            msg = u"Vous n'avez pas le droit de consulter ce dossier d'embauche."
+            return redirect_interdiction(request, msg)
+
+
+    return inner
+
 def employe_dans_ma_region_ou_service(fn):
     """
     Test d'accès à un employé

diff --git a/project/dae/views.py b/project/dae/views.py
index 33e3bbb..64cecd7 100644 (file)
--- a/project/dae/views.py
+++ b/project/dae/views.py
@@ -24,6 +24,7 @@ from project.rh_v1 import models as rh
 from decorators import dae_groupe_requis, \
                        poste_dans_ma_region_ou_service, \
                        dossier_dans_ma_region_ou_service, \
+                       vieux_dossier_dans_ma_region_ou_service, \
                        employe_dans_ma_region_ou_service, \
                        dossier_est_modifiable, \
                        poste_est_modifiable
@@ -490,7 +491,7 @@ def pre_filled_dossier(dossier_rh, employe_source, poste_rh):
     return dossier
 
 @dae_groupe_requis
-@dossier_dans_ma_region_ou_service
+@vieux_dossier_dans_ma_region_ou_service
 def dossier_resume(request, dossier_id=None):
     """ Appel AJAX : 
     input : valeur_point